
Last year, Bernalillo County was hacked. Will removing employee names online prevent future attacks?

Just another nameless bureaucrat.

Such could be the future for Bernalillo County employees — at least on the county’s transparency portal.

In an attempt to wipe identifying information that could aid and abet phishing operations, a proposal to remove employee names and contracts from the Bernalillo County transparency portal is headed for 30 days of public discussion. The portal, established in 2011, is a central location for public documents such as building permits, employee salaries and audits.

The proposed ordinance, which was raised at a County Commission meeting Tuesday night, comes a year after a massive ransomware attack wreaked havoc on county operations. Inmates were locked into Metropolitan Detention Center when video surveillance failed; couples couldn’t get marriage licenses; county residents couldn’t pay property taxes. It took 19 days for the county to fully get back up and running.

At the Tuesday meeting, Commissioner Walt Benson said that more recently, an employee’s name and title were swiped and used in an attempt to change the direct deposit of her checks to a different account.

“There’s so much information out there that’s not safe,” Benson said. “It’s unsafe for individuals, it’s unsafe for the county as an organization, it’s not safe for our taxpayers or constituents.”

The proposal would strike employee names from the transparency portal, but keep a list of positions in the county. Some salary and benefits data, as well as the names of employees’ supervisors, would be removed from the list as well.

Contracts that could affect the security of the county, Benson said, also wouldn’t be posted, but would still be available through public records requests. He said in the next 30 days, language would have to be discussed to clarify what qualifies as a threat.

County Chief Information Officer Robert Benavidez said that hackers can use this information to make their phishing attacks seem more real. For example, he said that data about benefits can indicate how many dependents an employee has. In the January attack, hackers used information from the transparency portal to find information about a user with administrative privileges, which they then leveraged against an older system.

But some commissioners are concerned about government transparency and accountability, and questioned how far the proposal would go.

“A really draconian interpretation of this could be: ‘Every contract could compromise the safety and security of the county,’” Commissioner Eric Olivas said. “So I’d like to see some guardrails.”

Melanie Majors, executive director of the New Mexico Foundation for Open Government, said the proposal potentially could enable corruption.

Many people, Majors said, don’t know how to file a public records request.

“Why do people have to take another step to get information that should be readily available?” Majors asked. “...It’s just putting up barriers.”

She also questioned whether the current staffing could handle a large influx of public records requests. Currently, two employees handle requests for the county. Since January, the county has received more than 3,000 requests. In a typical year, the county receives between 2,500 and 5,000 requests. Benson said he was uncertain whether there would be efforts to hire additional employees to handle public records or teach citizens how to request documents. Staffing decisions are made by the county manager.

Lorie Liebrock, director of the New Mexico Cybersecurity Center of Excellence at New Mexico Tech, said the practice of using public information to create phishing and ransomware attacks is called “social engineering.” By peppering in details to gain credibility, a person can use public data to believably impersonate someone’s boss or a contractor.

Liebrock said the proposed amendments are an example of “security through obscurity” — the idea that, if those details aren’t published, they can’t be weaponized in phishing attacks. But the tactic isn’t enough, Liebrock said, and noted she hasn’t seen widespread adoption of the method.

“If you’re hiding that information, it’s harder to use against you,” Liebrock said. “There’s some truth in that, (but) it’s not great cybersecurity practice from the perspective it’s far from sufficient defense.”

In the year since the attack, Benavidez said, cybersecurity in the county has improved. Last April, following the attack, the county adopted a new cybersecurity policy, which required a multi-factor authentication process — people signing in need a separate code sent to another device to log in — for certain accounts. County systems are now monitored 24/7 by a security operations center, and all computers on the network have sensors to intervene if suspicious activity is detected.

In the year since the attack, investment in cybersecurity measures has increased by approximately $2.5 million per year, Benavidez said. He added employees are performing better on phishing training. Besides yearly cybersecurity trainings and new employee training, every month employees are fed fake phishing attacks. When they started sending out phishing attacks, about a third of employees fell for them. Now, the number stands around 2%.

But he said it’s “just a matter of time” before an employee falls for a phishing attack.

The proposed amendments should return to the Board of County Commissioners on or after Sept. 12. In that time, the proposed ordinance can be amended. The public would have a second opportunity to comment on amendments.

“It’s about creating a balance between safety and not infringing on public information,” Benson said.