The real solution is for them to hire out for their ops. No reason these rag tag city governments should store their stuff on-prem. Until then these okie dokie city bureaucrats will keep getting pwned.
I don’t know about that. They’re always going to have endpoints; maybe it’s better that they don’t get sucked into a multimillion-dollar AWS contract they didn’t need? I agree that they need better IT consulting (similar to many small businesses, I would think).
Yes, but the attack surface would be much smaller. I think most cities have in-house IT employees running everything. Someone on the same network as a secretary has shell access, in other words. This is how most businesses were operating their tech 20 yrs ago, but government is always 30 yrs behind.
It doesn't need to cost a lot. What does a city need? Email, calendar, office apps, VoIP, file sharing, static website (basically GSuite). All of these have open source Linux solutions that cost nothing.
RedHat, Palantir, or some other would be happy to take this contract. It's ok to use contractors to kill people but not run computers?
Maybe the federal/state government should offer some of their generic services and allow wrapping for smaller cities.
This assumes at least one higher government body has technical chops and could reasonably extend their codebase. The cost could be paid by the equivalent of what would go to the ransom.
Ok, but city governments are frequently very large, which means bringing in an outside contractor will be very expensive. Remember that every level of contractor adds additional overhead in the form of city funds being shifted into company profits.
For a small city, then yeah outsourcing might make sense. For a large one? Probably not.
The maths for cost is very simple: every person the contractor brings in is being paid for by the government, but now in addition to paying those employees, you also have to pay for a separate set of managers, and executives, and finally the business markup for profit.
If your org is large enough there is no way outsourcing is cheaper - it may be “easier”, but it inherently must cost more.
New Bedford city government has no reason to be that large though. Boston and some of its most urban suburbs maybe, but certainly not New Bedford or any of the other small cities in MA.
I have to hand it to New Bedford, it is a poor city and they know how to run an IT dept, esp. compared to what larger cities do. So they should give their IT dept a nice bonus and maybe educate other gov. entities.
>If your org is large enough there is no way outsourcing is cheaper - it may be “easier”, but it inherently must cost more.
I would agree with this if you were talking about a real business, but this is government. An island full of 14 year olds can't be trusted to operate a power plant, even if they outnumber the employees of Pacific Gas & Electric. It's not a choice between outsource vs insource security, it's a choice between security or none at all.
You're missing the point - there is a company that has employees that can [ostensibly] do the job you need. It's a free market so you could directly employ those people, and in that case you get the same level of expertise and you aren't paying for the outsourcing company's overhead.
Obviously employing those exact people may not be possible, but theoretically a large enough city can draw others of similar skill.
Not sure how you are getting that from this one - sounds like this 'rag tag' government didn't get pwned (completely) and was able to rely on good IT practice to recover with minimal impact.
>What if the police chief had emails admitting to bribes or worse stuff
Unless he's admitting to doing something that is directly counter to the platform of the ruling party (e.g. aiding ICE, rubber stamping CCW permits, racial profiling, etc) nobody would care. There would be some token outrage but it would mostly be business as usual. This is just how MA works. There's very much a "well that's government, nothing you can do, no sense getting bent out of shape over it" attitude by the majority of the population in MA.
For example, the state police overtime fraud is a recurring (every 1-3yr or so) "scandal". The latest instance is basically out of the news already.