Cyberattacks can paralyze a municipality. But for Dr. Kelley Misata, a victim of cyberstalking for seven years, it was much more personal.

Cyberattacks can cripple a city or town’s computer systems, making it nearly impossible to carry out the daily duties of government.

When it happens, inconveniences run the gamut, from delayed emergency response by police to residents unable to pay their tax bills electronically.

For Dr. Kelley Misata, a cyberattack was far more personal. Inconvenience was replaced by harassment and fear.

Misata suffered, she believes, a clear case of cyberstalking at the hands of a work colleague at a high-tech firm.

“It was like a barnacle on me for seven years,” she said in a recent interview.

Misata took out a restraining order against the man. But it was ultimately thrown out of court because authorities could not provide the evidence that clearly tied the man to the electronic harassment aimed at her.

An FBI investigation hit a dead end, Misata said, because the agency couldn’t definitively connect the evidence to what Misata called “malicious” cyberattacks to the co-worker.

Misata is convinced she was victimized, because the man used social media platforms, such as Facebook, email and text messages to gain personal details about her life, while masking his identity electronically.

SUNSHINE WEEK: Security presents a unique challenge in records request

He went to great lengths to get that information, according to Misata, including setting up false electronic accounts to contact people at her children’s school. He also established fake text message accounts, and used them to barrage Misata with text messages.

Ultimately, investigators hit a dead end, because they didn’t have the technological evidence to show the man hacked into Misata’s closed computer system. A closed system is when specifications are kept secret to prevent interference from third parties.

Will not define her life

Misata, who lives in Massachusetts (she requested the name of the town be withheld), was determined not to let those seven years of psychological turmoil define her life. Two years ago, she started Sightline Security, a Boston firm that helps nonprofit organizations guard against cyberattacks.

Sightline maintains confidential arrangements with clients; Misata declined to name the organizations her business serves. She said her clients range from small community-service groups, such as food banks, to national organizations.

She offered three pieces of advice to any organization that wants to protect itself against a cyberattack: assess current cybersecurity plans by comparing them to industry best practices; reach out for help in the event of an attack, from lawyers and information technology experts; and think carefully before alerting the public about a cyberattack.



The third point is especially critical, Misata said, because the public’s trust is at stake. Releasing information about a cyberattack too early before all the facts are known, or too late, could compromise that trust.

“(Public trust) is what we want to protect,” she said.

Lived through cyberattack

Sgt. Michael Lee of the Lake City Police Department in Florida lived through a cyberattack.

On June 10, 2019 the city of 12,000 residents was hit with a ransomware attack and all city workers were locked out of their computers, except for police and firefighters because those departments operate on different servers.

The attacker demanded a ransom of 11 bitcoin – a digital currency valued at the time at $470,000 – in exchange for giving the city an encryption key to retrieve its electronic files.

Lake City taxpayers paid the ransom, but they were only on the hook for a $10,000 insurance deductible. The city's insurance company covered the remaining $460,000.

Local IT director: Every community is vulnerable

Immediate steps were taken to prevent another attack, including hardware and software updates. Another was training all city employees to always be on the lookout for phishing emails, because clicking on one can spread a harmful virus through a city or town's computer network, rendering it useless. Phishing is an illegal scheme in which cybercriminals send out infected emails or links hoping unsuspecting employees will click on them, thereby opening the door to the town’s computer networks.



Lake City never determined what led to the cyberattack, but Lee and others think it may have started when an unsuspecting employee clicked on a phishing email.

"Everyone is in ultra-cautious mode (about phishing schemes)," Lee said.

Ultimately, he said the effort to stay a step ahead of cyber criminals never stops because their methods change daily.

"If you're not complacent, a cyberattack probably can't happen to you," Lee said.

Fallout from an attack



The fallout from the cyberattack on Lake City included firing the city's information technology director. Lee said that decision may have been connected to how the city's response to the attack was handled.

It's not uncommon for employees, especially those in the private sector, to lose their jobs if they unknowingly click on a email that sets off a malicious virus, said Stuart Madnick, professor of information technologies at the MIT Sloan School of Management. The accidental click could set off a chain reaction that could result in substantial financial losses, forcing the company to go out of business.

Outcomes are a little trickier for municipal governments, Madnick said, because most residents don’t interact directly with government departments on a daily basis.

Want news like this sent straight to your inbox? Head over to MetroWestDailyNews.com to sign up for alerts and make sure you never miss a thing. You pick the news you want, we deliver.

However, effects to residents can be uncomfortable when those government's computer systems are hacked. Madnick cited a hypothetical example of a driver with an expired license pulled over by police, and faced with the awkward moment of explaining that the license wasn't renewed because of a corrupted server at the Registry of Motor Vehicles.

There is also the possibility that a multi-million dollar construction project could be delayed, or cancelled, if a developer can't get the necessary building permits to move a project along because a city's servers are down.

Some local governments lack experienced staff to prevent and respond to cyberattacks, and Madnick said that can create a scenario that can get out of control fast.

Future landscape

As for what the future holds, ransomware attacks appear to be trailing off nationwide, said Raymond Hansen, associate professor in the Department of Computer Science & Networking at Wentworth Institute of Technology in Boston.

Cyberthieves, however, are constantly looking for new electronic vulnerabilities to exploit. A popular one currently, Hanson said, are Trojan viruses embedded in Adobe PDF files. The viruses invade an computer when an infected PDF file is opened.

“(Cyberattacks) are something that’s not going away,” Hansen said.

He also warned that organizations and governments remain vulnerable to attack if anti-malware software is their only layer of protection. Constant updating of operating systems and software must be part of the plan.

Education for all employees about the potential forms of cyberattacks, including their dangers and impacts, is also a must.

“It’s a people problem as much as a technical problem,” Hansen said.

Misata knows that fact first-hand, and she's not shy about sharing her story of suffering caused by a cyberstalker. She told it recently at an event in Boston that honored International Women’s Day.

“I often tell people that my perspective around computers and information systems is rooted in my experience (with a cyberstalker). I see security through different eyes.”

Henry Schwan is a multimedia journalist for the Daily News. Follow Henry on Twitter @henrymetrowest. He can be reached at hschwan@wickedlocal.com or 508-626-3964.