Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training.
Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a cybersecurity training course.
According to the Commercial Appeal website, all Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. However, Massey told Infosecurity Magazine that "there was no policy that mandated the cyber-training for elected officials."
Explaining why he refused to complete the cybersecurity training after being instructed to do so by the city's IT director, Massey said: "I was not aware of any alderman having to take the cyber-training in the past, so I thought it was unusual for a city employee to suddenly claim the authority to demand that elected officials click a link to take the training this year.
"I simply disregarded the emails with the training links until I received a notice from the IT director advising me that he intended to restrict my government email account."
Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines.
Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers.
Commenting on Massey's argument cited by Commercial Appeal that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own."
Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, added: "Mr. Massey just needs to take the training. It's 45 minutes..."
Massey responded to Janda's comments by stating: "All the elected officials have used and/or currently use personal electronic devices and personal email addresses for government correspondence."
According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.
Massey, who has never personally been a victim of a cyber-crime, said: "In my experience the threat of hackers and dangers of cybercrime are probably greater than what is reported in the media, but cities should not get a false sense of security by having city employees and elected officials click a link that provides 45 minutes of generic instruction on how to avoid cyber-crimes."
He added: "I think it would be appropriate and more beneficial for a cybersecurity specialist to give the entire board of mayor and aldermen a presentation on cybersecurity and allow aldermen to discuss whether more should be done."