City doubles IT rate, reports increasing cyberattacks

Presenter: The city of Eugene will be charging the Metropolitan Wastewater Management Commission a lot more for its information technology services. One reason: The growing cost of defending against cyberattacks from China. At the MWMC meeting April 11 from Eugene’s Information Services Department (ISD), Chelsea Clinton:

Chelsea Clinton: I’m Chelsea Clinton, I’m the IT strategy and finance manager with the city of Eugene.

[00:00:24] Until FY24, Eugene’s IT services were funded primarily by the city’s general fund, and then also by Fund 611, which you can think of as the city’s main IT fund.

[00:00:34] In the new model, the main funding sources for ISD are no longer split between the two funds. Instead, most revenue is collected via Fund 611—that main IT fund that we have. ISD receives no direct funding from the general fund. Functionally, this means that the IT rates that you see in MWMC’s budget increased.

[00:00:57] And when looking across all the funds globally at the city of Eugene, that Fund 611 IT rate doubled.

[00:01:04] Presenter: That change will protect the department from ongoing cuts to the general fund. ISD then sorts its work into five buckets. Chelsea Clinton:

[00:01:13] Chelsea Clinton: So there are five rates in the IT rates model in the FY24 budget. Over 80% of ISD funding comes from one particular rate. So, the methodology for this main rate, which we call our network infrastructure rate, shifted from the model based on the variety of detailed IT use metrics into a model where the main allocation basis is budgeted full-time equivalent positions, or FTE.

[00:01:38] Presenter:   All the costs that don’t fall into the first four buckets are added up, divided by the total number of budgeted FTE, and each department billed for its share. Department Director Robin Mayall:

[00:01:49] Robin Mayall: I’m Robin Mayall, I’m the director of information services for the city of Eugene.

[00:01:54] So the main thing that the network infrastructure rate covers is all those kind of shared services that IT provides to the organization. And I’m going to touch on them really just as they relate to the wastewater facility and personnel there.

[00:02:07] Business relationship management is our function that allows us to connect with the business, understand business needs, plan projects, and work directly with the business. And our business relationship manager meets both with Public Works regularly and also wastewater separately.

[00:02:24] And (Eugene Wastewater Division Director) Michelle (Miranda) and I also have regular touch-ins because wastewater is a critical facility. It’s not something I’m able to provide to all 42 of the city’s divisions, but we definitely make time to connect about wastewater because of its specific needs.

[00:02:40] We provide a direct city of Eugene secure network to the wastewater facility and within all the buildings in the facility. And this is separate from the network that provides direct control of the operational components.

[00:02:54] So you can really think of the facilities having two separate networks: One that is directly managed by the wastewater facility that controls the operational technology, and one that rides alongside it, that allows for business functions at all the stops, all the buildings in the facility. We also provide network out to Awbrey (Lane) biosolids facility as well, which is a fair stretch down towards the airport.

[00:03:21] Now you do have some specific application developers that work directly for Wastewater, but city of Eugene application development and project management is working pretty heavily right now on the billing system. So it’s not the systems that directly control the wastewater facility itself, but how it’s billed.

[00:03:38] And that billing system interfaces with EWEB’s system, which has been under a great change this year. So they changed their entire system around to a completely new system.

[00:03:47] And we’ve been working heavily with them to make sure that we’re getting the right information out of their system into our databases, we’re able to translate that into the billing rate model, and bill accurately to our customers. And then we also work with them to reconcile the billing and make sure that it’s accurate. And that’s actually pretty complicated.

[00:04:07] And then the last component I really wanted to touch on, because I don’t know how much you all are aware of it, is cybersecurity. This is a big component both for the city itself because attacks against municipal entities have been increasing dramatically, especially since the pandemic, with estimates ranging from double or triple to 1,000% more attacks against government facilities.

[00:04:29] But in the last two years we’ve seen very specific attacks from the People’s Republic of China against wastewater and water facilities. So our federal partners at CISA (Cybersecurity and Infrastructure Security Agency) and FBI, have been working really closely with us because we know that water and wastewater facilities are being directly targeted.

[00:04:48] So we actually did an engagement with CISA this year to review all of the cybersecurity for wastewater itself and for where we interchange with the city of Eugene systems. And we’re spending a lot of time and energy in this realm, both for the city as a whole, but very, very specifically for wastewater, because this is a high value target to them, and we are just seeing a lot of activity around that.

[00:05:11] And we’re in constant communication with our federal partners to make sure we’re aware of any of the latest changes that’s coming in these attacks.

[00:05:20] So those are the main drivers of rates, and in cybersecurity, also, we do provide 24/7 managed security operations centers. So we’re monitoring the network and everything that’s going on 24/7, because we know that attacks don’t just come at 9 to 5 Monday through Friday. They never sleep.

[00:05:41] So really just looking to the future of technology and rates: We did an adjustment to all of our employees under a pay equity study, and that really brought our technology staff to market rates, and market I want to emphasize being government.

[00:05:59] Hardware and software inflation is an interesting one. Software has been even since prepandemic times inflating at about 5% to 10% a year for software in general and that’s what we’ve just been seeing across the board. It is somewhat outpacing the general rate of inflation.

[00:06:16] And so we negotiate our Microsoft EA, which is one of our biggest enterprise agreements. And we will be renegotiating again this year. It’s a three-year agreement. And we’ve been hearing from partners that it’s probably going to go up about 12%. So that is really far outpacing the average cost of inflation.

[00:06:37] Hardware is going to be a really interesting one right now because with the changing tariff environment, especially on China, this one is really anybody’s guess what hardware is going to cost in the near term. Even our big technology partners that we work with are really unable to tell us what the costs will be.

[00:06:57] And of course, a lot of people have been buying ahead of time, and that’s been driving costs up as well. And we did allow all the departments of the city of Eugene to prepurchase hardware when we knew that tariffs were imminent. So that was an opportunity that was given to all divisions.

[00:07:14] And then just increased cybersecurity costs. As I mentioned, the attack rate is going way up and we are, you know, probably the only part of the city that’s regularly attacked by foreign nations. And so it’s a big deal. And again, it’s hard to predict how much it will go up, but we do know it’s been increasing steadily. And so the amount we have to concentrate on and spend in defense increases.

[00:07:38] And this really just isn’t something that was a big worry, even as little as 10 years ago. It’s hard to think back. Ten years ago, we had a few, you know, big breaches, like the Target breach. They were largely concentrated on commercial entities where they could get big databases of customers and credit cards, and that’s really not the case anymore. It’s really a lot targeted at government.

[00:07:57] So those are just our cost drivers that we see for the future. It’s hard to have tea leaves in this moment, but we try to control for costs as much as possible, for instance, by allowing people some heads up about what market drivers might be and allowing people to prepurchase if they need to.

[00:08:14] Presenter: That’s Robin Mayall from the city’s IT department, explaining why you’ll be seeing bigger bills from EWEB. On top of tariffs, inflation, and insurance increases, the city expanded use of its stormwater fee, and finds itself defending our water and wastewater infrastructure against an increasing number of Chinese cyberattacks.