Atlanta is a major cybersecurity hotspot. The city is home to the Georgia Institute of Technology, which houses nearly a dozen cybersecurity labs and centers and hundreds of scientists and researchers, and which regularly hosts cybersecurity conferences. Georgia has the country’s third-largest information-security sector with more than 115 firms bringing in nearly $5 billion in annual revenue, according to state data. Construction is underway in Augusta on the Georgia Cyber Innovation and Training Center, a statewide facility to “promote modernization in cybersecurity technology for both the private and public sectors.”
The center won’t have to look far for its first case study after Atlanta failed to take full advantage of the rich technology ecosystem in its own backyard. In mid-March, a ransomware attack compromised nearly half of the city government’s departments. The Atlanta Journal-Constitution reported that the city’s municipal court system finally got back up and running this week, thanks to what a city spokesperson called “the implementation of a manual paper-based process.”
The attackers originally demanded the equivalent of $51,000 in Bitcoin in exchange for the decryption “keys” needed to regain access to the compromised systems. Some departments, such as zoning and housing, kept operating through manual workarounds, but others, like the municipal courts and the city’s watershed management department, suffered more extensive disruption, and the city continues to deal with the fallout.
The identity of the criminals remains murky, but the malware (malicious software) they used, a strain of ransomware known as SamSam, is well-known in the cybersecurity world. According to Wired, while many ransomware campaigns gain entry to IT systems via phishing, tricking users into opening malicious attachments or giving up credentials and other data, the SamSam operators instead go after weak passwords and other exploitable weaknesses in public-facing systems. Ransomware was found in nearly 40 percent of malware-related breaches, according to Verizon’s 2018 Data Breach Investigations Report.
The week following the attack on Atlanta, Baltimore’s 911 dispatch system came under a ransomware attack. Unlike Atlanta’s, Baltimore’s outage lasted less than a day; the city temporarily switched to manual dispatch while the system was restored.
The Atlanta breach underscores the lack of understanding among many municipal leaders that cyber threats demand the same level of emergency preparedness that natural or man-made disasters do. But unlike the issues that public officials deal with every day—education, poverty, economic development—cybersecurity concerns are not on their radar, even as the attacks multiply around the country. Public officials will have to begin focusing on the issue and deploy what resources they have to defending against cyber attacks, so that they can act quickly when employees identify system vulnerabilities.
Cities and towns across the country are inviting targets for cyber criminals. In recent years, criminals have gone after tornado sirens in Dallas and transit-fare collection in San Francisco. In February, attackers took aim at Colorado’s Department of Transportation. Though none of these targets paid a ransom, cyber criminals interested in making a quick buck have exploited the willingness of some municipalities, hospitals, and universities to pay up. They price their demands to make paying the ransom more attractive than trying to recover data. Leeds, Alabama, a Birmingham suburb, paid $12,000 in Bitcoin to get back control of its computer systems.
“The business of being a bad guy on the internet today is really good,” says Oren Falkowitz, a former National Security Agency and U.S. Cyber Command senior analyst and founder and CEO of Area 1 Security, a Silicon Valley cloud-based cybersecurity firm. A criminal “can wake up one day and can send a couple of emails and make fifty thousand dollars, a hundred thousand dollars, a couple hundred thousand dollars for basically no work and no cost.” And criminals don’t necessarily have to go after a ransom: Municipal networks hold immense and valuable stores of personally identifiable information that criminals can sell.
Municipal officials often argue that they can’t afford the experts required to make major security upgrades. A 2016 International City/County Management Association/University of Maryland Baltimore County survey of local government cybersecurity practices found that, when asked about barriers to achieving the “highest possible level of cybersecurity,” nearly 60 percent of local governments cited an inability to offer competitive salaries for cybersecurity professionals, 53 percent cited insufficient staff, and 52 percent cited a lack of funds.
Smaller municipal governments often have the most severe budget constraints. Since they can’t hire the people they need, they make do with the people they have, according to Valorie King, a University of Maryland University College associate professor for cybersecurity management and policy. Scarcity means an IT person gets spread thin, doing desktop support, database management, and “running down the hall because somebody’s iPhone dropped and broke,” says King. “Sometimes we ask too much because the organization can’t afford enough people with specialized training,” she adds.
But some cybersecurity specialists see other problems at work. “There is plenty of money being spent,” says Falkowitz. “It’s not being spent efficiently to go after the problem.” He argues that municipal officials not only have a responsibility to keep residents educated and informed about threats, but that municipal officials also must invest in the right strategies, such as protecting systems against phishing attacks, keeping software updated, and making certain that two-factor authentication is standard.
Not surprisingly, New York is an exemplar in cybersecurity preparedness. Last month, Mayor Bill de Blasio announced the deployment of NYC Secure, a free citywide smartphone protection app that warns users about threats to their mobile devices. The mayor also said that the city would provide protection on its public Wi-Fi networks to all users at no charge.
Many of the problems that municipalities face do not require deep knowledge of information systems technology—there are individuals who can bring those skill sets to the table—but rather a firm handle on assessing threats and making the decisions required to assure security.
“If management was more aware of the responsibility that they have, their ethical responsibility to ensure that the security and privacy of citizens and the public information that they hold in trust,” King says, “you’re going to look at your organization differently and you are going to hold your managers below you accountable.”
Typically, government agencies focus on quality when it comes to building websites that residents use to apply for government benefits, drivers’ licenses, or other services. After all, municipal officials don’t want the headaches of being bombarded with complaints if a site is difficult to navigate or functions poorly. But backend information technology systems don’t necessarily get the same attention. “We don’t often think of quality for internal processes that are not customer-facing,” King says.
In the Baltimore 911 dispatch attack, a port left unprotected by a firewall while IT employees addressed another issue allowed attackers to breach the 911 system. King surmises that either no one checked the firewall afterward or that the check that was performed failed to uncover the issue. She compares these kinds of checks to completing a house project: Usually a worker will make sure that no nails or hammers or screwdrivers or other tools are left behind. “In IT, we have checklists, procedures, and software that we run to test the firewall to make sure it’s configured properly,” she says. “The basic tools for ensuring quality weren’t effective.”
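King’s point about automated checks can be made concrete. The script below is an added example, not code from this article or from any of the cities it discusses: it parses an external port scan (here a constructed sample in the style of nmap’s grepable output, using RFC 5737 documentation addresses) and compares what is actually reachable against a per-host allowlist, while separately flagging services such as RDP and database ports that should never be internet-facing no matter what the allowlist says. The hostnames, the allowlist and the never-expose list are illustrative assumptions, not any real policy.

```python
"""Exposure check: is anything reachable from the internet that shouldn't be?

Added example. Parses a scan result in the style of nmap's grepable (-oG)
output and compares observed open ports against an allowlist. Every address,
hostname and policy entry below is a constructed assumption for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample scan (RFC 5737 documentation addresses), not real data.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 (web01.example)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\t"
    "Ignored State: closed (997)\n"
    "Host: 203.0.113.20 (dispatch-db.example)\tPorts: 80/open/tcp//http///, "
    "1433/open/tcp//ms-sql-s///\n"
    "Host: 203.0.113.30 (vpn.example)\tPorts: 443/open/tcp//https///, "
    "1194/open/udp//openvpn///\n"
)

# Assumed policy: (protocol, port) pairs each host is expected to expose.
ALLOWLIST = {
    "203.0.113.10": {("tcp", 443)},
    "203.0.113.20": {("tcp", 80)},
    "203.0.113.30": {("tcp", 443), ("udp", 1194)},
}

# Assumed policy: services that must never face the internet, allowlist or not.
# Remote-admin and database ports are the usual targets of password guessing.
NEVER_EXPOSE = {
    ("tcp", 3389): "RDP",
    ("tcp", 445): "SMB",
    ("tcp", 1433): "MS-SQL",
    ("tcp", 5900): "VNC",
}


@dataclass(frozen=True, order=True)
class Service:
    proto: str
    port: int
    name: str


@dataclass(frozen=True)
class Finding:
    ip: str
    hostname: str
    proto: str
    port: int
    service: str
    severity: str  # "critical" (never-expose list) or "high" (not allowlisted)
    reason: str


def parse_grepable(text):
    """Return {ip: (hostname, set of open Service)} from -oG style lines."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        match = re.match(r"(\S+)\s+\((.*)\)", fields["Host"])
        ip, hostname = match.group(1), match.group(2)
        services = set()
        for entry in fields.get("Ports", "").split(", "):
            if not entry.strip():
                continue
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, name, *_ = entry.split("/")
            if state == "open":
                services.add(Service(proto, int(port), name))
        observed[ip] = (hostname, services)
    return observed


def check_exposure(observed, allowlist=ALLOWLIST, never_expose=NEVER_EXPOSE):
    """Compare observed open ports with policy; return a list of Findings."""
    findings = []
    for ip, (hostname, services) in sorted(observed.items()):
        allowed = allowlist.get(ip, set())
        for svc in sorted(services):
            key = (svc.proto, svc.port)
            if key in never_expose:
                findings.append(Finding(ip, hostname, svc.proto, svc.port, svc.name,
                                        "critical",
                                        f"{never_expose[key]} reachable from the internet"))
            elif key not in allowed:
                findings.append(Finding(ip, hostname, svc.proto, svc.port, svc.name,
                                        "high", "open port not in this host's allowlist"))
    return findings


if __name__ == "__main__":
    for f in check_exposure(parse_grepable(SAMPLE_SCAN)):
        print(f"{f.severity.upper():8} {f.ip} ({f.hostname}) "
              f"{f.proto}/{f.port} {f.service}: {f.reason}")
```

Run against the constructed sample, the check reports SSH on the web host as an allowlist violation and RDP and MS-SQL as critical exposures, while the VPN host is clean. In practice the scan would come from a host outside the city’s network so that it sees the firewall the way an attacker does, and the allowlist would be kept under change control so that a firewall change like Baltimore’s is caught by the next scheduled run rather than by the next intruder.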
The Atlanta incident was even more stunning since city officials failed to heed the recommendations of an earlier audit of the city’s IT systems. According to Atlanta’s CBS affiliate, the document indicated that “the large number of severe and critical vulnerabilities identified has existed for so long, the organizations responsible have essentially become complacent and no longer take action” while “departments tasked with dealing with the thousands of vulnerabilities ... do not have enough time or tools to properly analyze and treat the systems.”
The audit concluded that “This situation represents a significant level of preventable risk exposure to the city” and that there was “no formal program to manage risk.” A cybersecurity specialist told The Atlanta Journal-Constitution that his review of emails between managers and employees who warned about viruses and other incidents suggested negligence on the part of city officials.
“Atlanta failed an audit over a year ago: They were told they had multiple vulnerabilities,” says King. “Anytime you have an audit finding that is not addressed, that’s a management failure; if there was an audit finding against financial controls in a city, it would have been addressed,” she continues. “Those same audit findings for IT vulnerabilities should have the same priorities for getting fixed—that’s an accountability issue at the very top.”
For their part, city officials noted that they had taken steps to “mitigate risks,” like moving data to the cloud and ensuring that their IT systems have backups. Code for Atlanta, which describes itself as “a bunch of civic-minded technologists, designers, and topic experts,” has started a Change.org petition calling for a deep dive into the causes of, and solutions for, Atlanta’s problems.
Much like dealing with hurricanes or terrorist attacks, cities and towns should design continuity of operations plans that describe how they will handle an attack, which backups can be employed and how services will be restored, as well as how they will determine how attackers got in and keep them out in the future.
King notes that municipalities should also take a “public hygiene approach” to help keep attackers out. Just as hospitals implement basic steps like handwashing to stem the spread of infections, municipal departments need to assure that employees perform basic security practices, such as avoiding writing down a password and leaving it under a keyboard.
The FBI, the Department of Homeland Security, and the Secret Service have investigated the Atlanta breach, which has cost the city nearly $3 million and forced many residents to return to paper, phone, or in-person visits to conduct their business with the city.
By contrast, Colorado’s SamSam ransomware breach cost the state more than $1 million and affected only backend systems, so residents did not experience the level of disruption that Atlanta residents experienced. It took about a month to resolve many of the issues, but Colorado officials restored most of the state’s data. State officials were also well-prepared with “comprehensive backup strategies,” according to a Statescoop.com report. Colorado IT officials have been advising their Atlanta counterparts.
This post has been updated.