Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats. ICMA and Microsoft’s cybersecurity report claims that 44% of local governments are under attack daily. The FBI reports that over 4,000 ransomware attacks occur daily. This year, when the City of Atlanta was compromised by a ransomware attack, the nation realized the maturity of today’s cyber threats. Hackers from around the world are able to hold our cities hostage through cybersecurity attacks. Why are cities so vulnerable to cyber threats, and how do these cybersecurity attacks even work?
Why Are Cities So Vulnerable to Cyber Threats?
- Atlanta – In March 2018, the City of Atlanta suffered a devastating ransomware attack by SamSam, costing the city more than $2 million in recovery. Multiple types of applications, both internal and customer-facing, were compromised. Thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, traffic tickets could not be processed—this ransomware attack completely obstructed the day-to-day operations of the City of Atlanta. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that critical cybersecurity best practices were not being met, with gaps in policies and procedures, definitions of scope, formal risk assessment processes, vendor management processes, data classification policies, and measurement, reporting, and communication related to risk.
- Los Angeles – In December 2016, L.A. County announced that 108 employees fell for a phishing email on May 13. Through this type of cybersecurity attack, the malicious individual was able to gain usernames and passwords for employees who had access to confidential information. Through a forensic investigation, the county found that the names, dates of birth, Social Security numbers, driver’s license numbers, banking information, payment card information, and medical treatment information of 756,000 individuals were potentially impacted by this phishing email.
- Baltimore – In March 2018, Baltimore’s 911 dispatch system was attacked, forcing staff to manually relay the details given by incoming callers. Obviously, this put a critical hold on the city’s ability to respond to emergencies. Fortunately, although this cybersecurity attack caused inefficient processes, the city didn’t see a slowdown in responders’ response times. Within a week of this hack, the city determined it was caused by ransomware. Frank Johnson, CIO in the Baltimore Mayor’s Office of Information Technology, called the attack a self-inflicted wound. Their IT team had inadvertently changed a firewall and left a port open for about 24 hours, likely letting the hackers into their network.
- San Francisco – When ransomware hit San Francisco’s light rail transit system in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) had two choices: shut down the light rail or let users ride for free. On one of the busiest shopping weeks of the year, the agency let users ride for free. Fortunately, this cybersecurity attack did not impact the functionality of San Francisco’s buses, light rail, street cars, or cable cars. The attacker demanded a $73,000 ransom, but the agency informed the public, “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”
- Charlotte – In December 2017, a hacker was able to access one Mecklenburg County employee’s log-in credentials through a phishing email. From there, the ransomware attack was launched. About 200 systems were impacted, causing the county to shut down many parts of its network. Fortunately, backup data was available so that the county did not have to consider paying the $23,000 ransom. IT Chief Keith Gregg said, “We could not be in the recovery process if we did not have backups.” To prevent a second attack wave, the county disabled employees’ ability to open certain types of emails. It took almost six weeks and thousands of dollars to rebuild servers, get employee email up and running, and secure the rest of their systems.
Lessons Learned from Cybersecurity in the Public Sector
The number and maturity of cyber threats targeting cities is growing every day. Oftentimes, local governments don’t see it coming or, even after the attack, can’t identify what type of cybersecurity attack hit them. This poses a major issue in mitigating cyber threats. Organizations within the public sector must cover all their bases, casting their preparation net far and wide.
In the five cities we discussed, data was not breached, and ransoms were not paid, but many cities aren’t that lucky. IBM Security and the Ponemon Institute report that in 2018, the average total cost of a data breach in the United States is $7.91 million, with the average stolen record costing $233. There are headlines of new data breaches every day – and the cyber threats are becoming more complex. As the cyber threats mature and the cost of a data breach becomes higher, cities must protect their technology infrastructures.
What are the obstacles? Lack of funds, lack of support from elected officials or management, lack of availability to train personnel, lack of cybersecurity awareness within the organization, and too many IT networks/systems within local government.
What should public sector organizations invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.
These five cities don’t even come close to the number of reported breaches by municipalities. Have you been victimized by the cyber threats targeting the public sector?