For almost two weeks, the city of Atlanta has been in a “hostage situation.”
That’s how Atlanta Mayor Keisha Lance-Bottoms described a March 22 ransomware attack that has spread through the municipal computer systems, causing serious disruptions in several departments of city hall. The attack crippled Atlanta’s courtrooms, disabled online bill payments, and forced many public employees – including the Atlanta Police Department – to keep records with pen and paper.
Security experts have long known that local governments are vulnerable targets for cybercrimes. But the attack in Atlanta, followed by a March 28 hack that disabled 911 services in Baltimore, shows that many municipalities have failed to mount adequate defenses for their local computer systems.
“Networks fall into two categories: those that have been breached and those that will get breached,” said Jason McNew, president of Gettysburg-based Stronghold Cyber Security. “This is definitely a public safety issue and municipalities need to take it seriously.”
A 2016 report from Pennsylvania’s auditor general found that cybercrimes are certainly on the minds of government leaders across the state. Sixty-five percent of municipalities reported being concerned about cybersecurity threats, and 55 percent said they needed more resources to improve their network’s defenses.
As it turns out, though, many municipalities across the country operate with outdated or nonexistent cybersecurity programs. A 2016 study by the International City/County Management Association found fewer than half of local governments surveyed have a formal cybersecurity policy, and only 34 percent have a written strategy to recover from breaches.
The city of Harrisburg is among the municipalities that have neither. Steve Bortner, Harrisburg’s director of information technology, said that updating policies has been a priority of his since he took the helm of the IT Department in July 2017.
Harrisburg does have an information security policy, but it’s more than 10 years old and has “very little reference to anything related to cyber security,” Bortner said.
The city is also developing a written strategy for recovering from breaches.
“These policies are things that I guess had never been a priority,” Bortner said. “There are several other IT policies that we are trying to make current.”
Bortner explained that the city’s working cyber-security policies are embedded in other IT guidelines that govern computer usage for employees. New employees pledge to follow these policies, but Bortner said that there isn’t formal training for employees when they’re hired, nor are there regular cyber security trainings for staff.
McNew recommends that all cybersecurity policies and procedures be updated annually to keep up with emerging threats and industry best practices. He also urges his clients to hold annual, mandatory cyber-security trainings for employees.
“The analogy I like to make is that it’s like a safety program,” McNew said. “If my clients do safety training, I tell them to do the cybersecurity training at the same time.”
Bortner said the city has considered implementing mandatory employee trainings, but it would likely require a costly third-party vendor. The IT department does conduct phishing tests, in which it sends out suspicious emails to see if employees click on them, which he said were “fairly successful.”
An attack on Harrisburg’s municipal computer network would likely hit email and phone communication systems first, Bortner said. Other city applications run on mainframes that are connected to a different internet network. According to the city website, the mainframe systems run city operations such as insurance claims management; field reports for all service calls for police; billing systems for property real estate taxes; and codes licenses, permits, inspections and complaints.
“It depends on the nature of the attack as to what would be impacted, but not everything would be adversely affected,” Bortner said.
For instance, courts in Harrisburg would likely be safe if the city’s system were breached, since the Magisterial District Judges’ offices are run by the county. Dauphin County has a cyber security policy and an incident response plan that are updated yearly, according to IT Director Tom Guenther.
Bortner pointed out that almost all of the information that Harrisburg stores is public information, either published online or obtainable through a right-to-know request. But most hackers who target municipal governments aren’t after sensitive data.
As was the case in the Atlanta ransomware attack, most cybercrimes aim to hold computer systems hostage from city employees. The hackers who contaminated Atlanta’s IT system demanded $51,000 in bitcoin to end the attack; city officials have not said yet whether or not they have paid it.
Since every city relies on some form of IT infrastructure, hackers can afford to be indiscriminate when launching attacks, McNew said.
“Hackers troll the internet looking for targets,” McNew said. “Your data may not be interesting to them, but it’s interesting to you, and if they get a toehold in your network they can compromise it.”
Bortner said that the recent scourge of municipal cybercrimes hasn’t led him to reevaluate the city’s defense systems. He reports that finances have not been an issue for the IT department, and he’s fairly confident that Harrisburg could weather an attack with the systems it currently has in place.
“I believe we would be in a position to reckon with an attack,” Bortner said. “It would be a triage situation, but we have the knowledge and the resources to address a breach in the event that we have one.”