Remember when a major U.S. city’s computer infrastructure was hacked, and held ransom, by a group of cyber criminals?
It’s very possible that Atlanta’s battle with this new type of online threat last month—hackers gained control and shut down the city’s computer system for days—went unnoticed due to the recent rapid-fire news cycle. Atlanta’s Mayor Keisha Lance Bottoms compared the incident, known as a ransomware attack, to a hostage situation.
While the premise of hackers holding a city ransom may seem sci-fi, cyber security experts believe it’s already a common menace.
“It’s a fairly big problem because unfortunately, state and local governments are prime targets,” says Allen Liska, a senior intelligence analyst at Recorded Future, a company specializing in cyber threat assessment. “After what happened in Atlanta, cities are going to appear as big targets. And now, with so many constituent services online, cities have a huge exposure on the internet.”
It’s also more everyday than many expect. A survey taken by the International City/County Management Association and the University of Maryland, Baltimore County, found a quarter of local governments reported experiencing attacks, a vast majority unsuccessful, as often as once an hour.
“It’s somewhat surprising it doesn’t happen more,” says Justin Cappos, a NYU computer science professor who studies cyber security. “Many of the teams working on the local level don’t end up with a lot of resources. If someone is going for a soft target, cities tend to be a soft target.”
Due to the ransomware cyberattack all scheduled Court appearances will be reset. Reset notices will be mailed. @ATLCourt — City of Atlanta, GA (@Cityofatlanta) March 28, 2018
Smart cities open themselves up to cyber threats
It’s seen as a given by tech evangelists that smart cities, online municipal services, and internet-of-things technology will continue to proliferate, advance, and improve urban life. But the continued adoption of these services and technologies by cities hasn’t been paralleled by similarly sophisticated investments in security. And there’s no going back.
“You have to continue offering the ability to pay water bills online, and allow constituents to interact with state and local government online,” says Liska. “Unfortunately, many of them don’t understand how much exposure they have, and how much is vulnerable to attack.”
Recent events have shown just how exposed cities can be. A March report by the U.S. Computer Emergency Readiness Team, or US-CERT, noted that Russian hackers were testing critical infrastructure systems. Liska also says there have been a dozen or so instances of hackers targeting local 911 systems, including a recent disruption in Baltimore. These systems have redundancies built in, meaning hackers haven’t been able to cut off the vital service. But the potential for injury or even death is real.
“When people hear about the ability to shut down the internet, they may think, ‘I can’t use Twitter for an hour,’” Liska says. “But so many of our systems are internet-connected. Water, communications, even electricity; if you shut that down, you can make a lot of other services go down.”
Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand https://t.co/xSuO4klfPC — deray (@deray) March 29, 2018
How the cyber threat has grown
While there are numerous federal teams and programs protecting U.S. government sites, the armed forces, and critical national infrastructure, there’s no overarching initiative providing cyber defense for city and local governments. There’s a group called MS-ISAC, a clearinghouse for sharing information and best practices, and the Department of Homeland Security monitors threats and alerts cities to them, but for the most part, every city needs to set up its own teams and systems.
With other budget priorities at play, city cyber defense is often underfunded and understaffed.
“The mission of the city isn’t tech,” Cappos says. “It’s a secondary concern.”
But the potential of hackers to reach into more and more city systems will only increase. During the Atlanta attack, hackers gained control of municipal court computers, the network police officers use to write reports, and the job application system.
“Five years ago, there wasn’t the same sort of problem,” says Cappos. “But now, hackers are much more motivated. Systems are harder to attack, but there are organized criminal organizations that are financially incentivized to hack into systems, and the talent that’s out there is so much better, and that’s continuing to grow.”
The criminals behind the Atlanta attack, the SamSam group, have extorted more than $1 million from more than 30 targets this year alone, according to the New York Times, including hospitals, police departments, and universities. A recent survey of city cybersecurity officials found that a third of attacks against city computer systems are meant to extract a ransom.
As countries continue to invest in offensive cyber weapons, this online arms race can impact the security situation down the line. Cappos says that incidents in which cyber tools developed by the NSA have been leaked and used by hackers underline the growing threat of talented criminals utilizing cutting-edge technology.
How cities can adapt to the evolving threat
Cities need to cover the basics, says Liska, such as prioritizing system updates as quickly as possible. The Atlanta attack highlighted the danger of outdated technology; the SamSam group exploited a system that wasn’t updated.
Securing systems including police, fire, and vehicle fleets is absolutely critical. Cappos says the power grid is the most severe threat.
Due to the sensitive nature of cyber security, normally the teams and institutions doing a good job defending sensitive systems don’t get the headlines. But Liska says there are plenty of examples of cities doing good work. New York City has a very strong plan in place, as does Los Angeles. Both have made the investments in tech and manpower to protect themselves.
Cities can also plan for the potential of these hacks, and have backup plans for what happens if someone gains access to critical systems.
As evidenced by recent high-profile incidents, such as the WannaCry attack in Europe (which many believe was done by North Korean hackers) and recent Russian attacks that shut down local power grids in Ukraine, the potential for serious damage is clear.
“I don’t think cities are paying enough attention,” says Cappos. “I hope that folks who set policy are thinking this through.”