Remember when a major U.S. city’s computer infrastructure was hacked, and held ransom, by a group of cyber criminals?
It’s very possible that Atlanta’s battle with this new type of online threat last month—hackers gained control and
shut down the city’s computer system for days—went unnoticed due to the recent rapid-fire news cycle.
Atlanta’s Mayor Keisha Lance Bottoms compared the incident, known as a
ransomware attack, to a hostage situation.
While the premise of hackers holding a city ransom may seem sci-fi, cyber security experts believe it’s already a common menace.
“It’s a fairly big problem because unfortunately, state
and local governments are prime targets,” says Allan Liska, a senior
intelligence analyst at Recorded Future, a company specializing in cyber
threat assessment. “After what happened in Atlanta, cities are going to
appear as big targets. And now, with so many constituent services
online, cities have a huge exposure on the internet.”
It’s also more everyday than many expect.
A survey taken by the International City/County Management Association and the
University of Maryland, Baltimore County, found a quarter of local
governments reported experiencing attacks, a vast majority unsuccessful,
as often as once an hour.
“It’s somewhat surprising it doesn’t happen more,” says
Justin Cappos, an NYU computer science professor who studies cyber
security. “Many of the teams working on the local level don’t end up
with a lot of resources. If someone is going for a soft target, cities
tend to be a soft target.”
Smart cities open themselves up to cyber threats
It’s seen as a given by tech evangelists that smart cities,
online municipal services, and internet-of-things technology will
continue to proliferate, advance, and improve urban life. But the
continued adoption of these services and technologies by cities hasn’t
been paralleled by similarly sophisticated investments in security. And
there’s no going back.
“You have to continue offering the ability to pay water bills online, and
allow constituents to interact with state and local government
online,” says Liska. “Unfortunately, many of them don’t understand how
much exposure they have, and how much is vulnerable to attack.”
Recent events have shown just how exposed cities can be.
A March report by the U.S. Computer Emergency Readiness Team, or US-CERT, noted that
Russian hackers were testing critical infrastructure systems. Liska also
says there have been a dozen or so instances of hackers targeting local
911 systems, including a recent disruption in Baltimore.
These systems have redundancies built-in, meaning hackers haven’t been
able to cut off the vital service. But the potential for injury or even
death is real.
“When people hear about the ability to shut down the
internet, they may think, ‘I can’t use Twitter for an hour,’” Liska
says. “But so many of our systems are internet-connected. Water,
communications, even electricity; if you shut that down, you can make a
lot of other services go down.”
How the cyber threat has grown
While there are numerous federal teams and programs
protecting U.S. government sites, the armed forces, and critical
national infrastructure, there’s no overarching initiative providing
cyber defense for city and local governments. There’s a group called
MS-ISAC, a clearinghouse for sharing information and best practices, and the
Department of Homeland Security monitors and alerts cities to threats,
but for the most part, every city needs to set up its own teams and
systems.
With other budget priorities at play, city cyber defense is often underfunded and understaffed.
“The mission of the city isn’t tech,” Cappos says. “It’s a secondary concern.”
But the potential of hackers to reach into more and more
city systems will only increase. During the Atlanta attack, hackers
gained control of municipal court computers, the network police officers
use to write reports, and the job application system.
“Five years ago, there wasn’t the same sort of problem,”
says Cappos. “But now, hackers are much more motivated. Systems are
harder to attack, but there are organized criminal organizations that
are financially incentivized to hack into systems, and the talent that’s
out there is so much better, and that’s continuing to grow.”
The criminals behind the Atlanta attack, the SamSam
group, have extorted more than $1 million from more than 30 targets this
year alone, according to the New York Times, including hospitals, police departments, and universities.
A recent survey of city cybersecurity officials found that
a third of attacks against city computer systems are meant to extract a ransom.
As countries continue to invest in offensive cyber
weapons, this online arms race can impact the security situation down
the line. Cappos says that incidents in which cyber tools developed by the NSA have been leaked and used by hackers underline the growing threat of talented criminals utilizing cutting-edge technology.
How cities can adapt to the evolving threat
Cities need to cover the basics, says Liska, such as
prioritizing system updates as quickly as possible. The Atlanta attack
highlighted the danger of outdated technology; the SamSam group
exploited a system that wasn’t updated.
Securing systems including police, fire, and vehicle
fleets is absolutely critical. Cappos says the power grid is the most
severe threat.
Due to the sensitive nature of cyber security, normally
the teams and institutions doing a good job defending sensitive systems
don’t get the headlines. But Liska says there are plenty of examples of
cities doing good work. New York City has a very strong plan in place,
as does Los Angeles. Both have made the investments in tech and manpower
to protect themselves.
Cities can also plan for the potential of these hacks,
and have backup plans for what happens if someone gains access to
critical systems.
“I don’t think cities are paying enough attention,” says Cappos. “I hope that folks who set policy are thinking this through.”