Hands up who has a fax machine in their office? Hands up who knows how to use it? How legible is your handwriting these days after years of touch typing? These were challenges faced last month in Atlanta when the SamSam ransomware attack on municipal computer systems hit at least five out of 13 departments, knocking out some city services and forcing others to revert to paper records. Stories emerged of police and other public servants trying to piece together their digital work lives on paper, recreating audit spreadsheets and conducting business on mobile phones, a “clunky” personal laptop and yep, the old fax machine.
Momenta Partners predicted last year that Moore’s Outlaws ”ensure Cybersecurity Remains Top of Mind in IoT as “Cybercriminals continue to be innovative, and benefit from open source tools and increasingly cheap processing power. Cybersecurity in IoT will continue to be a top area of innovation for startups and established companies alike.“
As far as cyberattacks go, this wasn’t the largest or most devastating regarding financial, human costs, or loss of reputation. City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded a rather paltry sum of $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.
Government attacks on the rise
But the reality is that while attacks on health services are statistically more common, the past 16 months have seen high-profile ransomware attacks affecting various municipal services including Licking County Government in Ohio, Municipal Transport in San Francisco and Sacramento, and the emergency warning sirens of Dallas. The more 'smart' or connected a city, the more vulnerable they may be to attack if 'security first' has not been the guiding venue of the officials, vendors and service providers.
To pay or not to pay
It’s unclear whether the City of Atlanta paid to regain access to their data, a contentious concept according to many who view such an act as rewarding criminals with taxpayers’ money. But some cities do pay - just last month, City officials in Leeds, Alabama, paid hackers $12,000 in BTC to regain control of their computer systems.
According to City Auditor Amanda Noble “One of the reasons why municipalities are vulnerable is we just have so many different systems,”
The big problem
According to Mike Shultz, President & CEO of Cybernance: “The Atlanta failure is just like so many that have gone before. Ransomware is easy, relatively risk-free and really profitable. Why does this continue? Most organizations think about cyber risk as a technology problem, and when the IT team fails to prevent cyber attacks enabled by failed people processes and internal error, leadership blames IT. If risk is a management responsibility, why wouldn’t cyber risk also be a management responsibility? Because cyber risk is rooted in technology, many leaders assume the solution must be more technology. However, research shows that almost 70% of all cyber breaches are a failure of governance, and the companies’ policies, processes, and people. Following the “dig the moat deeper, make the wall higher” approach, most cyber risk management investments are spent on the perimeter, and the losses occur because of internal error."
In most organizations, risk is the responsibility of the board of directors. In a city, the responsibility lies with the city council/city manager. Yet, the first reaction to a cyber breach is to fire the security team—the one team that is mostly technology-focused. According to Shultz:
“I believe that cybersecurity will become more reliable when leadership are held responsible for security breaches because their job will depend upon it. For Atlanta (and all organizations), the best place to start mitigating cyber risk is to implement the NIST Cyber Security Framework. They must begin with governance—outline their policies, plans, risk, responsibilities, etc.—all of which stem from the very top of the city council and staff. Once they have this in place, any external tech-based cybersecurity solution will be a better investment and the IT team can more effectively protect city data.”
By the time this article goes to print, it's reasonable to expect that several other attacks will have occurred, leaving various municipalities in disarray. We might not be seeing severity of attacks such as the Mirai botnet and Wannacry ransomware, but the scale is increasing and the threat landscape continues to get more severe.