Another Invisible Threat: Cyberattacks
by Smart City Expo Atlanta
May 19, 2020
As the world begins to recover from the devastating impact of the coronavirus pandemic, we continue to remain vulnerable to another invisible threat dismantling our institutions — cyberattacks. Like COVID-19, digital viruses are finding weak entry points from which they rapidly spread and infect systems, quickly taking down entire organizations and ecosystems.
With most of the world now online, cybercriminals are taking advantage of the crisis to not only hack unprotected computers and networks, but to disrupt pandemic response efforts. In recent weeks, hackers have been attacking national and global health organizations such as the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the National Institutes of Health (NIH), mining them for COVID-19 research and intelligence. Critical infrastructure in the U.S. and the U.K., such as electricity grids and their respective supply chains, which have always been at risk, are also coming under fire. And areas that were of little interest prior, such as ed tech and certain government portals, have become top targets with more people working and studying remotely and unemployment sites overwhelmed by an unprecedented surge in traffic.
With the pandemic exacerbating our ongoing cybersecurity issues, under-resourced state and local governments continue to be held hostage. Deloitte reports that in 2019, governments were the victims of 163 ransomware attacks and paid more than $1.8 million in ransom and tens of millions of dollars in recovery costs, marking a nearly 150% increase from the previous year. In ransomware attacks, hackers access a city’s system — commonly through phishing and social engineering — then use malware to block access to data and demand money to release it.
Infrastructure Held for Ransom
In December, the City of New Orleans declared a state of emergency following a ransomware attack. Criminals have also recently targeted Atlanta, Baltimore, Naples, and New Bedford, shutting down their networks and ordering payment. In Atlanta, recovery costs reached a reported $17 million, one of the most expensive attacks in 2018. Utilities, parking, and court services were all impacted; many legal documents and police dashcam video files were never recovered.
As these attacks become more common, governments will have to make a crucial decision. Should they shell out hundreds, thousands, or sometimes millions of dollars to avoid losing valuable information, or does paying a ransom encourage more attacks?
Some cities have chosen to take a stand against exploitation. Baltimore and Atlanta both refused to pay ransoms of a reported $102,000 and $51,000 in bitcoin, respectively. And last summer, the U.S. Conference of Mayors agreed to a resolution that opposes paying perpetrators of a ransomware attack. The resolution mirrors recommendations from the FBI, which says paying a ransom emboldens criminals and doesn’t guarantee the recovery of data.
Meanwhile, other cities are taking a different approach. On the advice of outside consultants and with a unanimous city council vote, Riviera Beach in South Florida decided to pay $600,000 in ransom. One week later, another Florida community, the Jacksonville suburb of Lake City, paid $462,000 through an insurance company to restore its phone and email systems.
Of course, local and state governments want to avoid making the difficult decision about whether to pay a ransom. Still, cyberattacks will continue to persist as cities become more connected, which provides more entry points for hackers. The smart city IoT market is expected to grow to nearly $220 billion by 2023, an annual growth rate of 22.5% over five years.
“Municipalities lack the personnel and the technology to run and maintain secure systems, they may be in a position of having outdated software and hardware for which a patch may not be available. A criminal can exploit the vulnerability to hold a city at ransom.”
Cracks in the System
There are still critical gaps in how cities and states safeguard IT infrastructure and data against a potential cyberattack. A recent survey found that nearly half of U.S. states don’t have a standalone cybersecurity budget, and most spend less than 3% of their IT budgets on cybersecurity.
Megan Stifel is executive director of the Global Cyber Alliance (GCA) in the Americas, an international nonprofit whose mission is to reduce cyber risk through cybersecurity best practices. She says hackers know that municipalities often have fewer resources than for-profit entities. It’s a problem that could get worse with budget cuts resulting from the novel coronavirus outbreak.
“[Municipalities] lack the personnel and the technology to run and maintain secure systems,” Stifel said. “They may be in a position of having outdated software and hardware for which a patch may not be available. A criminal can exploit the vulnerability to hold a city at ransom.”
Cities have turned to the federal government for funding help. In late April, a coalition of a dozen government organizations, including the National Governors Association, the National League of Cities, and the National Conference of State Legislatures, asked Congress for increased cybersecurity funding. In a letter to Congressional leaders, the group wrote, “the response to the ongoing COVID-19 pandemic creates unique challenges for continuity of government and the ability to provide timely and critical services to citizens.”
They’re asking Congress to fully fund a dedicated cybersecurity program to help governments implement programs for remote work, to detect, analyze and shield against cyber threats, and strengthen relationships at all levels of government. Even before our current crisis, technology and security leaders urged Congress to pass legislation that would allow state, local, and tribal governments to apply for funding from the Department of Homeland Security (DHS) to protect against cyber threats.
“We’re bringing to bear all of those intellectual resources, plus the technology and the infrastructure, to be able to meet the needs of a growing threat across the globe.“
A Secure Path Forward
Whether or not the federal government steps in, cities and states will have to be proactive in protecting themselves.
Hardie Davis, Jr. is the mayor of a city some call an unexpected global cybersecurity capital — Augusta, Georgia. Located near the Georgia-South Carolina border, Augusta is mentioned alongside global “Cybercon Valleys” like Tel Aviv, Washington, D.C., and Boston. The city is home to the Georgia Cyber Center and the U.S. Army Cyber Command, which have brought thousands of cybersecurity specialists to the area while training the next generation.
“We’re bringing to bear all of those intellectual resources, plus the technology and the infrastructure, to be able to meet the needs of a growing threat across the globe. That certainly warrants us being held in high regard,” Davis said.
He stressed that at the local level, one of the most crucial yet unpredictable factors in securing a city’s infrastructure and data is its employees. “You have to have a ready, trained workforce that’s able to recognize threats.”
GCA’s Stifel agrees. She encourages governments to create a culture of cybersecurity through awareness and training on topics like phishing scams, social media usage, and social engineering. “We want to see that cities are regularly, annually at least, training their employees around cybersecurity.”
Cities are also partnering with the private sector and nonprofits to fill the security gap. GCA has launched several initiatives to address the unique cybersecurity challenges of connected cities, including an ecosystem that allows cities to test the vulnerability of IoT devices before deploying them. Their DNS service protects wi-fi users — government employees and citizens — from accessing known malicious websites. The City of New York has adopted the service on its public wi-fi.
The need for cybersecurity is so pervasive and urgent that the only way to build solutions that rise to the challenge is through public-private partnerships, says Nicholas Lalla, co-founder and director of Tulsa Innovation Labs. “That’s why we’re seeing cities, big and small, forge creative collaborations and taking ecosystem-wide approaches,” he said.
His organization, a tech-led economic development organization, is building public-private partnerships by creating links between cyber and growing industries like telemedicine, energy, and agriculture to position Tulsa as a tech hub.
One project that shows the power of partnerships is the TU-Team8 Cyber Fellows, a specialized doctoral fellowship in computer science. The program is focused on commercializing cyber research projects between the University of Tulsa and Team8, a cyber venture creation company founded in Tel Aviv.
“Together, we’re supporting ten doctoral students each year and plan to spin off new companies into the Tulsa ecosystem,” Lalla said.
Another option that many cities have not considered: cyber insurance. These policies, also known as cyber risk or cyber liability insurance coverage, offset recovery costs after a cyber-related security breach. The City of Augusta quietly took out a policy a few years ago after watching other cities, including their sister city Atlanta, become the targets of hackers. After its ransomware attack, Lake City was only responsible for a $10,000 deductible thanks to its cyber insurance policy.
Surprisingly, even with an increased risk of cyberattacks, this type of insurance has struggled to gain traction. In 2015, Allianz, one of the world’s largest financial groups and a cyber insurance provider, predicted that cyber premiums could reach at least $20 billion by 2025. But growth has been slow. By 2018, net written premiums in the U.S. only totaled $1.94 billion.
The pandemic has created a fierce urgency for cities to become better prepared for vicious cyberattacks. Governments no longer have the ability to debate policies and procedures – the pandemic has accelerated digital transformation and in parallel, increased vulnerabilities. As cities become more connected, every new device and service, from desktop computers to connected traffic cameras and parking meters, is a means of access for malicious malware. The federal government must act immediately to provide funding, support, and resources to our state and local governments while communities continue to be vigilant in addressing ongoing threats through technology, training, and public-private partnerships – all the tools necessary in creating smarter and more secure cities.