As a resident of Madeira Beach, several months ago I expressed apprehension to city government officials about the absence of both managerial and security controls in the city’s information system. Through both email and a hard copy letter I presented my credentials as a full professor in information technology who has extensive international experience and suggested a complete and detailed analysis of the architectural inadequacies of the information system. My concerns were based on anomalies that occur with the management and storage of critical information or the lack thereof and the high probability that cyber attacks would disable critical functions. My concerns were unanswered.
Riviera Beach and Lake City are among the more than 50 cities that have been the target of ransomware attacks during the past two years, including Atlanta in March of 2018 and Baltimore in May of 2019. Disruptions occurred with their life-saving services, document management systems such as real estate records, health alerts, email, telephones, and online payment systems. After the cyber attack in Atlanta, travelers to the world’s busiest airport could not use the free Wi-Fi. Often, the costs incurred to rebuild the information systems are higher than the ransom itself. For example, both Atlanta and Baltimore (both cities refused to pay the ransom) estimate that recovering from the attacks could cost $18 million.
While the damage from cyber attacks can be mitigated if the data is backed up regularly on secure computers, chief information officers of local governments admit that they often are using outdated technology that does not even provide for secure off-site back-ups. Thus, municipalities are vulnerable to ransomware attacks because they choose to remain blind to the increasing trend in cyber attacks and are not interested in investing in the resources to upgrade outdated technology that can be up to 20 years old and/or to install security hardware and software that has the most recent and necessary features. Meanwhile, cybercriminals are growing more sophisticated and thus more difficult to defend against.
While many cities, especially the smaller municipalities, may lack the budgetary requirements to roll out the necessary training and technology, there is a solution. Just as smaller municipalities use the service of the Pinellas County sheriff for police-related activities, they could form a coalition in order to achieve economies of scale when addressing this problem.
A start would be to form an ad-hoc committee consisting of members from the cities who are interested in arriving at a mutually agreeable solution. The mandate of the committee would be to establish guidelines and a budget and to identify an appropriate vendor. The vendor must have an established successful track record and be capable of implementing the proper technology and security services, provide training for government employees, and deploy a system that will deter future hacks by cybercriminals. Since this is a critical issue that must be addressed, this may require a grassroots push to make cities understand its importance. Otherwise the question is not if one of our cities is held up for ransom, but when.
Clive C. Sanford, Madeira Beach