Over just eight weeks, four Florida cities announced network security breaches.
Riviera Beach and Lake City respectively paid $600,000 and $460,000 ransoms to online shakedown artists to recover their systems. Naples was bamboozled out of $700,000. Key Biscayne reported a data security “event,” but officials refused to say if any money was stolen, citing an ongoing investigation.
Cybersecurity experts say the number of attacks on cities is likely to keep rising.
Sri Sridharan is the director of Cyber Florida, a cybersecurity-focused partnership of government, academic and private organizations. Sridharan notes that the estimated 13,000 unfilled security positions across the state reflect a growing demand for cybersecurity workers. At the same time, shoestring municipal technology budgets and more lucrative jobs in the private sector make it difficult for government IT managers to hire and retain talent.
“They come to us and they ask this question: ‘We have a lot of taxpayer data, we have a lot of personally-identifiable information for citizens, and we have to safeguard it. We don’t have it in the budget, and if we have the budget, we can’t find the people. What do we do?’ ” Sridharan says.
In addition to resource constraints, city IT departments face network attacks on more fronts than private companies.
Cities — which are required by law to disclose contracts, budgets and employee information — are susceptible to highly targeted phishing operations, as in the case of the recent attack on Naples, Florida. Phishing is when a hacker tries to trick an email recipient into clicking on a malicious link by impersonating someone trustworthy. In the case of Naples, hackers impersonated the email address of a construction company that the city hired for a utility improvement project, and swiped $700,000 in taxpayer money before officials caught on.
Money is motivating, but hackers aren’t always after quick cash. Personally identifiable information, known as PII, can be used for identity theft.
“The government agencies collect, use, and share enormous volume of citizen PII,” says Srini Subramanian, a principal in Deloitte’s Cyber Risk Services. That PII, in the form of bank account or property information, is collected when residents pay water bills or purchase homes.
“A lot of data ends up on the dark web, and it’s disturbingly cheap to buy,” says Miloslava Plachkinova, the interim director of the University of Tampa’s cybersecurity program. Social Security numbers cost as little as $2 and bank account information runs from $10 to $25 per account. Medical records are also available on the dark web, which can be valuable for criminals looking to defraud insurance companies.
Sagar Samtani, an assistant professor at the University of South Florida, notes that after hackers identify a target, they usually start by finding a vulnerability in the system. “Once they gain a foothold, their move is going to be to go laterally to other assets,” which can include databases containing customer information, Samtani says.
When company networks are breached, hospitals, cities and private companies may choose not to announce an attack, or may be encouraged to stay silent to preserve the integrity of ongoing investigations.
Malware can lie dormant in a computer network for months, making cyber crime statistics inherently fuzzy.
“To be able to report it means that you have to be able to detect it,” says Kevin Stine, the chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology’s Information Technology Laboratory. “It’s quite possible that many attacks go undetected; if not for a very long period of time, until well after the attack occurred.”
If a city does get hacked, Plachkinova says that paying the higher costs to restore systems is preferable, regardless of the expense. The cost can be extracted in bitcoin, the decentralized digital currency that is hard to trace.
In May, Baltimore refused to pay hackers a 13 bitcoin ransom, valued at around $75,000 at the time of the attack. That decision will ultimately cost the city $18 million in recovery efforts and lost productivity for city departments. Months later, the city is finally issuing retroactive water bills, shocking residents with the cost of four months’ worth of water usage.
“Cities pay the ransom and move on, but they don’t realize that this money goes out to funding these types of hacker groups and organizations,” says Plachkinova. “They’ll just continue to come back — maybe not to that exact same company, but other organizations.”
Historically, victims of reported ransomware attacks tended to refuse to pay hackers, but that’s starting to change. Some cities and states carry cyber insurance, meaning taxpayers will only foot the deductible for the claim. In Lake City, the city paid only $10,000 for coverage on the nearly half-million dollar claim.
“I’m not sure how sustainable that is,” says Subramanian of insurance companies covering ransom payments. “It’s also not the answer to the cyber hygiene training and actual measures that companies can and must take to protect systems.”
In a twist to the Lake City saga, the municipality’s former chief of IT just sued the city after it blamed him for the breach and fired him, The New York Times reported. Brian A. Hawkins said he had warned the city about security gaps and had advocated for the purchase of a cloud-based backup system.
Experts disagree on whether most cities carry cyber insurance, and numbers are difficult to pin down, since publicizing coverage could be an open invitation for opportunistic hackers looking for a target that is likely to pay up.
The problem is that payments could raise premium costs and encourage future cybercrimes.
“I think this is just the early stages of cyber insurance,” says Subramanian, noting that the industry has only around 20 years’ worth of data to analyze. “There is a fairly small number of sample years to determine the risk and really put a dollar amount to it.
“In the past six to 12 months, there is a trend of the municipalities and cities starting to pay ransoms, because some of the cyber insurance does cover it,” Subramanian says.
Regular system backups are crucial to network security, but for organizations hit with ransomware attacks, free decryption tools are available through Emsisoft and Kaspersky, or Europol’s No More Ransom project. Decryption tools attempt to detect the strain of malware in the system and decode it.
Considering how personal information might end up online is important for anyone with an online presence. Plachkinova encourages consumers to keep an eye on credit alerts and to think critically about what types of information mobile applications are trying to access and whether they really need those permissions, such as mobile games that request access to location information, texts and a device’s microphone and sensors.
“If your flashlight is asking for access to your contacts, and your email, that’s not OK,” Plachkinova says.
This article has been updated to correct the approximate number of vacant cybersecurity jobs in Florida.