Two major U.S. cities were crippled this week by ransomware, but even in the heart of Silicon Valley, Bay Area government officials tasked with safeguarding a growing trove of sensitive data feel vulnerable to what they see as a constant and ever-evolving threat.
More than one-fourth of U.S. local governments are subject to hourly cyberattacks, according to one recent national survey, and about one in seven experience yearly electronic security breaches that result in confirmed unauthorized access to sensitive information and systems. Nearly one-third said the hackers were seeking ransom.
"Every city sees on a routine basis ransomware attacks; it's just a matter of which ones get through," said San Jose Chief Information Officer Rob Lloyd. "We've had minor ones we've been able to resolve. You lose a little ground, but you recover. We really feel for our colleagues in Atlanta and Baltimore. No one's immune to these types of attacks. Everyone is running into the same type of threats." In a virtual briefing with Techwire last June, Lloyd cited cybersecurity as his top priority.
In Oakland, hackers in 2014 shut down various city websites, including the police department's, and two years earlier released personal information, including home addresses, of city leaders. Spokeswoman Karen Boyd said there haven't been any recent ransomware attacks, but it is always a concern.
"Attacks like the one that occurred in Atlanta remind us that it is critical that we continue to build upon the security systems we have in place to keep our city safe," Boyd said.
On March 22, ransomware rocked Atlanta with a "digital extortion" that the New York Times called "one of the most sustained and consequential cyberattacks ever mounted against a major American city." Dell SecureWorks, an Atlanta company helping the city respond, said it was the work of a hacking crew called "SamSam" that demanded $51,000 to free the city networks.
On Sunday, an attack on Baltimore shut down the city's automated emergency dispatching for some 17 hours, according to the Washington Post. On Wednesday, the city's chief information officer declared it the work of "ransomware perpetrators."
Officials in Walnut Creek and Contra Costa County had no immediate response to how often they are attacked. Lloyd said that San Jose's efforts to keep ransomware hackers at bay "starts with individuals being vigilant with own practices."
"That's a key part of our cybersecurity plan — making sure our practices and habits lend to a more secure environment," Lloyd said.
Boyd said that "Oakland's Information Technology Department takes security concerns very seriously and has technology and protocols in place to protect the city's assets and maintain security."
Ransomware is one of many types of security threats they must guard against, in which hackers commandeer computer systems and threaten to destroy data or paralyze networks unless they are paid.
"It's really alarming, frankly, what's happening in Atlanta, but many people in the national security space have been worried about this for a long time," said Kenneth Geers, senior research scientist at cybersecurity firm Comodo.
In 2016, the International City/County Management Association, a professional organization for local government administrators, surveyed 3,423 local governments serving populations of 25,000 or more on cybersecurity.
The association found that 26 percent reported experiencing attempts to gain unauthorized access at least once an hour, and 32 percent said the motivation was ransom. And 16.3 percent reported security incidents at least once a year in which their network security was compromised. About one in seven, 14 percent, reported security breaches at least once a year in which unauthorized access was confirmed.
But "the most troubling results," the survey study authors said, were "the high percentage of respondents that did not know how often they are attacked (27.6 percent) and experience incidents (29.7 percent) and breaches (41.0 percent)."
The cost of data breaches can be staggering. A 2016 BetaNews article put the total average cost of a data breach at $6.53 million, including $3.72 million in lost business. Fleming said it's become so costly that some municipalities are buying insurance to cover the costs of cyberattacks.
Local governments spend billions on information technology — more than $30 billion for cities and $22 billion for counties, according to a 2017 report in Government Technology magazine, Techwire's sister publication. But the typical state or local government agency spends less than 5 percent of its information technology budget on cybersecurity, while the typical commercial enterprise spends more than 10 percent, according to the management association report.
But guarding against attacks requires more vigilance than money. Security requires funding for hardware and software capable of detecting, cataloging, and preventing attacks, and for a sufficient and well-trained cybersecurity staff.
"The good news," the report said, "is that, for the most part, local governments can ... improve cybersecurity without spending a lot of money."
This article includes reporting by Techwire.
(c)2018 the San Jose Mercury News. Distributed by Tribune Content Agency, LLC.
