A ransomware attack targeting Colonial Pipeline created chaos last month when it disrupted operations responsible for carrying 2.5 million barrels of fuel a day – 45% of the East Coast's supply.
Think it couldn't happen here? It already has.
“The city, the county, and (City Utilities) are under constant attack, 24/7,” wrote Jack Haley, chief information officer for the city of Fort Wayne, in an email. “(We) work together to face these threats. Every moment our firewalls detect intrusion attempts. Every moment our public-facing assets are probed for known security vulnerabilities.”
Haley noted all organizations face an unending barrage of “phishing” emails – attempts to access their computer networks.
“While we need software tools to defend against intrusion, we also need the agility to make the crucial changes when required. When new vulnerabilities emerge, we're in a race to patch the vulnerability before the criminals can develop an attack and target us,” he wrote.
Haley said city officials were notified on March 2 of a major Microsoft email vulnerability and patch.
“We had to apply the fix before the inevitable attack was turned toward us,” he wrote. “Constant examination of our systems and simplifying our operations are key to staying agile enough to be ahead of the threats.”
Part of the strategy is a software upgrade. City Council last week approved four ordinances related to the upgrade, authorized at a cost not to exceed $588,768. Ransomware attacks are not the only concern, according to Haley.
“Certainly cybersecurity is a constant worry. But we have threefold needs to address: cybersecurity, facilities and equipment,” he wrote. “Ransomware is in the news now, but it's been a threat for years. It's not the only worry. We also have to protect our data center.”
Aging equipment is a concern.
“The world has changed and stretching computer equipment past the end of its supported life is a false economy we can't afford,” Haley wrote. “These changes will be expensive, but failing to make these changes could be even more costly in lives and dollars.”
The software and equipment upgrades are vital investments in protecting residents. Other communities have already faced damages. In April, hackers targeted the computer network of Logansport Community School Corp., shutting down the internet and phone systems in every school building and forcing the district to move to e-learning the next day. The cyberattackers demanded a Bitcoin ransom, but the district did not pay, Superintendent Michele Starkey told a Lafayette TV news station.
Last month's Colonial Pipeline attack ended with the company paying 75 bitcoins – about $4.4 million. The U.S. Department of Justice announced this week it had successfully reclaimed about $2.3 million.
The ransom payments are controversial. Cybersecurity experts at Indiana University-Bloomington, writing for The Conversation, address the ethical issues involved, in terms of encouraging continuing attacks or limiting exposure to greater harm:
“(T)he message is mixed,” write Scott Shackelford, law professor and director of IU's Ostrom Workshop Program on Cybersecurity and Internet Governance, and Megan Wade, a research affiliate for the program. “Law enforcement agencies encourage victims not to pay, but paying ransom is not illegal, and even police departments have been known to pay up when their systems have been compromised. And while the Treasury Department has been investigating new financial penalties against payment of ransoms, to date none have been levied.”
The best way to avoid the cost, damages and ethical dilemmas, of course, is to do everything possible to prevent an attack. Cybercriminals are as close as the nearest keyboard. Public officials must have the tools to lock them out.