In those attacks — seen in California, Florida, North Carolina and beyond — municipal computer systems have been compromised by malicious actors who often are looking to make a quick buck. In early May, Baltimore’s government computers were infected with “ransomware” — employees were locked out of various files, hamstringing city business, and the city was asked to pay a five-figure sum to unlock them once again. In late August, the Baltimore Sun reported that the city likely will lose at least $18.2 million on a combination of revenue setbacks and recovery efforts.
Maureen Storstad, city finance director, said Grand Forks has $500,000 of coverage for an annual policy premium of $7,828.
“It’s nationwide, and it’s all over the place,” said Kitt McNamee, a network administrator with the city of Grand Forks, referring to the spate of attacks. “And it’s affecting a lot of the cities, even the smaller cities. Because it’s so popular now, they’re demanding a higher payout because they’re demanding cyber insurance. (We’re) just trying to be as protective and defensive of our network as possible.”
Those efforts can prove not only damaging, but remarkably cinematic. The Sun reported on some especially notable details from its own city hall attack, include a “ransom note” that accompanied the incident.
“We’ve been watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the note read. “We won’t talk more, all we know is MONEY!”
Prakash Ranganathan is an associate professor in UND’s School of Electrical Engineering and Computer Science, and leads a university lab where he researches cyber security issues. In an interview, he used an acronym — “SECURE” — to describe what organizations should do to keep their data and their systems safe.
The S is for regular software updates — to operating systems, antivirus programs, and the like — and the E is for encryption. C is for something the general public might not know much about — “cyber insurance,” tailored specifically for the risk of an online attack — and U is for “user access control,” which means tightly controlling who gets to access what, perhaps with a two-step computer log-on process that requires both a password and access to a paired cellphone.
The R and E are for “recovery planning” and “education,” respectively, both of which are more human-side items that suggest making a plan to respond to an attack and actively educating employees, users and the like about cybersecurity.
McNamee said the city is addressing all those items in some way, though encrypting information is something “we’re getting our feet wet with.”
“We’re looking at bringing that into our network in places that need that,” she said.
She also said City Hall’s information technology department regularly monitors likely threats and advises employees to stay aware of potential threats — like a fishy email, for example.
“I think it is increasing globally, everywhere,” Ranganathan said of cyber attacks, ticking off a list of U.S. locations where they’ve occurred — from California to Ohio, where recent attacks hit an airport near Cleveland. “I think it’s actually cutting across all domains, and the number of data breaches is actually growing as well.”