COLUMBUS, Ohio (WSYX) — One year after experiencing a massive ransomware attack, the City of Columbus is making a major move to strengthen its digital defenses.
Council approved a $23 million investment into a modern cybersecurity initiative designed to protect against both internal and external threats during its July 14 meeting.
The overhaul introduces what is called a “zero-trust network,” which requires strict identity verification for anyone accessing city systems, including all city employees.
“Columbus is facing persistent and sophisticated cybersecurity threats,” said Jennifer Fening, Deputy Chief of Staff with Mayor Andrew Ginther’s office. “These threats are constantly evolving and increasing in sophistication. Cybersecurity experts and researchers have developed the ‘zero-trust network’ to adapt to these threats. ‘Zero-trust’ is not a product, but a shift in security mindset, architecture, and operational approach.”
The ‘zero-trust’ model assumes no user or device— inside or outside the organization—can be inherently trusted. Instead, every request for access must be verified through multiple layers of authentication.
“It also includes segmenting an organization’s network into smaller, isolated zones or microsegments,” Fening added. “These microsegments are typically aligned with organizational units such as departments or workgroups, are intended to limit unnecessary network traffic between segments, and are designed to prevent unauthorized movement between segments.”
“Zero-trust networks are a relatively modern concept,” said Carter Yagemann, Assistant Professor of Computer Science and Engineering at The Ohio State University. “They’ve really only gained popularity in the past few years. It’s not uncommon for many enterprises to still rely on perimeter defense. Switching to zero trust is a much more proactive step toward best practices.”
Yagemann commends the City of Columbus for taking a forward-thinking approach.
“Zero trust networks are a relatively modern concept,” Yagemann said. “They’ve really only become popular in the past couple of years. So, it’s not uncommon for a lot of enterprises to still be doing perimeter defense and switching the zero trust is definitely a much more proactive step towards best practices.”
Findings in the city’s ransomware investigation report were expected to be released in mid-2025, though no details have been made public.
“You can imagine with how large the city’s network is and how many different buildings and organizations they have to serve,” Yagemann added. “Even the smallest changes are long and difficult processes with pickups and learning curves. The fact that they’re taking a step is important and speaks a lot.”
City officials told ABC 6 that the initiative will launch later this year, with the zero-trust network expected to be fully operational by 2027.
