What It Will Take to Protect Cities Against Cyber Threats

When Gary Brantley stepped into the role of Atlanta’s chief information officer in October 2018, he inherited a system still reeling from a crippling cyberattack that forced employees to revert to pen and paper. It didn’t take him long to see just how inviting the city’s operations were to hackers.

“We had close to 400 applications, several that were redundant, meaning they did all the same thing across multiple agencies,” Brantley said. For instance, there were five email programs, four customer resource managers and several permit application systems — each one a potential window of opportunity for cybercriminals. “What you end up finding is, it makes it really hard to secure the whole system and put a real strong strategy in place.”

Atlanta’s recovery efforts took more than a year and cost at least $7.2 million, according to Mayor Keisha Lance Bottoms’ testimony to Congress in 2019. By the time Brantley left his position in November 2020 and started working for the private sector, he had overhauled the security of not just a handful of agencies, but the city’s entire network. Bottoms said they would use the experience to make Atlanta a “model city” for other municipalities.

The attack on Atlanta, plus the many more that targeted other major cities like Baltimore and New Orleans, as well as contractors and utility companies, have reinforced calls to make cybersecurity a top priority. Compromises at the local level, experts say, also threaten critical infrastructure, potentially disrupting the supply of water and electricity to millions of people — the way the Colonial Pipeline hack in May fueled a gas shortage in parts of the East Coast — or something arguably worse, like poisoning the drinking water supply.

Cities often make for easy targets; hackers can have multiple entry points because of a city’s size and organizational structure, built long before cybersecurity became an urgent matter. Multiple departments often use different platforms, and agencies may not always keep up with software updates. For opportunistic hackers, who home in on just one overlooked vulnerability after scanning a system, the attack takes little effort — but reaps potentially huge rewards.

That means preparing cities for future attacks can seem like a game of whack-a-mole, with employees patching one vulnerability only to find new ones down the line. And even as cybersecurity experts advise “basic digital hygiene” measures like training staff on best practices and hiring firms to probe for weaknesses, some cities are scrambling to keep up with new threats.

Cyberattacks on state and local governments have been rising in both frequency and cost, according to a recent report by the cybersecurity firm BlueVoyant. Between 2017 and 2019, there were at least 108 hacks — though many more have likely gone unreported — with ransom demands rising from a monthly average of $30,000 to $500,000. The majority of the 25 most populous cities have some sort of insurance policy, according to a Wall Street Journal survey in 2018. Some have premiums as high as hundreds of thousands of dollars and cover millions of dollars’ worth of things like legal liabilities, computer-forensic expertise and extortion demands. Paying the ransom doesn’t guarantee a city gets all its data back, and can even encourage future attacks, while refusal to do so can end up costing municipalities even more to recover.

“Environment of Awareness”

In many cities, positions like Brantley’s are relatively new, and security teams may be understaffed and underfunded. Until recently, few public officials paid much attention to cybersecurity, much less made it a priority, and more often than not, cities don’t have a clear picture of where all their vulnerabilities lie.

“If you don't know what you have, you can’t protect it,” says Brantley. “The first thing I wanted to know was what our portfolio looks like, and how we can find what else may be out there.” The early efforts involved figuring out what needed to be retired, streamlined, patched and modernized. One of the biggest improvements was to segment the network so hackers couldn’t “travel” from one department’s system to another, and add layers of identification requirements. 

Brantley set out to create an “environment of awareness,” which meant putting in place new policies and procedures for procuring new contracts and building out new systems. And he expanded the security team, from three people to about a dozen by the time he left. They monitor the city’s entire network for potential attacks, and oversee the security for new projects.

“One of the most vulnerable times for an organization is when they are transforming,” he says. “So when you're going from one system to the next, did you close down all of the holes on the old system that may give someone access to the new one? Did you turn everything off that needed to be turned off, and did you cut access to people who had access?”

Getting support and approval from the city for his projects was sometimes time-consuming, but Brantley says he was largely able to secure the funding he needed because Atlanta officials understood the urgency. Preventative measures, though, can be a much tougher sell to public officials amid competing projects in cities that haven’t experienced an attack. “A lot of these political officials, they run on specific promises, and none of those are cybersecurity,” he said.

Staying Vigilant

Even after all that, Atlanta isn’t immune to future attacks; no city is. 

“If you look at the number of vulnerabilities and the frequency of new vulnerabilities being discovered, they have gone up tremendously,” says Michael Makstman, chief information security officer (CISO) for the city of San Francisco. Even if your organization had perfect security before, “you have to run faster just to stay in the same place.” 

Makstman is also a founding member of the Coalition of City CISOs — along with officers from other major cities like Detroit, Los Angeles and Seattle — formed in the fall of 2020 to exchange ideas and solutions on how to educate public officials, residents and other security officers about cybersecurity. 

Cities are complex, made up of multiple agencies serving residents’ needs of all kinds, and they must navigate conflicting priorities, like balancing the need to keep data safe with the need to remain transparent. What’s good for protecting the system against potential hackers can hinder collaboration between departments, or raise surveillance concerns. Efforts to silo city networks may counter efforts to make data sharing easier among different agencies, for example. And while collecting data on who uses public library computers and how can, in theory, help monitor potential hacks, it would also erode the public’s trust in the institution.

Too often, Makstman argues, that complexity gets lost in the calls for cities to secure their networks. Plus, the budget needed to upgrade such a complex system isn’t always there. “The world is becoming more dangerous, unfortunately,” he adds, “and I think it's a little bit disingenuous to say the local government is not patching fast enough.”

That’s not to say cities can't make gradual changes to protect themselves against the worst outcomes of a cyberattack. 

“What we can do is design and architect our environment — and this is what I've been focused on for the last 3.5 years — in such a way that a compromise or a mistake does not lead to catastrophic impact for the whole city,” he says. “We can survive, and not implode.”