As Baltimore recovers from a breach of its 911 dispatch system on Sunday, cybersecurity experts say it’s a chance for the city to reinforce the networks within its municipal agencies to stave off future attacks.
And more attacks are coming for sure, these experts say. Generally, municipalities don’t fully understand their risk and addressing the problem is less about funding and more about government culture, they said.
Baltimore’s 911 dispatch system was hacked Sunday morning, shutting down automated dispatches for 911 and 311 calls, after a port to the internet was inadvertently left unprotected. Hackers running automated scans looking for such vulnerabilities found and exploited it, much like thieves who check for unlocked doors and windows.
The breach, a ransomware attack carried out by unknown actors, follows recent cyberattacks on cities like Atlanta, where multiple systems were disabled over the weekend, and Dallas, where emergency sirens went off for hours last year.
From stealing residents’ identifying information to disabling emergency response systems, “the list of things that can be done is as long as your twisted imagination,” said Richard Ford, chief scientist of Forcepoint, an Austin, Texas-based cybersecurity firm that acquired Baltimore-based RedOwl last year.
Systems like emergency dispatch centers and networks that contain financial transaction information are particularly vulnerable and lucrative to hackers wishing to create chaos or turn a profit.
“To see a 911 system attacked, it’s disturbing but it’s not surprising,” said Rick Forno, assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity.
Chad Howard, the IT manager at the Henry County 911 center in Paris, Tenn., knows all too well what Baltimore is going through. In 2016, his center was the victim of a similar ransomware attack, when hackers got into the computer-aided dispatch (CAD) system through a port, or a channel to the internet, and by finding a staff list and guessing the forgotten, insecure password of an employee who had died.
Like in Baltimore, dispatchers were able to handle 911 calls manually after the breach, but “it shut down our CAD system completely,” Howard said.
The CAD system was down for about 36 hours, and even when it got back up and running, “we were limping,” Howard said.
They had backups of data, but the most recent backup had occurred six days prior to the attack, so the system permanently lost six days of data. Once operating systems were reinstalled, they didn’t have the software patches that had been applied over the years, so nothing worked as it had before the hack, Howard said. And some of the patches no longer existed, he said.
Howard estimated the recovery cost his city about $20,000. His advice for other jurisdictions? “Layers of security. Layers upon layers upon layers.”
Municipal services become increasingly vulnerable to hacks the more they are integrated with online networks.
“As you leverage these new technologies, they come with a certain amount of risk,” said Amit Yoran, chairman and CEO of the Columbia cybersecurity company Tenable. “They’re exposed to all the potentially bad actors on the internet.”
Yoran said cities and counties need to manage those risks more proactively. To start, cities like Baltimore should take stock of their networks to understand their exposure, assess the risks and patch vulnerable areas. Most cities and counties don’t have a strong picture of their networks’ security, Yoran said.
“We find that organizations which have a culture that … emphasizes good ‘cyber-hygiene’ end up with a radically different exposure profile than their peer group,” Yoran said. “I don’t think this is a matter of budget. The problem here is most frequently a cultural one.”
A report released last year by UMBC and the International City/County Management Association (ICMA) detailing the cybersecurity practices of local governments found that the agencies struggled to fund and staff their cybersecurity programs.
“One of the most important findings was that large fractions of local governments do not know if they are under attack. They do not know if they’ve been breached,” said Donald Norris, a professor emeritus of public policy at UMBC who surveyed thousands of local governments for the study. “This kind of thing can happen anytime to anybody whose cybersecurity policies and practices are not just top notch.”
Even when local governments do have top-notch cybersecurity, Norris said, one mistake by one employee — opening a malicious email, leaving a port open — can open the door to an attack.
Cory Fleming, program director for the ICMA, said the report shows government workers need better training and stronger cybersecurity policies to protect against attacks.
“When you look at some of those statistics, they’re not necessarily following through and paying attention to cybersecurity,” she said.
Yoran also suggested implementing complex user authentication techniques, such as face and touch recognition. He sees too many organizations relying on usernames and passwords to identify users.
“If you are, you’re starting with an abysmal ‘F,’” he said.
Building strong cybersecurity into networks can be challenging for cities with limited budgets, where the physical needs of citizens are more pressing. But money is not often the answer to cybersecurity breaches.
“You’re never going to spend your way out of cybersecurity hell,” Ford said.
Maintaining network safety over time is more cost-effective that continually fixing problems caused by hacks. And organizations should monitor their systems consistently for signs of breaches, which can come from a range of actors: criminals, nation-state actors, hacktivists and other troublemakers.
“As we have a lot of international instability, I think there are concerns around attackers that might go after critical infrastructure for nation-state type activities,” Ford said.
For example, the Trump administration recently accused the Russian government of a concerted effort to hack into U.S. utilities and the nation’s power grid.
Hackers’ motives are varied, too — from creating mayhem to making money.
After hacks, cities should reevaluate the security of their networks and consider other potentials for failure. Ford said municipalities have to think about long-term, broad security goals rather than responding only to individual crises.
“It should drive the creation of crisis plans across many of your critical services,” Ford said. “Don’t fix the specific problem; fix the bigger problem.”
Every incident should be a learning experience, Forno said. “You don’t want to have the same attack twice,” he said.
Lester Davis, a spokesman for Baltimore City Council President Bernard C. “Jack” Young, said he expects the council will address the breach and what needs to been done to prevent another one in the coming weeks, and in a public setting.
“There will be an opportunity for the public to be walked through exactly what happened, and then an opportunity for the administration to talk about safeguards being put in place, and what those safeguards are, so that the chances of something like this happening again in the future are greatly diminished,” Davis said. “That’s the bare minimum.”
City Councilman Brandon Scott, chair of the public safety committee, said the city must be “more prepared,” and that he plans to call officials from the Mayor’s Office of Information Technology before his committee to explain what happened.
“It’s fortunate that it didn’t go further than it did, and no other services were gotten into,” Scott said of the breach. “But cybersecurity on the city infrastructure is an issue that I’ve raised before. We don’t spend enough money on it, and we should spend more to make sure that we’re prepared.”
Baltimore, together with the FBI, is still investigating the source of Sunday’s ransomware breach.
Dave Fitz, a FBI spokesman, confirmed the city had turned materials over to the federal agency but otherwise declined to comment.
Although it’s uncertain where the next attack will come from, one thing is clear: hacks on city agencies will continue and become more frequent, experts said.
“You’re really in the risk management business not the risk removal business,” Ford said. “It’s tough and unfortunately it’s only going to get tougher.”
©2018 The Baltimore Sun Distributed by Tribune Content Agency, LLC.