FEATURE Review
by Scott Meyer, City Administrator, Cape Girardeau
Cybersecurity Lessons: Keep Your City Protected
theReview September/October 2020

As I prepared for the Martin Luther King holiday weekend, I looked forward to some time to stay in town, take in some of the MLK Celebration events, and rest. It had been a mild winter thus far, so I was thankful for the good fortune that might keep the city of Cape Girardeau from dipping into our contingency for snow and ice materials, and overtime hours for this fiscal year. No one had a clue just how different and difficult 2020 was going to be, and the upside-down of 2020 started earlier than most.

The first clue that something was wrong was when my city account email stopped receiving emails. The next day our finance director notified me it was more serious, and by the end of that day, we were setting up an Emergency Operations Center (EOC) meeting to update key city officials and staff and set a course of action.

What we knew in the early hours after discovery of the problem was:
• Our email system was down.
• Our phone system was not affected.
• Network files were inaccessible due to encryption.
• Files stored on individual computers were not affected.
• Data on some of the network storage device(s) was erased.
• Nothing on the servers was accessible including utility billing, accounting, licensing, permitting, cashiering, GIS and court software, as well as all daily working files for most departments.

Cloud-based software and data was still in place, including 911, e-ticketing, body camera recordings, parks and rec software, etc.

A cyberattack was suspected, and we were concerned that a server was taken down and destroyed. We soon found out it was an attack and ransom was demanded. Our data stores were encrypted by RYUK Ransomware, and hackers, through some type of password keylogger, acquired many of our administrators’ passwords and deleted all of the data from some of the city-owned network storage device(s).

Staff moved on several fronts:
• Contacted FBI and its cyberattack unit.
• Contacted the insurance company for our cyber insurance.
• Developed a plan to keep up our business processes and continue serving customers.
1. Set up Gmail accounts that mirrored our city accounts.
2. Published cell phone options to reach city offices.
3. Began to work on utility billing and set up processes to accept money and credit card payments, as well as cut checks to pay vendors.

Fortunately, staff had just gone to an off-site, time-keeping and payroll system that meant our employees would be paid.

The FBI agent gave staff the authority to tell the public that the City had involved them and were taking the attack seriously. The FBI also provided statistics to share with our citizens.
• About 200 public agencies are attacked each year, almost one every other day.
• Most attackers are never caught. Attackers are very sophisticated and helpful to the “client,” even to the point of having a “help desk” to get data unencrypted should there be an issue.

This cyberattack was a true emergency, one that required tapping into all redundant and backup systems to keep the City running, and to rely on our city experts.

The insurance company took the lead in the City’s response. It was critical to not do anything that would jeopardize our coverage. At first, daily meetings were held to work through problems and develop communication strategies, both internally and externally. It was important to manage and coordinate all messaging with the insurance company. The early message was that it was an IT issue, but quickly migrated to a cybercrime that could not be discussed due to the FBI investigation, and then to a more vague description of a cyberattack that included a ransom. At the direction of the insurance carrier, the City did not disclose the amount of ransom paid.