Cyber Criminals Put Cities In Crosshairs
Server rooms are boring. Stacks of computers with blinking lights. Cords in red, yellow, black and blue held together with zip ties. They're chilly from the extra air conditioning that keeps them cool.
In Cary's town hall, the server room is deep inside a building under constant lock. Town Information Technology Security Manager Erik Chapman had to swipe his badge and enter a number code to get in. The whirring sound of dozens of computers running at the same time rushed out of the door as it opened.
While these servers might seem nondescript, they house all the valuable data for the town. Permits, maps, zoning, and more. All that data lives on these servers. And to function properly, that data needs to be secure.
"These smaller towns are these soft targets," said Chapman. "They're easier to go at and they have a higher chance of success."
That means he needs to stay on his toes.
"It is a cat-and-mouse game on a daily basis, and as the attackers are constantly shifting their focuses, we have to shift our focus, and we always have to try to stay one step ahead of them," he said.
The threat isn't just theoretical. Last year, cybercriminals hacked into Atlanta's servers. And while that was maybe the most high profile city to fall prey, it's far from the only one. Of the 70 large ransomware attacks in the first half of this year, 50 targeted cities, according to a recent report by cybersecurity firm Barracuda.
"Criminals like to hit local governments for the same reason that lawyers tend to like to sue them," said Peter McClelland, a data security and privacy attorney. "They have a lot of revenue, even the small towns. They're not going anywhere. And oftentimes they want to make the problem go away."
As with other kinds of crimes, the end goal is almost always money. After all, what's a criminal going to do with zoning permits from Fuqua-Varina? To squeeze money from a town, cyber criminals encrypt data and demand a ransom – usually in Bitcoin – to set that data free.
"We are considered low hanging fruit," said Maria Thompson, North Carolina's chief risk officer. "We are under-resourced. We are not a Fortune 100 company that has a bottomless pit of money to throw at a situation. And so (cyber criminals) look to compromise us in that way. Our data is ripe for the picking. I hate to say that, but that's what it is."
When a ransomware attack does come, Thompson said it's important not to panic.
"We definitely encourage not to pay the ransomware, because obviously that monetizes the malicious aspect of the attacks. And we don't want to feed the machine."
But as McClelland notes, that's easier to say when it's not your data that's been encrypted.
"Game theory kind of helps us with this," he said. "Everyone is better off if no one pays the ransom. But for the one person in that one moment, their short-term interest is to pay the ransom, and get their data back."
If you show you are willing to pay, word gets around. "If you don't shore up your systems, and they know you are going to pay, you have painted a target on your back," said McClelland.
That's why experts say it's important to not only have good safety measures in place, but also to back up all data - including in a way that's offline. But that can be expensive. Cary has invested hundreds of thousands of dollars into protections and added staff to the effort. Raleigh has spent more than $1.3 million in the past five years. Most towns in Wake County and elsewhere have cyber insurance to cover the cost of restoring systems in the event of a breach.
"Spend the money now," said Thompson. "Spend the money now to make sure that you have that resiliency in your environment so that you are not as susceptible to a ransom attack."
Thompson added that cities and counties should know the state is a resource. And that includes a partnership with the National Guard, which also has resources to help.
Maybe most importantly, experts say it's on workers to stay vigilant as well. They say to look out for threatening messages, and not to click links or download attachments from phishing or other suspicious emails.