With most city staffs now teleworking, governments are even more vulnerable to these costs and risks due to the sheer number of remote devices in use, the lack of a unified network and the need to protect all systems the same time, said Michael Lake, president and CEO of the nonprofit Leading Cities.
“Every single laptop or home internet network or whatnot that is going to be utilized during this period of time is just one more additional point of vulnerability for any city,” Lake told Smart Cities Dive, noting it’s difficult to quickly build out the necessary security infrastructure that may had been neglected up until now. Cities may also find it hard to justify a significant investment in cybersecurity right now — especially if they don’t currently have staff with expertise in that area.
“There is no chief information security officer for a town of 25,000. It just doesn’t exist,” Thad Eidman, COO at security platform provider Acreto, told Smart Cities Dive. “They have probably a director of IT or a vice president of IT and a couple of network people … but that’s about it. They don’t have a staff of 200 cybersecurity professionals running all kinds of products.”
While cities must be careful of their own systems’ vulnerabilities, they must also be wary of vulnerabilities that could be present in the systems of third-party vendors or contractors. Those vendors could handle all manner of payments, data and other vital information, so it’s crucial for cities to understand how they protect themselves, according to cybersecurity experts.
However, as private companies and big vendors are more likely have their own IT and cybersecurity staff, it can be tough for a city to police and implement security protocols.
“It could be an internal user putting a thumb drive in, but then the vendor’s system gets rolled, in part because you have this ambiguous responsibility and ownership,” Mike Duffy, founder and CEO of digital service platform CityBase told Smart Cities Dive in an interview last year. “You don’t have unfettered access either way.”
Some cities have distributed virtual private networks (VPNs) to employees to enhance the security of their remote work, but Eidman warned those could be vulnerable to hacking. VPNs extend a private network across a public one to allow employees to access data and other information that may only be available at city hall, but they come with their own risks.
“If you go to the airport and you try to board a flight, the first thing that happens is you have to go to the checkpoint where they check your license and your ticket,” Eidman said. “That’s really identity [like a VPN]. But that is not security. The next thing that happens is you have to put your bag through a scan, where they look for all the bad stuff. That’s not what a VPN does. A VPN does not look at the content of the message.”
Other security systems can be complex or take a long time to set up, said Nathan Pawl, president of network security firm Blacksands, and the associated costs might make cities question whether to proceed at all. Simpler solutions that take a matter of hours or days to set up are much more ideal, he said.
“Traditional technologies out there, for every single new connection, is a two to three-month process at minimum [to enable a security system] with a full project IT team,” Pawl told Smart Cities Dive. “You can imagine you may have hundreds or thousands of these individuals who are trying to get connected in a secure way. It’s just not feasible.”
But not all hope is lost. Many cloud-based services and products have proven beneficial for cities going virtual due to their built-in security measures, Andrew D’Ottavio, director of customer success at Accela, told Smart Cities Dive. Accela recently unveiled a suite of tools to help governments maintain “normal” operations through online resident services, virtual inspections and help with permitting.
“Just access to information or data within the product, because it’s a platform, is very controlled, so we can get very granular within the product as well, not just the technology and the hosting security requirements,” D’Ottavio said. “It’s got multiple layers.”
Meanwhile, Duffy said Amazon Web Services (AWS), which has a global security infrastructure and data centers that allow professionals to monitor traffic and any suspicious activity, should be a go-to for cities.
“Your security defenses are only as good as the number of attacks that you observe,” Duffy said. “When you have your own infrastructure and have co-located your own data center, you’re only seeing your own attacks. When you’re using some of the resources of an Amazon, for example, together we’re seeing globally all the attempts that are happening across their infrastructure, so we have more perfect information in the sense that it’s coming faster to us.”
There is evidence that communicating the importance of cybersecurity has not been top of mind in some cities. During the 2018 Smart Cities New York conference, Atlanta Mayor Keisha Lance Bottoms said the March 2018 cyberattack on the city came as a “surprise” to city staff and residents, as cybersecurity was initially “not a topic of conversation.”
Some cities have since learned from these mistakes and were proactive in telling employees how to stay safe online during the pandemic, especially when handling city data on municipal equipment. For instance, the City of Mesa, AZ provided employees with tips on security “beyond the office,” with hints on creating strong passwords, using active antivirus software and using secure Wi-Fi networks.
Clear communication in this area is key, though it can be hard to incentivize employees to change behavior, Lake said.
“Frankly, the reality is there’s nothing that will teach you faster than being a victim yourself,” Lake said, noting the “next best thing” is to be vigilant in communication and in informing employees when they take actions that are unsafe.
In cities that haven’t yet practiced or allowed remote work, these can be especially challenging times, D’Ottavio warned. He said the workforce will need to be educated on all the necessary protocols, be set up with new equipment and have supervisors ensure meetings carry on as normal, albeit over video.
Showing employees the economic losses a city government must endure when it’s hacked could be another way to adhere strong cybersecurity practices, Eidman said.
“I think a lot of times, what we see is that some directive or instructions or orders or whatever will come down from on top that say, ‘Hey, don’t do this, don’t do this, these are bad things,'” Eidman said. “I think there’s less time being spent on, why is this important? What happens if we have a breach and how does that impact not only the city but the trust with our community?”
To keep up with all of our coverage on how the new coronavirus is impacting U.S. cities, visit our daily tracker.