Introduction
In March of 2018, several agencies in Atlanta were forced to convert to paper as ransomware encrypted their computer systems. Ultimately, this malicious cyber event will cost the city over $17 million1 to recover data, upgrade, and improve its systems and processes.
During the course of the incident and in its aftermath, Atlanta reached out to its public and private partners for assistance. Working together with technology experts employed by the city, they have helped get systems back online, protected others from susceptibility to similar failures, and made improvements that will increase security going forward.
Fortunately, the services impacted by the ransomware attack in Atlanta, while integral to a high functioning local government, were not critical in terms of life and death to its citizenry. There have been other cases, however, such as an infection in the Baltimore 911 system that occurred the same week as the Atlanta incident, that might have affected citizens’ basic safety. City governments and their affiliated agencies serve to ensure that all residents have clean water, emergency services, education, trash collection, and many other public works functions. If these municipal service systems go down, the security and, potentially, the very survival of residents would be in jeopardy.
Cities and other local governments are the core service providers for citizens and businesses. Ensuring the security of municipal systems is essential to ensuring basic safety, quality of life, and economic prosperity. Increasing digitization means some city services are now managed and/or delivered using technology. In the past, cities have established relationships with public and private-sector partners to prepare for and respond to catastrophic events such as natural disasters or terrorist attacks, both of which can threaten the viability of normal operations and the security of the community.
Ensuring the security of municipal systems is essential to ensuring basic safety, quality of life, and economic prosperity.
At this juncture, however, efforts to build similar partnerships to respond to cyberattacks are still early stage in most jurisdictions, leaving cities around the country significantly less than well protected. This paper highlights ways in which cities are currently working with their federal and state partners, private sector companies, and nonprofit agencies and foundations to improve their cybersecurity and resiliency efforts.
We will also seek to provide recommendations to cities and their partners on additional opportunities and policy changes that would increase the propensity, efficiency, and effectiveness of such cyber-partnerships going forward. While we focus on the American system of government, such lessons can be situationally applied to municipalities and provinces around the world.
Cities, whether in the United States or elsewhere, are incredibly diverse. This report is designed to address the needs of a range of municipalities; further, we will call out certain initiatives that may be more appropriate for cities of one size or another. The case studies will necessarily focus on larger cities, since it is those cities that so-far have had the most established and mature programs.
Still, cities with smaller populations, towns, or counties, can utilize the lessons learned in this paper and aim towards a more secure digital operation. All cities have the responsibility to provide reliable services to their residents, so the core mission remains the same. Add to that the idea that cities have a responsibility for the safety of their citizens2—online or not—and the cybersecurity mandate for cities grows greatly. Local governments, large or small, need assistance from their partners to fulfill that mission. In doing so, cities can also provide value in return, raising the overall security of the ecosystem in a way that should not be overlooked.
As former New York City mayor and civic issue philanthropist Michael Bloomberg has stated,
“Virtually all of society’s problems are problems that both originate in the cities and are being solved there…There are some things that can only be decided on the federal or state level—starting wars for example—but generally speaking, both the problems and the solutions are located in the cities… So finding solutions to these problems in one city will enable us to test them in other cities that experience similar problems.”3
Bloomberg, and other civic officials often expound that cities are the perfect laboratories for developing and refining solutions to critical and universal civic problems. Cybersecurity is and will remain an issue that impacts every citizen and business; cities and other local governments will be the key players in addressing the challenge of securing the digital world and ensuring the continuity of critical services.
Citations
- Olenick, Doug. "Atlanta Ransomware Recovery Cost Now at $17 Million, Reports Say." SC Magazine. August 06, 2018. source.
- Farrell, Mark. "Mayor's 2018-2019 & 2019-2020 Proposed Budget." City & County of San Francisco, CA. June 01, 2018. source; McKeon, Amanda. "NYC CISO Geoff Brown on Public Privacy and Security." Recorded Future. April 30, 2018. source.
- Tholl, Max. "Michael Bloomberg: ‘People Care About Services, Not Ideologies’." Huffington Post. June 25, 2014. source.