Reducing or eliminating the chance of another cyber attack on the city of Pensacola is contained in a new report from the firm charged with getting to the bottom of the December invasion.
You could call the attack on the city’s computer systems on December 7 a sort of high-tech Pearl Harbor. City phones, 311 customer service and some online payments were hit by ransomware -- which takes computer data “hostage” with the hackers demanding payment to release it.
Speaking in December, Mayor Grover Robinson said no such payment would be made – and none was made. He added that they were looking into extra protection for the system.
“We have hired an outside firm to come in and audit what we have and where we go from here,” said the mayor. “We’ve been approached about it a couple of weeks ago and obviously we had this issue. Whether we had the attack or not, they were looking into cyber insurance; now that we’ve had the attack, it will definitely be at the top of the list.”
The city hired Deloitte & Touche to assess the incident and provide observations and recommendations to mitigate the risk of further cyberattacks. Kaycee Lagarde, the city’s public information officer, says that assessment is complete.
“We already had multiple layers of security on the network,” said Lagarde. “In working with Deloitte on this report, they also assisted us as they were doing this assessment; they helped us with kind of cleaning up the network and taking steps to remove any potential risk factors.”
An executive summary released to the public lists strengths -- such as backups for major systems -- that were readily available following the attack; and proactive communication with the public.
“They gave us some credit for that; rather than pretending like it wasn’t happening we acknowledged it and we got as much information out to the public as we could,” said Lagarde. “Of course, there’s always room for improvement; but there are some things that I think we did well. And then, of course, there are things that we can learn from moving forward.”
Areas that need work, according to the report, include developing a more robust Incident Response plan and regular security inspections. Much of the report will remain in-house; the thinking is don’t give hackers a blueprint for another cyberattack.
“So now we’re just working on building on that and further securing our network,” Lagarde said. “I don’t want to seem like we’re starting at square one with this assessment we just received. These steps have been taken already and they’re kind of ongoing.”
“One challenge is that, as organizations and cities continue to expand their cyber defenses, the cyber-criminals are also increasing and advancing their attack scenarios,” said Eman El-Sheikh, director of the Center for Cybersecurity and professor of computer science at the University of West Florida, which provided assistance to the city.
She says municipalities must ensure that “layered security” -- multiple procedures and defenses – can combat the two most common forms of online attacks at the very least.
“Phishing attacks – where attackers send email that poses as a legitimate contact; they can install malware or viruses, or penetrate into other systems, El-Sheikh said. “The other is ransomware. Criminals disable the organization from gaining access, and often demand a ransom.”
Another must-do, says El-Sheikh, is training everyone in an organization – from the boardroom to the mail room – in cyber-awareness.
“Anybody who has access to a system, a network or a facility, can pose a risk,” said El-Sheikh. “And what we’ve seen was a very large phishing attack [in which] they started with somebody inadvertently clicking a link on an email that then gave the cyber-criminals access to the system.”
One recommendation from Deloitte and Touche is for the city to have a staff member dedicated to cybersecurity. Lagarde says that’s in the works.
“We actually are advertising right now an Innovation and Technology Director,” Lagarde said. “We anticipate that they will be responsible for hiring that security officer to focus on network security specifically. Because right now, that’s kind of a shared responsibility in our Tech Resources Department.”
Meanwhile, about 57,000 Pensacola residents who may have been affected by the hack are being offered a subscription to cybersecurity service LifeLock.
“If you’ve received a letter in the mail, you are being offered the LifeLock service for one year; there are instructions in that letter on how to sign up,” said Lagarde. “I believe they have until the end of April; so, if somebody did receive that letter and they haven’t signed up yet, it’s better to do that sooner rather than later.”
The cyberattack on Pensacola city government remains under investigation by a number of law enforcement agencies, including the FBI and Pensacola Police. It came during cyberattacks over the past year in Baltimore and Atlanta; about two dozen small towns in Texas, and multiple state agencies in Louisiana.