In the first few months of 2018, nearly every tweet on the Department of Atlanta Information Management’s Twitter account referred to smart cities. The tweets were building up to a smart cities forum, where key players would discuss the city’s forward progress in smart city applications such as smart traffic, smart building & homes, energy management, and wireless networking. The event’s tagline was “Can’t Out-Smart Atlanta”…a tagline that would set up irony for what was to come.
In March 2018, Atlanta fell victim to a massive cyber-attack where ransomware had allowed the unknown culprits to take advantage of vulnerabilities in the city’s IT system. The attack impacted many city programs and services, including bill payments and utility requests. It eventually cost the city $2.7 million, although the final price tag is unknown and estimates as large as $17 million have been suggested.
The Atlanta incident begs the question: are smart cities really smart? Although we equip our cities with technology and experiment with modern solutions, cities and the data they gather are still so vulnerable. Or perhaps cities are simply trying to be too smart? When we think of ‘smart city’ we think of smart applications of technology, while many cities are not taking care of what is already there—the infrastructure that needs millions of dollars of investment to upgrade.
These questions and the Atlanta incident as a whole were contemplated by city leaders at the 2018 Smart City Innovation Accelerator at Toronto. As panel members discussed the cyber-attack and what it means for their own cities, several realizations came to the front.
1. Cities must protect citizen data.
One of the biggest duties modern cities have is to protect the growing amount of data that is coming in. Attackers are seeking to disrupt city services, but they are also looking to get their hands on valuable data that can be used in a multitude of ways. Cities must protect citizen data and also discover beneficial ways in which they can use that data. Meanwhile, cities must be transparent in their communications with citizens, making them aware that when they share and access digital information, there is a risk to their privacy.
2. Cyber-attacks are inevitable.
There is no such thing as a secure system. Even cities that invest the most in cybersecurity and try to do the best to protect themselves from attack are still at risk. What happened in Atlanta is not surprising, and it could very well happen to any city other across the globe. Everyone is vulnerable.
3. Cities must engage in risk management.
Since cities cannot fully protect themselves from cyber-attack, they must make the best of that imperfect world by engaging in risk management. Beginning from the standpoint that cyber-attacks WILL happen, city leaders can branch out to consider how to manage that risk and minimize the aftermath.
4. Cities must practice digital hygiene.
One element of risk management is digital hygiene. Many cities use devices that are not updated to the recommended standard by the software vendor or worse – devices that are so old they cannot be updated. It is reasonable to ask that the public infrastructure is benchmarked to a safe level to ward off lower level attacks and make it easier to react after an attack has happened.
5. Cities must educate employees.
Cities must ensure that the whole organization is risk aware, and to do that, employees must recognize that cybersecurity is everybody’s responsibility. Knowing that breaches will happen, governments should make sure that the organization is resilient and everyone knows what to do when things go wrong so they can bounce back quickly. This means making sure that everyone understands the basics of cyber best practices, knows how their machine works and is clear about what their responsibility is.
6. Containment is a top strategy.
If cyber-attacks are a ‘given,’ then governments must follow best practices in containment in order to limit the impact of the attack. Some containment strategies include multi-factor authorization, LAPS (Local Administration Password Solution), and PAM (Privileged Access Management).
7. Having a recovery strategy is crucial.
When a cyber-attack happens—even if it is contained—cities must be able to recover from the loss and do so quickly. Atlanta was able to deal with what was happening, but it took months to recover, and critical data was lost. Cities must have a strategy for recovery similar to how they have plans to deal with other disasters and emergencies.
8. Cities must manage public expectations.
Citizens have come to believe that cities can protect them 100 percent from cyber-attacks but, unfortunately, this isn’t the case. Cyber-attacks can and will happen, and if they do, the city will need time for recovery. Just like a city couldn’t prevent all damage and lost lives if a strong hurricane struck, there will always be some aftermath associated with a cyber-attack. Cities must manage the expectations of the public while making sure that their recovery is reasonable and appropriate given the circumstances.
9. Cybersecurity should be a priority in the budget.
Another factor that impacts cybersecurity is budget. In Atlanta, before the attack, budgets were consistently cut on major preventative things in the cyber realm, which helped contribute to the vulnerability of the system. All city services need funding, and cybersecurity isn’t tangible like other things like police, fire, and natural disaster recovery, but it still must be made a priority in the budget.
When Atlanta’s computer systems were targeted in March 2018, officials from every other city across the globe sat back and thought, “Are we next?” When contemplating that question, none of them cast it aside, believing that their city has cybersecurity covered so an attack wouldn’t be an issue. Every city official recognized the possibility that a similar attack could happen to them, and if so, how well could they respond to it?
In that way, Atlanta was a global wakeup call. In the timeline of cybersecurity, we can now divide things into “before Atlanta” and “after Atlanta.” City officials have big questions to contemplate in a post-Atlanta world, now with a real-life example that they can point to say, “Look. Here’s what’s going to happen if we don’t take cybersecurity seriously and finally give it the adequate funding and attention it deserves.”