To defend cities from cyberattack, think like a hacker

April 6, 2018

San Francisco Chronicle

Our cities are under attack. In the past two months, two major cyberattacks have targeted urban critical infrastructure and services. In February, Colorado’s Department of Transportation had to shut down 2,000 employee workstations after an attack. The department website reported issues for more than a week after the attack. In late March, 8,000 city employees in Atlanta resorted to using pen and paper for work after a cyberattack compromised their computers. Both attacks caused havoc.

Public agencies are perfect targets for hackers. Why? Hackers are known for taking the path of least resistance when staging a major attack. Some companies spend millions of dollars a year on security technologies and on hiring difficult-to-find talent in cybersecurity to help defend their networks. Our public systems do not have the financial means to procure such security software or talent. Thus, public agencies become the low-hanging fruit for hackers to target and disrupt. That’s why the Defensive Social Engineering Team at the Massachusetts Institute of Technology is working on developing a toolbox of nontechnical defenses against cyberattacks for cities.

The most prevalent form of attack against public agencies is social engineering. This involves tricking a civil servant into clicking on a link or email attachment that installs malware. Because public agencies do not have the budget to invest in expensive technical security solutions, they should look to the hackers for inspiration and complement technical tools with less expensive social defense tools. My team suggests using defenses called Defensive Social Engineering.

Here’s what happens in a cyberattack.

Ransomware is the malware of choice for hackers against public agencies. Many public agencies post email addresses of department personnel online so the public can contact them. It is not difficult for attackers to quickly collect those addresses and send emails carrying the malicious software, which, when activated, encrypts all the files on the computer and demands a ransom. Until the ransom is paid, the infected system is unusable.

When the Police Department in Swansea, Mass., was hit in 2013 with a ransomware attack, the city decided to pay the $750 ransom so that it would not lose valuable records.

When the Cockrell Hill Police Department in Texas was hit in 2016 with a ransomware attack, the department refused to pay the ransom — and lost eight years’ worth of police evidence that was important for pending court cases.

How do we protect our public agencies from these attacks?

Some organizations focus any and all funding they have on developing a strong backup program. This way, if hackers try to blackmail a city, services can be restored without having to pay the ransom. While backups are essential in these scenarios, it still takes time to bring all the systems back. For example, in 2016, the San Francisco Municipal Transportation Agency was hit by ransomware, and the hackers demanded 100 bitcoin, or about $70,000 at the time. Because of the attack, the agency took the precautionary measure of shutting down all fare payment systems. In doing so, passengers were allowed to use the SFMTA system for free during the downtime, which cost the SFMTA $50,000 in lost fares. The systems were shut down when the ransomware was detected, and three days later the backups were restored. This was a terrific case of cyberresilience by a public agency; however, it clearly takes time for backups to be deployed.

In addition to using backups as technical defenses, one cyberdefense is conducting a misinformation campaign. For example, if a hacker steals your passwords, your organization should issue a press release indicating that the hackers actually stole a decoy data set. This action can devalue the stolen data set. Further, your organization can leak fake passwords that can further confuse hackers about which passwords are valid. These actions will make the stolen information considerably less valuable because buyers of the information on the Dark Web will not know which passwords are authentic.

Another defensive social engineering tool is proactive defensive signaling. A public agency can use this by announcing its policy for dealing with hackers and specific repercussions for potential attacks. For example, a public organization can proactively announce it will not pay ransoms. This could potentially deter a hacker, leaving agencies that do not have a clear payment policy for ransoms as a more inviting target.

Many once thought the only social strategy to defend against cyberattacks was to develop an employee cybersecurity awareness campaign that could help reduce the effectiveness of social engineering attacks. These are useful, but public agencies need to start taking a page out of the hacker playbook and seek less expensive, high-impact strategies to defend their computer networks and systems.

This post originally appeared as an op-ed in the San Francisco Chronicle.