As so-called “smart cities” across the U.S. explore opportunities to deliver more services over the internet, they also expose city infrastructure to cybersecurity threats – and San Antonio is no exception, local experts say.
“Cities are getting more high-tech. … They’re connecting things to the internet that used to not be connected, and that’s increasing the local service these cities can give their people,” said Chris Gerritz, chief product officer at Infocyte, a San Antonio-based cybersecurity company. “But at the same time it’s actually a sore spot when you look at security.”
Two U.S. cities experienced major breaches of their governments’ information systems in recent months. In March, the City of Atlanta became the target of a ransomware attack. The malicious software held the city’s online bill payment system ransom for $51,000 in bitcoin, a virtual currency that masks the recipient’s identity, and the breach cost the city more than $2 million to assess damage and shore up defenses. Later that month, the City of Baltimore’s 311 and 911 dispatch systems were shut down for 17 hours due to a malicious attack, forcing local law enforcement to respond to emergency calls manually.
While Craig Hopkins, the City of San Antonio’s chief information officer, called cybersecurity a top priority for his department, he declined to comment on details of the City’s cybersecurity preparedness, citing security concerns.
“The City continually increases its commitment to funding security, which includes data, physical and cyber,” Hopkins said, “but at the end of the day, we’re still a municipal government and there’s only so much funding available to us.”
The City of San Antonio spent $167,303 in 2017 and 2018 combined for information technology “security products and services,” according to the Texas Department of Information Resources.
Cases where hackers target specific government systems are rare, said Red Thomas, CEO of San Antonio cybersecurity firm RedKnight.
“I don’t know that I would really consider the typical problems cities face as hacks,” Thomas said. “Most up to this point have been the result of ransomware attacks that exploited the most vulnerable part of any security system – people.”
An employee that clicks on a phishing email or visits a corrupted website may create opportunities for hackers to exploit connected computer systems, Thomas said.
Last month, the University of Maryland in partnership with the International City/ County Management Association published what it called the first U.S. survey of local governments’ cybersecurity preparedness. The study surveyed more than 3,000 municipal and county governments with populations of 25,000 or more, and found governments to be largely underprepared for cybersecurity threats.
In the study, almost 30 percent of local government officials said they experience cybersecurity attacks hourly. An additional 20 percent said they are attacked at least once a day, and 30 percent said they did not know if they were being attacked.
The majority of respondents, 58 percent, said they do not know who is tampering with their systems. In general, respondents said they keep track of serious incidents or breaches, but do not typically document attacks.
How city government is structured and lack of support from higher-ranking officials for cybersecurity initiatives are barriers cities face seeking to improve their cybersecurity strategy, the study found. Respondents cited lack of support from department management (61 percent), lack of support from top appointed officials (62 percent), and the federated structure of city agencies (55 percent) as reasons why they were underprepared for potential attacks.
In San Antonio, City leaders express support for staunch cybersecurity measures, but the City’s processes for purchasing updated technology and personnel have not yet caught up with industry standards, Gerritz said, which makes it harder for startups and local companies to compete for City business.
Red tape, Gerritz said, is the biggest barrier for firms like his to be able to win cybersecurity contracts with the City.
“We’ve had several conversations [with the City], and there’s a desire for the security team at the City to do work with us … but we’ve seen incredible friction on actually getting there,” he said.
If the City could offer shorter contracts for smaller projects, that would give startups an opportunity to provide technology solutions, Hopkins said, and it would give his department a chance to test new technology before committing to a multi-year contract. Hopkins said the City’s Office of Innovation is rethinking how local government works with startup companies in particular.
“Everything doesn’t need to be a big multi-year project,” Hopkins said. “It’s not about any one company, it’s about how we can be more flexible and agile with any company.”
But cities that have plans in place to recover compromised systems after an attack won’t need to pay large fees to consultants after the fact, Thomas said.
“If you have a good recovery plan, you don’t need to pay anyone anything,” he said. “I don’t know that governments spend much time preparing, and that’s part of the problem.”