Article Legal Notes by Nora Wetzel

Cyberattacks and Public Agency Response

Nora Wetzel is a partner in the law firm of Burke, Williams & Sorensen, LLP, and can be reached at NWetzel@bwslaw.com.


Cyberattacks and resulting data breaches are a growing threat to cities. In January 2020, the City of Las Vegas experienced a cyberattack when bad actors gained access to the city’s network via a malicious email. Las Vegas had previously taken a public position not to pay a ransom, though it is unclear if this attack involved ransomware. The city reportedly caught the attack early and does not believe any data was lost or taken.[1]

Another city, New Orleans, fell victim to a cyberattack in December 2019. The city detected suspicious activity on its network, investigated the activity, and discovered a ransomware attack affecting roughly 4,000 city computers. The city’s IT Department ordered all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees were told to unplug their devices.[2] New Orleans had cyber insurance and expected it to cover nearly $1 million in costs the city incurred as a result of the attack, though the insurance did not cover the costs of paying a ransom.[3]

In October 2019, a suspected cyberattacker targeted the City of San Marcos in California. The attack affected the city’s email system, leaving employees unable to communicate with some members of the public. Employees discovered the problems, and the city manager confirmed the city was the victim of suspected hacking.[4]

The City of Baltimore was attacked in May 2019 by ransomware known as “RobinHood.” Some experts said the attack involved a tool developed by the National Security Agency.[5] The attack locked the city out of its computer servers and demanded ransom. Officials said the attack cost the city more than $18 million.

In summer 2019, hackers infiltrated 22 Texas cities’ computer systems and demanded a ransom.[6] The mayor of one of those cities said the attackers asked for $2.5 million in ransom to restore their systems. The Texas Department of Information Resources said that the evidence pointed to a single threat actor. A representative for the department reported that he was “not aware” of any of the cities having paid the ransom sought by hackers and disclosed that the affected locales were mostly rural.

These attacks on the cities of Las Vegas, New Orleans, San Marcos, and Baltimore, and the coordinated attack on 22 cities in Texas, are just a sampling of the numerous attacks on cities in recent years.

Types of Cyberattacks

A cyberattack is an attack launched from one or more computers against another computer, multiple computers, or networks. There are many types of cyberattacks, but the following techniques are commonly used to infect victims with ransomware, one of the most prevalent kinds of attacks on cities.

Email phishing campaigns. The cyberattacker sends an email containing a malicious file or link, which deploys malware when a recipient clicks on it.

Remote Desktop Protocol (RDP) attacks. RDP allows individuals to control the resources and data of a computer through the internet. Once they have RDP access, criminals can deploy a range of malware — including ransomware — to targeted systems.

Software attacks. Cybercriminals take advantage of security weaknesses in widely used software programs to gain control of targeted systems and deploy ransomware.

These attacks can cause significant financial harm to victims. A recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center[7] found that in 2019, cyberattacks cost victims $3.5 billion in losses. While phishing was the most effective method of cyberattacks in 2019 measured by the number of victims, the highest financial losses were caused by compromised business email (referred to in the industry as “business email compromise”).

Notably, California was the state with the most victims and highest financial losses caused by cyberattacks; thus, it is particularly important for cities in California to be on alert.

Unsurprisingly, cyberattackers increasingly target mobile devices. Ransomware can infect mobile devices just like it can infect workstations and laptops.

Cybersecurity Best Practices

The FBI outlines a number of best practices for cybersecurity, including:

  • Regularly back up data and verify its integrity. Ensure that backups are not connected to the computers and networks they are backing up; for example, physically store them offline. Backups are critical in fighting ransomware; if your city is infected, backups may be the best way to recover its data.
  • Focus on awareness and training. Because end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered and trained on information security principles and techniques.
  • Ensure that patches for the operating system, software, and firmware are continually updated on all devices.
  • Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • Ensure that anti-virus and anti-malware solutions are set to update automatically and that regular scans are conducted.
  • Categorize data based on its organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive data should not reside on the same server and network segment as an organization’s email environment.

The FBI also provides these specific recommendations to protect against business email compromise attacks:

  • Employees should be educated about and alert to this type of scheme. Tools that can be deployed to train employees include webinars, in-person presentations, phishing exercises, and more.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or personal identifying information in response to any emails.
  • Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patches on all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
  • Ensure that the settings on employee computers are enabled to allow full email extensions to be viewed.
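
Several of these checks (the URL matching the business it claims to be from, misspelled domain names in hyperlinks, and the sender's full address) can be automated by a mail filter or a help-desk triage script. The sketch below is an added illustration, not FBI or city code; the trusted-domain list, the two-edit threshold, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the city actually does business with (constructed values).
TRUSTED = ("examplecity.gov", "examplebank.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return 'trusted', 'lookalike of <real domain>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Last two labels approximate the registered domain (no public-suffix list).
    registered = ".".join(domain.split(".")[-2:])
    for t in TRUSTED:
        if t in domain or edit_distance(registered, t) <= 2:
            return "lookalike of " + t
    return "unknown"

def review(raw):
    """Return (kind, domain, verdict) for every untrusted sender or link domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    seen = [("sender", sender.rpartition("@")[2])]
    for url in re.findall(r"https?://[^\s<>\"]+", msg.get_payload()):
        seen.append(("link", urlparse(url).hostname or ""))
    return [(k, d, classify(d)) for k, d in seen if classify(d) != "trusted"]

# Constructed sample message, not taken from any real incident.
SAMPLE = """\
From: "Example Bank Payments" <billing@examp1ebank.com>
To: finance@examplecity.gov
Subject: Updated account details

Please confirm the new account at https://examplebank.com.secure-login.example/update
or see https://www.examplebank.com/help
"""
```

Calling `review(SAMPLE)` flags the sender domain, which swaps the letter "l" for the digit "1", and the first link, which places the bank's real name in front of an unrelated domain; the genuine `www.examplebank.com` link passes.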

Responding to a Cyberattack

When a cyberattack against a city occurs, the city typically engages in a phased response, which includes investigation, containment, remediation, and notification, if appropriate. Although every incident and organization’s response will be unique, some broad considerations for reacting to cyber incidents are offered here.

Before a cyberattack occurs, cities should have clear instructions for staff and vendors about what qualifies as a security incident, whom to notify, how to notify, and timing for notification. This can be accomplished in an incident response plan or other written policies. After a qualifying security incident occurs, the city should implement the incident response plan or other written policies as designed. Every city should consider obtaining or purchasing cyber insurance. Upon detecting a qualifying cyber incident, a city that has cyber insurance should notify its cyber insurer immediately, so the city can access the coverage and resources available under its insurance plan.

The city must then investigate and contain the incident. Investigation largely falls to the city’s IT Department or an outside forensic investigator. Documenting the investigation and everything that follows, including remediation and notification efforts, helps to preserve a record of what occurred. Obtaining legal counsel right away may offer the best chances of preserving attorney-client privilege or attorney work-product doctrine over communications and other materials related to the cyberattack.

For remediation, the goal is to restore the city to its normal functioning. When a ransomware attack occurs, the best method of restoration — if the city has implemented best practices and has backups — is to restore the city system to normal functioning from the backups. Such backups can help protect the city from having to pay a ransom to get its files back.

If a cyberattack affects personal information such that it qualifies as a data breach under applicable law, there may also be a requirement to notify affected individuals, the offices of the attorneys general, the U.S. Department of Health and Human Services Office for Civil Rights, credit agencies, or other agencies. For notification concerns, rely on your attorney’s advice on whether a data breach has occurred under applicable law and then proceed with notification as appropriate.

Conclusion

As with other emergencies and crises that affect cities, taking proactive steps is the key to preventing or recovering from a cyberattack. Cities wishing to avoid costly cyberattacks should implement preventive measures with an emphasis on best practices and employee education, purchase cyber insurance, and ensure that an incident response plan and other written policies related to such attacks are in place.



About Legal Notes

This column is provided as general information and not as legal advice. The law is constantly evolving, and attorneys can and do disagree about what the law requires. Local agencies interested in determining how the law applies in a particular situation should consult their local agency attorneys.


Footnotes

[1] “Las Vegas Suffers Cyber Attack,” Sarah Coble, Jan. 8, 2020, https://www.infosecurity-magazine.com/news/las-vegas-suffers-cyber-attack/

[2] “New Orleans Declares State of Emergency Following Cyber Attack,” Davey Winder, Dec. 14, 2019, https://www.forbes.com/sites/daveywinder/2019/12/14/new-orleans-declares-state-of-emergency-following-cyber-attack/#2c01a6a36a05

[3] “New Orleans cyberattack costing the city close to $1 M so far,” Charles Watson, Dec. 18, 2019, https://www.foxnews.com/tech/new-orleans-cyberattack-costing-city-close-to-1m

[4] “Cyber Attack Shuts Down Email System Used by San Marcos City Employees,” Oct. 29, 2019, https://www.nbcsandiego.com/news/local/san-marcos-city-hall-computer-system-email-hack-cyber-attack-emergency-services/2060733/

[5] “Hack that cost Baltimore $18M a mystery after experts eye NSA link,” Daniel Uria, Jun. 10, 2019, https://www.upi.com/Top_News/US/2019/06/10/Hack-that-cost-Baltimore-18M-a-mystery-after-experts-eye-NSA-link/7961559775882/

[6] “22 Texas Towns Hit with Ransomware Attack in ‘New Front’ of Cyberassault,” Bobby Allyn, Aug. 20, 2019, https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault

[7] FBI 2019 Internet Crime Report, available at https://pdf.ic3.gov/2019_IC3Report.pdf