Scott Summerfield is a principal of California-based SAE Communications and can be reached at scott@saecommunications.com.

California is in the midst of one of its most crisis-filled periods on record, and it seems as if we’re perpetually managing fires, mudslides, drought and more — at the same time we’re focused on community resiliency. But one crisis of confidence lurks within every city and has the potential to cripple operations and destroy public trust: a cyberattack.

What Can Go Wrong

Local agencies are a favorite target because they often haven’t created safeguards. Think about what can happen if a cyberattacker seizes control of your data and your systems, whether it is the theft and public release of information or a ransomware hostage situation. Resident/customer information, billing and payment systems, 911 dispatch, human resources and payroll records, legal documents, traffic controls and countless other systems and services can go offline or become inaccessible in an instant.

Your city’s network and systems are only as strong as their users, and most attacks are the result of staff members inadvertently clicking on a dangerous email rather than organized internal or external system breaches. Suddenly your most sensitive information is open to the world, with your internal and external stakeholders blaming you for allowing it to happen.

How much risk is involved? Statistics for 2018 tell the story:

• $8 billion in damages caused by ransomware globally;
• 5 billion online records leaked or stolen; and
• $8 million — the average cost of a data breach in the United States.

The risk is clear. The task for council members and staff leadership is to reduce that risk through strategic planning and effective communication.

I recently attended an IBM Security Cyber Range simulation in a Cambridge, Massachusetts, facility designed specifically to help organizations recognize what happens when cyberattackers strike. A small group representing some of the world’s largest financial and insurance services companies experienced how a cyberattack unfolds and how to manage organizational and media responses. Using a broadcast TV studio, a social media simulation platform and other eye-opening resources, IBM’s experts stressed that we must consider our actions to be a business response tied to a security culture, not a technology response. And leadership is a vital part of keeping our businesses — our cities — operating in the wake of an attack while every aspect of our organization is scrutinized.

Communication is at the top of a successful cyberattack response along with a clear pre-crisis understanding of all city database vulnerabilities, and city leaders and communicators are just as important as those who investigate what happened and restore services. Cybersecurity experts consistently note three inviolable communications guidelines:

• Openness with those affected;
• Transparency in explaining what happened; and
• Honesty about the attack’s scope.

Those tenets are frequently missing from cyberattack responses, and bad situations are made worse by a communications vacuum, rumor, innuendo and fear.

Your stakeholders will express a range of feelings including outrage, disappointment, worry and confusion. They will ask pointed questions. How did you let this happen? Are my kids safe? Is my credit impacted? How are you going to get services restarted? When will things be back to normal?

Lessons Learned From Atlanta

The City of Atlanta faced about $20 million in recovery costs from a ransomware attack in 2018, which shut down most of its operations for two weeks. Considering the attackers’ first ransom request was for about $50,000 and the city had warnings for several months before the attack, much can be learned from how this crisis was handled and how it could have been prevented.

Analysis of the Atlanta case reveals several important considerations for city leaders who may someday face their own version of this nightmare.

Risk Builds Over Many Years. An independent auditor warned city officials eight years before the attack that the city had insufficient funding for business continuity and disaster recovery plans. Attackers often have access to systems for several months before taking action.

It Won’t End Soon. Several months after the initial attack, more than a third of the city’s software programs were still offline or partially disabled, and nearly a third of those were considered “mission critical.”

Finger-Pointing Will Linger. City officials continue to blame each other for the attack, undermining public confidence in city operations. Pundits throughout your community will also second-guess your security measures and response efforts.

Paying Ransom Is a Tough Call. It’s easy to question the city’s decision not to pay ransom (especially given the relatively small initial request versus the amount spent on recovery), but refusing to give in to criminals is an understandable reaction.

Contact With Hackers Can End Quickly. After law enforcement agencies get involved, criminals may abandon their ransom request in an attempt to elude identification and capture. This leaves the city with no choice but to rebuild its systems from backups — if they exist.

Explaining “What Happened” May Be Difficult. Investigating agencies may limit communication about the cause, especially if known international hackers are suspects. This information void feeds the rumor mill and impedes the city’s ability to fully inform its stakeholders.

10 Steps to Help Your City Prepare for and Respond to an Attack

Consider these steps when developing your city’s plan.

1. Know Your Exposure. Meet with your information management staff and department heads for an in-depth and brutally honest discussion about your city’s cyberattack vulnerabilities.
2. Be a “Nudge.” Communication is one of the most important elements of a viable cyberattack response. As a city leader (whether elected, appointed or staff), your input must be part of the response, even if it means sometimes being a pest. Continually ask tough questions about the attack’s scope and recovery progress.
3. Help Prevent an Attack. Craft an educational program for staff centered on spotting phishing and other attack triggers in personal email accounts; this behavior will carry into the workplace.
4. Highlight the Risk. Ensure that staff understands the potential damage to your city and those you serve, the costs of data recovery and the damage to your credibility when information is stolen or held hostage.
5. Focus on New Hires. Include cybersecurity in orientation materials and briefings, and emphasize your city’s commitment to protecting its information.
6. Plan Your Response. Make sure your emergency response and crisis communications plans include cyberattack, and don’t forget about your staff, who will be affected in many ways.
7. Identify Your Team. Chaos will likely ensue if your city is attacked, and you’ll need to immediately gather your designated crisis response team, including your local FBI, Department of Homeland Security, Secret Service and other partner agency contacts. Pull your team together and build relationships now, as you won’t have time when the attack occurs.
8. Anticipate Outrage. Your stakeholders will be angry and confused, and communicating with heartfelt empathy will help you tell your city’s response story more effectively.
9. Prepare for Questions. Though each attack is different, you can begin drafting your answers to questions you’re most likely to be asked by your stakeholders and the media and modify your responses as necessary during the crisis. Identify your attack-related spokesperson and train them for a high-visibility response.
10. Create Response Documents. Develop cyberattack statements, social media posts prepared in advance, news releases and staff communication scripts that are written in plain language and can be deployed quickly.

Tell your resiliency story whenever possible. Our stakeholders expect us to anticipate bad things, and we can increase confidence by noting our challenges, highlighting what we’re doing to keep information safe and committing to honesty when something happens. City officials can use a variety of tools to build confidence, such as scheduling a policy leader update, holding community and staff forums, spurring an online discussion and pitching a media story. The more we focus on cybersecurity, the less likely we are to become victims.

Good planning is the foundation for a well-developed response. With a bit of effort — and a deep understanding of our vulnerabilities — we can take the necessary steps to keep our cities safer when data thieves pay us an unwanted visit.

Photo Credit: Xijian (Man on computer); iLexx (Hand); Henrik5000 (Lock).

This article appears in the June 2019 issue of Western City

Did you like what you read here? Subscribe to Western City