Edmonton Journal

Report on city cyber-attack response kept private

Confidential report assessed how well city can respond to hacking attacks

ATLANTA GETS HIT

ELISE STOLTE estolte@postmedia.com twitter.com/estolte

City governments are right now some of the best, most lucrative targets for cyber attacks, say experts, but Edmonton is not saying if it’s prepared.

The city auditor released an assessment this week of how well the city could recover if its information technology resources were taken out by a flood, fire or deliberate hacking attack.

But don’t look for it online. The report is confidential. It will be debated in private next Wednesday — with city officials arguing disclosure would be harmful to law enforcement, reveal advice from officials and hurt the economic and other interests of Edmonton.

“Municipal governments have the largest attack surface of any government,” said David Shipley, head of Beauceron Security and formerly with the University of New Brunswick.

They also provide services that are critical to residents every day — services that involve water, safety and transportation, said Shipley, reached by phone to comment on Edmonton’s situation.

If hackers can disrupt those critical services, they have leverage to extract payment.

City auditor David Wiun said no specific incident prompted this audit.

But “it’s high risk for any organization.”

This audit focuses on recovery after an attack. He did a previous audit on how well the city is working to prevent one, and will re-audit administration on that question shortly.

Cities and institutions across North America have been struggling with this. Several rural municipalities in Alberta lost property tax records, said Shipley, and the University of Calgary paid out $20,000 in ransom in 2016.

Larger cities are also suffering. On March 22, Atlanta lost access to city files, found itself locked out of access to online services and unable to process court cases or warrants.

Emergency services, including 911, were unaffected, but court dates had to be rescheduled and citizens couldn’t pay parking tickets or water bills.

Hackers were asking for a $51,000 payment in the cryptocurrency Bitcoin to restore access.

Officials spent weeks trying to restore services and have not said whether they paid the ransom.

CITIES EASY TARGETS

Cities are a soft target because the budget for prevention is often small, and they are increasingly digitizing services, said Shipley.

Dozens of cities and organizations have been affected, and those are only the ones that publicly admitted to it. Hackers can often get $20,000 to $50,000 from the organization for something that amounts to less than a week of work for the attacker.

But the damage they cause is worth hundreds of thousands of dollars to the municipality, said Shipley, comparing it to someone who smashes a car window to grab valuables.

They’re attacking from outside the country, often from countries where Canada does not have extradition treaties. They often hack into a system and block access to data and services. Recently, they’ve also started to go into systems and change data, waiting until the organization has backed up its information several times before letting anyone know the data is now unreliable.

They’ll only tell the organization which backup is still accurate after they get a ransom.

IS EDMONTON PREPARED?

Shipley said citizens are right to ask if their government is investing in protection, and also how they would recover from an attack, because no city is 100 per cent protected. To hold officials accountable, cities could report how often employees are trained in security, and how many small-scale breaches happen every year.

“They’re out-gunned,” said Shipley. “It’s just a numbers game ... We’re getting attacked more and more. That’s important for people to know.”

Mayor Don Iveson said council’s audit committee will review the report Wednesday and see if any of it can be released to the public. But if not, “it’s ultimately for council to hold administration accountable.”

Cyber security expert David Shipley says municipal governments have the largest attack surface of any government.