For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.
But now, cities want to join the digital revolution to make life easier for their citizens and save money.
However, as we have seen, that has not always worked out so well.
Atlanta recently was hit by a ransomware attack – just one example out of hundreds. It appears that was facilitated by the city’s choice to not spend money on IT and IT security. Now they are planning on spending about $18 million to fix the mess. Atlanta can afford that; smaller towns cannot.
We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem. In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.
But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site, the city-owned water delivery system stopped working because the control system was hacked and the water was contaminated? Or what if all of the traffic lights went green in all directions? Or red? What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free? You get the general idea.
As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked. Asking a vendor to fill out a form about their security and then checking the box that says it’s secure does not cut it. Failing to test software for security bugs, both before the city buys it and periodically afterward, doesn’t work either. We are already seeing that problem with city web sites that collect credit cards being hacked, costing customers (residents) millions. Not understanding how to configure systems for security and privacy doesn’t cut it either.
Of course the vendors don’t care, because cities are not requiring vendors to warrant that their systems are secure or to provide service level agreements for downtime. I promise that if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million to deal with it, then the vendor gets to pay for that, vendors will change their tune. Or buy a lot of insurance. In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem. We have already seen information permanently lost. Depending on what that information is, that could get expensive for the city.
In most states, governments have some level of immunity, but that immunity isn’t complete, and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.
As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.
For cities, the answer is simple but not free. The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.
When people die because a city did not do appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs. Hopefully it won’t take that to get a city’s attention.
Source: Help Net Security