Typically, a city the size of Fort Atkinson doesn’t have to face the same problems with crime that larger cities deal with on a daily basis. But in the 21st century, there’s a new front in the fight against crime to which communities of all sizes are just as vulnerable: cyberattacks.
Municipalities big and small are among the largest targets for cyber criminals for a variety of reasons.
Cities keep a large amount of important data such as employee payroll information, taxpayer information and utility customer information; cities crunched for cash might not have the funds to keep their systems as up to date as possible; and cities often will pay a ransom just to get back to the important business of governing.
Trever Brandenburg, the owner of Ignatek, the IT company with which Fort Atkinson contracts to run its systems, is aware of the target on his back.
“Municipalities, government entities, are the number-one target at this time,” Brandenburg said.
One of the most common types of cybercrime is called a ransomware attack. Ransomware effectively shuts down an organization’s system and doesn’t let go until a ransom is paid.
In one of the first comprehensive tallies of ransomware attacks against municipalities, the cybersecurity firm Recorded Future found 169 attacks against city governments from 2013 to April 2019.
In May, the government functions of Baltimore screeched to a halt after a ransomware attack. Government emails were down, payments to city departments couldn’t be made online and real estate transactions couldn’t be processed.
“Baltimore was scary,” Brandenburg said. “Baltimore was the biggest one, but, like I said, it’s happening to governments all over.”
While Baltimore is the 29th-biggest city in the country, that doesn’t mean only major cities are at risk.
Nicholas Davis, who does cybersecurity for the entire University of Wisconsin System, said small organizations such as municipal governments can’t hide.
“You have the same concerns as everybody else does. Small or large, it doesn’t matter,” Davis said. “Interestingly, you know, in years gone by, people thought that smaller organizations that could obfuscate their presence or hide who they are were less likely to be victims of cyber attacks than large organizations. And to some extent, that may have been true 20 years ago, but the environment has changed substantially since then.”
The way the internet is structured, you can’t slip under the radar, Davis said. This means even though Fort Atkinson has a population of only a little more than 12,000 people, it’s just as visible as anything else online.
“You now — due to the speed and connectivity of the internet — can scan networks extremely quickly,” Davis said. “So a small organization hidden away in rural Wisconsin might be geographically far away, but from an electronic digital perspective, they’re just as easy of a target as somebody in downtown Milwaukee or in a large company here in Madison. So that’s the first thing to understand, that there’s no hiding.”
Because everyone is a target and there are so many different ways for a hacker to get into a system, the complexities of cybersecurity mean there are many ways a city can be vulnerable and many routes a security expert can take when defending a system.
Davis and Brandenburg both spend their days thinking about how to defend their respective systems from attacks, but they differ on the best way to do that.
Davis said he believes a small organization should store its data offsite on a cloud server hosted by companies such as Amazon or Microsoft in order to benefit from “strength in numbers.”
“In my opinion, since large targets and small targets are both equally visible on the internet, you’re better off putting your data where you know you have the resources behind it to protect it,” Davis said. “I’d rather have one very well-protected castle than I would 50 weakly-protected wooden cabins.”
But Brandenburg said he sees a benefit to keeping the data onsite and having it easily accessible in case of emergency. This allows the city to recover faster if it does get attacked.
“There’s both sides of that story,” Brandenburg said. “Just because you don’t host your data on your server doesn’t mean those people can’t be hacked, as well. It’s going to take twice as long to get you back up and running internally. Where we have access to our data today, right now, we have a backup in hand that we can mock something up in house here and get the city up and running.”
Brandenburg said he believes in a multi-leveled approach to keep bad actors out of Fort Atkinson’s systems. If someone gets in the front door, they can’t get further in where the sensitive information is stored.
“You’ve got to have a layered approach,” Brandenburg said. “You can’t say ‘Oh, I got a good firewall’; that’s not going to do it. You got to floor one, but you didn’t get to floor two or three or four.”
The two cybersecurity experts might disagree on the best way to defend systems, but they both believe it’s only going to get worse. The arms race of hackers and security experts is going to keep ramping up as new viruses and new anti-virus software continue to go back and forth.
“It’s not gonna get any easier, that’s for sure,” Brandenburg said. “And it’s not going to slow down and that’s for sure. The types of attacks that are out there are going to continually get worse and they’re going to change. You have to change your network to the next level. So, you’re never complacent.”