City hall computer upgrades don’t get oversized plaques listing the names of the mayor and members of the city council, like some other municipal projects. Hardly anyone makes a big private donation to sponsor one. And you rarely, if ever, hears them talked about in a campaign. Safe to say no one’s won an election on a promise to update computers in the assessors’ office to the latest version of Windows.
Still, maintaining this infrastructure is a critical function of government. Data about taxpayers, businesses and students are at stake, not to mention the potential cost of freeing a computer system commandeered by a hacker in search of a payoff.
Events in Methuen over the summer should serve as warning to technology officers and elected leaders everywhere about this potential threat and the need to make regular upgrades as a step to avoid them.
Methuen’s was just the latest government system to be targeted by ransomware. According to Mayor Neil Perry, an unsuspecting city employee opened an email attachment that unleashed code seeking to seize the city’s network. The attack is believed to have launched from Eastern Europe.
The city was lucky. Its data and network security vendors spotted the problem within an hour and isolated it. The trouble, Perry told reporter Bill Kirk, is that the hackers were persistent, trying for months to break in. “This was a repetitive cyberattack,” he said. “Every couple of days, they were trying to get in.”
The city spent $272,000 to shut down the attack, rebuild its network and upgrade its computers — not short money by any means. But the potential cost was far greater, especially had the city faced a successful attack completely overtaking its systems.
These cyber-assaults are a real hazard of running a municipal network. Some, launched as so-called Robin Hood attacks, show up under the guise of raising awareness or money for a good cause only to infect equipment with malicious code. That was the case in Baltimore last year, when the city was forced to shut down nearly all of its computer systems to deal with an attack. A year earlier, police in Atlanta were writing out reports by hand and water bills had to be paid in person as the city dealt with what then was the “largest, most expensive cyber-disruption to date,” according to Government Technology magazine.
Methuen’s troubles may have started from a similar source. An outdated operating system complicated matters. The city was still using an 11-year-old version of Windows, ancient considering that operating systems are ideally updated every year and a half. As City Councilor Nicholas DiZoglio told Kirk, “The city has neglected IT for a decade, just kicked it down the road. . . . Our tech is too old, and somebody got ahead of us.”
The threat of cyberattacks aren’t new, and fortunately there are deep resources to help city and town halls deal with it, from the federal Cybersecurity and Infrastructure Security Agency to the nonprofit Center for Internet Security’s Multi-State Information Sharing and Analysis Center, which counts hundreds of state and local agencies among its members.
Much of the work of battling cyberattacks happens before they happen, in both preventative measures and regular maintenance. Methuen officials learned a painful lesson this summer. Hopefully leaders in other communities not already sufficiently wary of these potential crimes will take notice.