By Ryan Johnston, Policy Counsel 

Ensuring that every resident and municipal government is able to benefit from digital access also means that new stockpiles of data are being collected on each user. Too often, it is the decades-old server at city hall that collects and records much of the personal information the city is required to maintain. This server that may not be running the most current operating system or updated with the most recent security patches that could ward off sophisticated cyber threats.  Easy entry into a network is a dream come true for an intrepid hacker easy entry into a network to deploy malicious attacks against a community’s municipal network. 

Legacy systems contain outdated hardware and software that are often difficult to replace, either because other systems rely on the outdated equipment and there is no modern replacement solution, or are situated within a network in such a way that any downtime would cause serious operational problems. This makes upgrading prohibitively costly or practically impossible. In turn, critical infrastructure networks including inherent security vulnerabilities that are often not compatible with security features surrounding access, including multi-factor authentication, single-sign on and role-based access. Legacy systems can also lack sufficient encryption methods to protect citizens data. These systems may vary in “outdatedness” simply because of differences in hardware and software support. Local governments may need additional support to identify how their outdated systems may affect their citizens’ data. 

The most recent and notable potential example of a legacy system being exploited has been the ransomware attack launched against the City of Baltimore. This attack was launched using the RobbinHood ransomware, a type of malware that encrypts the user’s files and replaces the screen with a message directing the victims on how much to pay and where to send the funds. Specifically, RobbinHood exploits a vulnerability in a deprecated Windows kernel driver included with the malware. Because the driver is legitimate, Windows will load the driver allowing the attackers to exploit the bug and wreak havoc within a user’s system. 

The attack shut down Baltimore’s email systems and its ability to take credit card payments for bills and fines. The attack also crippled the real estate market for several days as the City’s Finance Department could not verify if home sellers owed the city on outstanding bills or taxes.

An undated risk assessment report obtained by the Baltimore Sun, focused on two city servers that were running versions of Microsoft’s Windows Server that Microsoft no longer supports, meaning that they no longer receive routine security updates. The risk assessment recommended abandoning the outdated servers, and either rewriting or buying commercially available versions of contemporary programs that the city utilized on these servers. 

While it is unclear whether these servers were in use during the ransomware attack that ravaged Baltimore’s systems, if they were, they would certainly present problems. A system infected with ransomware should still be able to restore backed up versions of files. However, the risk assessment report noted that neither server had active backups. These servers thus acted as single points of failure ensuring that any data contained therein would likely be lost in the event of an attack. 

In May 2019, Baltimore launched its own investigation as to the cause of the ransomware attack. Shortly thereafter, the City Council established the Cybersecurity and Emergency Preparedness Committee. While the details of the attack were restricted during committee hearings due to a then ongoing federal investigation, the Committee sought to understand what could be learned from the attack–what the city had done correctly, incorrectly and what avenues are available to ensure the city is prepared if anything similar happens in the future.

Preparedness for cyber events is critical. Communities seeking to shield themselves from malicious actors have many steps they can take to minimize threat vectors. 

In general, limiting the number of old, outdated, or unsupported systems included in a network will severely minimize the number of openings malicious actors may have to breach a system. While it may be costly to replace or rewrite legacy software, often the cost of replacement and downtime of these systems outweighs what will be faced if an attack is successful. 

Additionally, local officials  should regularly revisit system backup strategies. Relying on “live” backups that mirror files onto network shares or copying changed files into directly accessible cloud storage is a potential risk, as attackers seek to delete or scramble these backups with ransomware along with everything else. Offline, offsite backups are the safest and most secure way to remain operational in the event an emergency arises. 

Furthermore, attackers that require higher levels of access and probe for existing protections often leave traces of their presence, constant monitoring technologies, log review, and ensuring that alerts, warnings, and anti-virus detections are monitored closely will act as reliable, early warning signs that there may be intruders that are up to no good. 

Finally, the age old adage “patch early, patch often.” In any circumstance, where there is a patch available, increased permissions or higher access than what hackers may be able to achieve without admin privileges may help deter cyber attacks. Leaving holes that are easily filled invites mischief. 

During National Cybersecurity Awareness Month, Next Century Cities remains committed to raising awareness for cities, towns, villages, and counties that have a duty to protect the data they safeguard on behalf of their communities. As communities embrace more digital solutions to make their operations more efficient and user friendly, municipalities have an increasingly more important role to play as stewards of their residents’ data. Designing new systems with security in mind ensures that citizen data is protected and communities have taken all the steps they reasonably could to ensure that it stayed out of the hands of malicious actors.