Why Iowa cities are stepping up cybersecurity

Cyber attacks in major cities prompt need to be alert

Aaron Warner, ProCircular CEO

What might at first glance appear a simple request from a colleague — “Could you please review this attached invoice?” — nowadays could land Iowa’s local governments in a world of hurt.

Cybersecurity weaknesses, perceived or otherwise, nowadays are a pressing concern for some cities, with unknown marauders threatening to digitally breach progressively larger libraries of sensitive data and online utilities used by residents.

“Nobody wants to be the city of Atlanta,” said Aaron Warner, CEO of Coralville-based cybersecurity company ProCircular, referring to a high-profile March 2018 cyberattack that wiped out the city’s online services — everything from parking ticket and utility bill payment systems to court schedules and airport Wi-Fi.

Atlanta projected it could spend up to $17 million to recover from a ransomware attack — malware that held sensitive data hostage, threatening to release or keep it encrypted until Atlanta paid the marauders.

More recently, in May, a ransomware attack took Baltimore’s email, city payment and real estate systems offline, with a recovery cost around $18 million.

How to pay for cybersecurity

Defending against such attacks can prove challenging for smaller governments from a financial standpoint, as they must budget a limited pool of taxpayer dollars compared to larger companies that have deep pockets for information technology departments.

“The thing about cybersecurity is, there are so many things you can spend your money on, and we’re all trying to figure out what’s most effective, given the budgets we have,” said Terrell Hunter, who became Marion’s first information technology hire six years ago, when he transitioned from his IT manager role at the University of Iowa.

On a global scale, the cybersecurity market was valued at $137.6 billion in 2017 and is projected to grow to $248.3 billion by 2023, according to research firm MarketsandMarkets.

Hunter, now Marion’s IT director, said he strives to keep city staff educated on the city’s internet usage policy and aspires to revise its language to ensure it is up to date.

“If it’s hard for people to understand, it’s going to be hard for them to follow, and most of them (the employees) aren’t technical,” Hunter said.

Phishing growing

The challenges come at a time when hackers are becoming more sophisticated in their attacks.

“It seemed like the classic virus, the frequency of those seemed to slow down, but more malware and the complexity and variety of things that need to be considered has changed quite a bit over the past few years,” said Scott Larson, Coralville’s assistant city engineer.

Phishing, or attempts to fool users into clicking seemingly trustworthy links or attachments to access information, is one example, he said.

“Instead of coming from some random person, from some random name or some random email address, now it’s coming from somebody that you’ve corresponded with in the past, or a business that your business corresponds with,” Larson said.

He said Coralville last year enlisted ProCircular, which offers risk assessment, data scanning and incident response services, to bolster its protections.

Marion became a client two years ago, Hunter said.

Paying ransom

Warner, of the Coralville cybersecurity company, said local governments “weren’t on our radar when the firm started in September 2016, but as time has progressed and as they’ve been targeted more and more often, they’ve been increasingly a part of the business that we do.”

A May 2019 Recorded Future study documented at least 172 ransomware attacks against city and state governments since 2013. Of those attacks, only 17.1 percent of the victimized governments paid the ransom, while 70.4 percent reported they did not make payments.

“Although state and local governments do not pay ransoms nearly as frequently as other targets, they generate outsized media coverage because of the effect these attacks have on the functioning of essential infrastructure and processes,” the study summarized. “This likely creates a perception among attackers that these are potentially profitable targets.”

‘Iowa nice’ flaw

Warner said local governments might come under fire from cyberattackers targeting “bigger fish,” such as important figures who live here or larger agencies with connections to those cities. Iowans, in particular, could be perceived as easy marks.

“People taking advantage of ‘Iowa Nice’ is a really common approach,” he said. “Iowans just generally want to help and anything they can do to make someone’s life easier. It tends to work against them because the people that are out there trying to steal or get in, they know that and can take advantage of that.”

Though Hunter said Marion has made significant effort toward cybersecurity protections, “we never feel that it’s enough.”

“You’ve got a limited staff and a limited budget to put toward (cybersecurity), and the criminals out there have nearly unlimited time and resources to send whatever the next version of what they have out there after you,” he said.

“The minute you say you’ve done something well, that’s when you get attacked the next day.”

• Comments: (319) 398-8366; thomas.friestad@thegazette.com
