While Long Beach officials continue to deal with a major cybersecurity breach, they’ve been tight-lipped about anything they may have learned about what happened, how serious it is, and what the long-term consequences might be.
But with cyberattacks on municipal governments now increasingly common, experts who consult on or study the issue can offer a detailed look at what typically happens in cases like this.
For Long Beach, the situation was discovered Nov. 14, prompting the city to take down certain systems for safety the following day; two days after that, the City Council declared a local emergency to address the problem.
The extent of the damage isn’t clear, and city officials have declined to say if the attackers have demanded a ransom, as often happens. It’s also not clear how long it will take the city to recover, but what’s happened to other cities and government agencies can provide some clues as to how we got here and a roadmap for what’s ahead.
Why cities are a target
Local government agencies can be both an easy target and a rewarding one, experts say.
While any organization can suffer from human error — someone clicks a bad link or opens an infected file — municipalities usually don’t put as many resources into updating and securing their systems as private companies, said Robert Braun, who co-chairs the cybersecurity and privacy group at law firm Jeffer Mangels Butler & Mitchell LLP.
Many cities still use some legacy software, which “wasn’t designed for security,” and many of their systems are interconnected, so there are lots of potential ways in, Braun said.
Government agencies hold a wealth of sensitive data hackers can hold for ransom and threaten to release or destroy — like many cities, Long Beach has payment details for utility customers and vendor accounts, and personal identifying information on employees, people who deal with the police department and more.
“The reason they go after these municipalities is they have money. This is a business for the attackers,” said Justin Cappos, a professor at New York University’s Tandon School of Engineering.
And importantly, cyber criminal groups seek targets that provide critical services, such as medical care or water and electricity, “as they will face the most pressure to restore services as soon as possible and consider paying the ransom,” Sarah Powazek, director of the Public Interest Cybersecurity program at UC Berkeley, wrote in an email.
Long Beach officials have not confirmed or denied whether they received a ransom demand. The city’s emergency services and utilities never stopped functioning and other systems have slowly returned to service, but officials have not made public whether any resident or employee data was compromised in the attack.
What comes next?
While it’s so far unclear how Long Beach’s systems were breached, the city has said it’s been working with a cybersecurity consultant and it called in the FBI to help investigate.
Soon after the problem was discovered, the city took its website and various services offline. According to Braun, that was a logical step.
“The first thing to do is not actually necessarily to find out how it happened,” he said. “It’s really ‘contain the issue, contain the problem’ — that’s what they are trying to do.”
The next step is to search the system for anomalies to help determine who got in and what kind of attack it was. “During this process, you’re trying to figure out what was accessed, what may actually have been exfiltrated,” Braun said, and consequently who may need to be notified that their information was compromised.
As to ransom demands, Powazek noted that the FBI doesn’t recommend compliance, and an international task force including the U.S. and nearly 50 other countries put out a statement this month that warned against paying.
“Why fund criminal activity, which is what you’re doing,” Braun said, adding that it could even be illegal to pay if the perpetrator is in one of the countries subject to U.S. sanctions.
Organizations almost never get back all the data that was stolen, and sometimes what’s returned is corrupted, he said.
And if there was a threat to release data unless payment is made, Cappos said, “You don’t have any real way, even if they promise that they won’t release it, to know that they actually won’t.”
Recovering and restoring services after a cyber attack is rarely painless, but Braun said how challenging it is depends on whether an agency has backup data and systems that are up-to-date and have been tested.
Then, they either clean and debug or replace any systems affected by the breach, install and retest them. That should be done according to priority — for example, hotels that Braun represents would look first at ensuring life and safety functions such as elevators, air conditioning and fire prevention are operable.
That may not have a big price tag, but if an organization doesn’t have good backup data, it will mean a lengthy process of reconstructing the information from other agencies, third-party vendors, and public records. And if older legacy software can’t be repaired, “Sometimes you’re going to have to create entirely new systems, and that’s going to cost a lot of money,” Braun said.
If targeted public agencies want to prevent future breaches, experts recommend prevention — investing in security systems and professionals — as well as eternal vigilance.
Too often, Cappos said, there will be a flurry of spending in the wake of an attack, and then officials will return to not focusing on cyber security.
“For better or for worse,” Braun said, “we live in a world where you should be constantly thinking (about) security, systems and procedures.”