Baltimore, United States, May 2019. A large-scale attack affects more than 10,000 city administrators’ computers along with 600,000 belonging to private individuals. Email inboxes are blocked, security cameras are blurred, some vital functions, such as water management, are disrupted. The hackers demand a ransom of $100,000 payable in bitcoins. The mayor refuses to give in and sets up an emergency system to continue operating municipal services, but the city will remain paralyzed for ten days and the financial damage is now estimated at $18m.
Pay a ransom or restore your data? Not all cities make the same choice. France has not been spared by this phenomenon. In 2019, according to the Cybermalveillance group, more than 1,200 local authorities were victims of cyberattacks.
In March 2020, information systems and data related to the municipal elections in Marseille, Martigues and the Aix-Marseille-Provence conurbation were the target of attacks affecting a total of around 300 machines, according to estimates from the National Information Systems Security Agency. The following month, it was the turn of two towns in the Morbihan region to be targeted.
The scenario is well-known. A simple email is enough to encrypt all or some of the data on a network, rendering it unusable, using malicious software (ransomware). To obtain the encryption password, the victim is ordered to pay a ransom. The only alternative is to set up a makeshift IT organization, asking municipal officials to use a personal Wi-Fi network for example, and then restore the encrypted data from backups, which may take weeks. Of course, a city is not a business and will not go bankrupt if attacked. And of course, cities are, like operators such as RATP Group or SNCF, subject to open data obligations and some of the data they process is therefore accessible to all. In the event of a cyberattack, cities and large infrastructure and network operators are indeed faced with major risks to citizens’ safety or health.
“Technology must be just as appealing an area as the city. It is vital that RATP Group be recognized as a trusted digital operator.”
Cities, which award public contracts, hold information on companies and their citizens which may be of interest to third parties. And the more they digitize, the more vigilant they must be. Today, the attacks target city hall computers, while tomorrow they could target traffic signals, connected lighting or driverless shuttles on the public transport network. RATP Group, a pioneer in driverless shuttles, is proactive regarding these risks, by promoting a security-by-design approach to manufacturers and by carrying out cyber audits on vehicles and their management infrastructure.
“Our challenges are above all those related to the cyber defense of critical infrastructure as well as the protection of the privacy of our employees and users,” notes Pierre-Marie Lore, RATP Group’s cybersecurity officer. “We therefore make our teams and managers very aware of these issues.”
Cities are starting to fight back, often in a collective way. In 2017, Lyon created the first European cluster dedicated to the cybersecurity of industrial and urban systems. Rennes, which is home to a cyber center of excellence, hosts a benchmark cybersecurity event every year, the European Cyber Week. Lille has made the International Cybersecurity Forum a very popular event.
In the Morbihan department, 60 towns have joined together to create a common platform for the management and protection of digital data. Others rely on the expertise of the public interest group Cybermalveillance or dedicated associations, such as Declic. The dynamic is still insufficient, but it is essential for the resilience of the cities of the future.
1 in 2
Nearly 1 in 2 French companies say they are worried about their ability to cope with cyber risk
“Today’s cities are already exposed, and smart cities will be more so.”
After banks and businesses, why is the public sector the new target for hackers?
In 2014-2015, hackers were mostly trying to steal credit cards. Then they turned to data belonging to very large companies, which they could ransom. But banks and large groups have learned to protect themselves and have invested in cybersecurity. In contrast, the public sector still does not spend enough money on protecting its information systems and recruiting experts. The hardware is sometimes old, and therefore more vulnerable to attacks. When carrying out a hardware inventory, it is common to come across shadow IT, a handful of computers that are permanently on, with no one knowing what they are used for, and no one daring to unplug them!
How can the public sector protect itself?
The best protected are those who have already been attacked. Things move slowly. A little faster at state level: Israel has dedicated a ministry to combating cybercrime and calls on a network of volunteer ethical hackers like me to raise awareness with city councils. To be optimistic, I would say that attacks at city level are more embarrassing than they are dangerous. What will pose real problems tomorrow is the smart city and the proliferation of connected equipment (parking meters, video cameras, lights), which will all be weak points.