Investigations underway after “cyber incident” in Cleveland

(TNS) — Cleveland authorities aren’t saying much about a “cyber incident” that forced the shutdown of City Hall on Monday, leaving residents in the dark about what confidential information may have been accessed, whether the city will demand a ransom and who is to blame.

In the immediate aftermath of a cyberattack, a lack of information is normal, according to two cybersecurity experts who spoke to cleveland.com Monday morning. Government officials themselves may still not know all the details, and even if they do know them, that information is often not immediately shared with the public, the experts said.

In the Cleveland case, city officials are not deviating from the norm, at least not yet. Aside from keeping City Hall and city offices in the Erieview Tower closed for a second day Tuesday, few to no new details were provided during a press conference with Mayor Justin Bibb on Monday afternoon.

City officials have said utility customer and taxpayer data stored at Cleveland’s central tax collection agency will not be affected.

Other than that, Mayor Justin Bibb’s team had few new details to share when cleveland.com sent a list of questions Monday about the incident, which was first publicly disclosed around 9 p.m. Sunday.

When asked what information was accessed, what type of “cyber incident” occurred, and whether city officials even know what data might have been affected and to what extent, spokeswoman Sarah Johnson repeatedly gave the same answer: “The city continues to evaluate the nature and scope of the incident.”

Without knowing what type of “incident” it is, it is difficult to estimate what impact it will have on the residents of Cleveland and on city government operations.

But money is a common factor in the vast majority of cyberattacks today, says Alex Hamerstone, director of consulting solutions at Fairlawn-based TrustedSec.

“It’s like you go outside and get wet. There are lots of things that could cause that. But it’s probably raining, right? The same goes for ransomware. They’re so common now and the motivation for hacking is so focused on money,” Hamerstone said.

If Cleveland were to face a ransomware attack, it would likely follow the example of other ransomware attacks on governments and businesses, such as the one that occurred in Baltimore in 2019.

Hamerstone describes how ransomware typically works: The hacker accesses a computer system, encrypts it, and shuts it down, leaving normal users unable to access the information it contains. The hacker then contacts the owner and demands money. If the owner pays, the hacker sends them a key that can be used to decrypt the encrypted data and regain normal access to the system.

When asked Monday whether the city would consider paying such a ransom, Bibb did not respond.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, told cleveland.com that governments and companies that pay ransoms are often back online and operational faster than those that refuse to pay ransoms.

For companies that refuse to pay, Plaggemier says the right infrastructure and backup systems must be in place to avoid long, drawn-out restart times.

“The recovery could take longer because they have to bring all the systems back online and possibly go back to their backups. And they have to go system by system to make sure everything is clean and there is no malware left,” Plaggemier said.

Bibb and other city officials declined to comment Monday on whether all of Cleveland’s important data is adequately secured.

When asked what city officials are doing about the “cyber incident,” Johnson said she could not answer because those steps are “confidential.”

It is unclear when the situation might be resolved.

Johnson also said the “cyber incident” was discovered through the normal operation of the city’s information technology systems. And she said state and federal officials, along with cybersecurity experts, are currently providing guidance to Cleveland on how to handle the situation. City Hall’s highest-ranking IT official is longtime information systems commissioner Kim Roy-Wilson, who took over in March after Chief Innovation and Technology Officer Roy Fernando resigned.

One of the few questions from cleveland.com that elicited a more detailed response from City Hall was whether one of Cleveland’s outdated computer systems could make the city more vulnerable to a cyberattack. Johnson said no.

“The City has made significant investments over the past few years to improve the security of its operations and utilizes best practices to maintain cybersecurity. However, due to the ever-evolving and persistent practices of threat actors, it is impossible to eliminate every risk of a cyber incident,” Johnson said.

Alex Hamerstone of TrustedSec said the age of computer systems does not necessarily increase vulnerability to cyberattacks, and reliance on paper documentation – still used for some city functions – can provide protection from a cyberattack.

When City Hall announced the incident Sunday evening, it said it was taking precautionary measures and shutting down the affected IT systems. Those shutdowns do not appear to have affected the city’s website, which appeared to be functioning normally on Monday. Johnson used her city email address to read and respond to cleveland.com’s questions on Monday, so the email service also appears to be functioning normally.

Some city services will not be affected, including police, fire, ambulance, animal control, the city court, recreation centers, garbage collection, airports and utilities such as Cleveland Water and Cleveland Public Power, Johnson said.

The regular operators of the city’s emergency number 311 were initially not on duty on Monday morning, but have since resumed operations.

City Hall and the Erieview Tower, which houses the health department among other things, remained closed Monday and will remain so Tuesday. City employees who work at those locations are being instructed not to come into work. Those who can work from home are doing so, Johnson said.

©2024 Advance Local Media LLC, distributed by Tribune Content Agency, LLC.