It was a contentious decision, spending that kind of money in the middle of the pandemic. But city staff said the changes were needed to fix an antiquated system and to protect Independence from a constant onslaught of cyber attacks.
"I don't mean to sound alarmist or hyperbolic," City Manager Zach Walker said during a July 20 council meeting.
But the threat was real, he said, noting ransomware attacks in places like Atlanta and Baltimore, where hackers took city data captive, demanding huge payoffs before returning crucial systems to functionality. Multiple analyses had found that Independence's systems were not well protected, he said. "This has happened to real cities out there," Walker said. "Those cities were taken down by ransomware attacks and had to pay a handsome price since then to unlock their systems. And even then, all the data hasn't fully been recovered."
His warning was prophetic: Independence, which is still implementing more security upgrades, has been dealing with an attack to its computer systems for days.
Independence's website began to come back online Friday afternoon, a full week after city officials first found the problem. But officials expected the site to intermittently go on and offline as they continued testing. The city first publicly announced the attack last Monday morning, saying it was discovered "before it could infect the full City network."
It's still unclear what kind of information might have been compromised. Much of the city's files — budget documents, building plans and council minutes — are records available to the public under the Missouri Sunshine Law.
But the city also stores private records regarding personnel and employee health. And it retains the personal information of some 57,000 water and power customers. Over the summer, Walker noted that the city's power grid, along with water and wastewater treatment plants, were highly automated and could be targeted by cyber criminals.
"This has certainly been crippling for us," Walker said in an interview on Thursday.
He said city staffers and contractors had taken systems offline after discovering the breach. They spent the week examining each system to see what information might have been compromised.
"They are just taking a painstaking, methodical approach before they begin to gradually bring systems back online," he said. "I think its more important for our team to do this right than to do it in any kind of a rush."
Ransomware works by attacking user files, encrypting them and essentially holding the information hostage in exchange for a payment. The attacks have increasingly plagued both private companies and public agencies.
In July, millions of customers had problems with products sold by Garmin International as the Olathe company battled a reported ransomware attack.
In August, Metropolitan Community College announced a ransomware attack that could have compromised the names, Social Security numbers, drivers license numbers, medical information and bank accounts of individuals. The college said it had no evidence that such personal information was extracted, though hackers had access to the network for nearly three months earlier in the year.
Similarly, Truman Medical Centers lost access to some of its computer system in 2019. Attackers demanded money to unlock the data and the Kansas City hospital agreed to "pay a small amount," KCUR reported. Truman said no health or financial information of patients was compromised and its cyber insurance carrier covered the cost of the ransom.
Independence is similarly insured, though it wouldn't say if any payment to hackers has been made.
"Any and all activities associated with this is a qualifying event," Walker told The Star.
Oftentimes, these attacks can infect a computer or network without notice. Users can unwittingly download ransomware by opening an email attachment, clicking an advertisement or following a link, according to the Federal Bureau of Investigation, whose local field offices investigate internet crimes.
Bridget Patton, spokeswoman for the FBI's office in Kansas City, referred all questions about the attack on Independence to city officials.
Because of the outages, Independence is waiving late fees and penalties for power and water customers. The city is accepting bill payments at the City Hall drop-off location or at the Utilities Center lobby or drive-thru. Currently, only cash, check and money order payments are being accepted, said city spokeswoman Meg Lewis.
While the city invested heavily in new cybersecurity measures this summer, implementation of those new systems is still ongoing. The council in July approved a nearly $1 million contract with Riverside Technologies Inc. for network improvements.
Additionally, the body approved spending than $3.4 million on two contracts with Minnesota-based Converge One Inc. for hardware and software upgrades and cybersecurity protections.
While those installations are not yet complete, part of the contract called for that company to monitor and respond to any breaches. Officials with Converge One could not be reached for comment.
Together, the upgrades were aimed at modernizing the city's aging technology infrastructure, consolidating various data centers and beefing up security. In July, Chief Information Officer Jason Newkirk said the work should be completed by April 2021.
He didn't want to discuss specific details about attempts to breach city firewalls in a public forum, but Newkirk said they are a common occurrence.
"We see attempts all the time," he said. "Every day."
(c)2020 The Kansas City Star (Kansas City, Mo.). Distributed by Tribune Content Agency, LLC.
