It’s now been a year since foreign cybercriminals hacked the city of Columbus and exposed the private information of residents and employees on the dark web.
A year with virtually no answers and near-zero transparency from Mayor Andrew Ginther’s administration, which wrongly claimed the attack by the Rhysida group had been “thwarted” and later mistakenly asserted the hacked data was encrypted when it was not.
The city even sued a citizen who corrected the mayor’s comments by sharing that he found Social Security numbers and driver’s license information for hundreds of thousands of people, as well as crime victims’ info and undercover officers’ identities.
City employees were unable to work fully for days. Employees who reported their bank accounts were compromised filed class-action lawsuits. Some systems remained down for weeks and months.
Columbus Mayor Andrew J. Ginther held a rare Saturday press conferenceon Aug. 17 to address the impact of Russian hackers gaining access to city networks the prior month. A long promised public report on what happened has not been issued.
And we still don’t publicly know what really happened or the full extent of the damage, as Ginther’s team conveniently uses legal and security excuses while repeatedly delaying a promised public report, originally expected last fall.
The known cost has been immense, with City Council recently approving $23 million to upgrade the city’s computer networks without asking any public questions of the administration or insisting on the release of the report. Council previously authorized $7 million for Dinsmore & Shohl for that report, along with legal and incident response services.
The $23 million will pay for a Zero Trust Network, a modern system that “assumes threats can exist inside and outside the network and requires strict verification for every user and device,” a city spokesperson told us.
That wording raised questions for us. Most companies have long used authentication systems to verify users through a variety of two-factor methods that go well beyond a simple password. Did one of America’s largest cities lack such a system before the hack?
Why is Zero Trust beginning to be installed a year later?
Columbus Chief Technology Officer Sam Orth speaks to Columbus City Council on Monday, Oct. 7, 2024 about the ongoing investigation into the cyber attack on the city that was discovered in July.
Columbus was warned
Keep in mind that this all happened after many other American local governments were hacked and federal authorities issued a Cybersecurity Advisory on Nov. 15, 2023, warning of ransom attacks and offering immediate steps that IT departments could take to thwart the threat.
“Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates,” the advisory said. “Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability … and phishing campaigns to gain initial access.”
The city of Cleveland then faced a crippling cyberattack a month before Columbus.
We still don’t know what Columbus did or did not do to combat this threat. Nor do we know why it took three weeks for Columbus leaders to respond to offers for help from the state’s Ohio Cyber Reserve, a unit of civilians tasked with helping cities protect their systems with best practices. Cleveland asked that group for help immediately.
“It was night and day difference in what they (Cleveland) asked us to do and the timing of it,” Kirk Herath, Ohio’s cybersecurity strategic advisor, told us last year.
How bad has it been?
A year ago when local media were trying to ask basic questions, City Hall made sure that no members of council, department directors and even other independent office holders would discuss their experiences or challenges of serving the public without computers.
As a Dispatch story last year reported: “No member of the nine-person City Council would return Dispatch telephone and email messages… . The council released a joint statement of concern, but did not offer details or comment on whether its members were satisfied with the city’s response to the hack.”
It’s time for answers
We’re not asking for city leaders to share details that would put systems at risk and increase legal exposure for taxpayers.
But surely there’s a middle ground where a full accounting can be made in the interest of serving the public and reasonable transparency.
How did the hack happen? Were city employees properly trained to spot phishing attempts by bad actors seeking access to city systems? Did IT leaders properly build their network to protect private information? Were any employees disciplined or fired for their roles in this debacle?
At the same time, we have to question the always cozy “Columbus way,” where City Council rarely, if ever, asks tough questions or offers critiques of the administration in public. Nor have members, who have received private briefings on the breach, discussed whether they are satisfied with how the city handled this situation.
The people who live and work in Columbus depend on city leaders to deliver a complex array of services, including first responders in emergencies, fresh water and social services, to name a few. Any threat that compromises the ability of the city to serve everyone must be addressed proactively and with transparency.
So we ask again, what really happened? And why won’t it happen again?
This editorial was written by Dispatch Executive Editor Michael Shearer on behalf of the editorial board of The Columbus Dispatch. Editorials are fact-based assessments of issues of importance to the communities we serve. These are not the opinions of our reporting staff members, who strive for neutrality in their reporting.
This article originally appeared on The Columbus Dispatch: Columbus spends big after hack without explaining what happened | Opinion