SAN FRANCISCO – Municipalities today are dealing with an unanticipated number of cyberthreats, Merritt Maxim, an analyst at Forrester, said last week at the RSA Conference 2020.

Local and state governments are increasingly being targeted by ransomware attacks, phishing emails and business email compromise. And emerging technologies being adopted by cities – like facial recognition, smart-city technologies like smart lighting, and 5G-driven IoT – are opening up municipalities to even more security and privacy threats. Worse, governments aren’t ready to keep up with defending against these threats.

Talking with Threatpost, Maxim discusses the biggest risks that city governments are facing today.

Below is a lightly edited transcript.

Tara Seals: Tara Seals, senior editor with Threatpost, and I’m here with Merritt Maxim of Forrester. Thank you very much for joining me, Merritt.

Merritt Maxim: Thanks for having me, Tara.

Tara Seals: So I wanted to talk to you a little bit about smart cities and municipalities in general and some of the security threats that they’re facing. Definitely a big story over the course of the last year, particularly when it comes to ransomware, right?

Merritt Maxim: Yeah, absolutely. As certainly we saw in the U.S., Baltimore was a prominent victim of a ransomware attack that disrupted city services pretty considerably. There’s been a range of other cities that have been impacted and of course this creates real disruption for citizens. They can’t get building permits, they can’t renew licenses, they can’t get birth certificates. And so the impact to consumers is significant, and the irony is that governments have been working to digitize more and more of their services over the last few years to be more citizen-friendly. And now these same services are an attack point that hackers can compromise to create this kind of disruption.

Tara Seals: Well, and insult to injury, too, it seems as though as they’re making this digital transformation, and that’s very much a mandate for them, and at the same time, they’re not ramping up on their IT staff, let alone their security staff. Right?

Merritt Maxim: Correct. And the hackers are aware that these digitization projects are underway and they know that they’re potentially vulnerable. And that could not just be the city systems. It could also include the lighting — smart lighting — or the traffic-control systems. And again, these are not as much about, say, ransomware, but just maybe causing overall disruption just because you want to prove that these systems are vulnerable. You see some of that happening as well.

Tara Seals: Have there been any specific examples of that, that you’ve seen?

Merritt Maxim: There have been some, and there certainly have been experiments where researchers have proven that these systems can be vulnerable. And certainly the whole rise of video surveillance, whether it’s being used by law enforcement or by say a public-transit agency for purposes of monitoring crowds and things of that sort, those systems are also potentially vulnerable as well.

Tara Seals: Right. Now, you had mentioned something when we were talking before we filmed this interview about New Orleans and how that ransomware attack down there kind of completely disrupted their Mardi Gras plans and wreaked havoc.

Merritt Maxim: Correct. I noticed that in the paper a while ago. So New Orleans has had a couple of cyber-attacks, but they had one back in the fall. They did declare a state of emergency, a bunch of services were shut down. It was ransomware-related. Then they were able to restore a bunch of services, but a bunch of services were still unable to recover. Some of them required additional funding and budgetary processes and other factors. To mitigate these risks, you have to go through a formal government procurement process and as a result, some services like some of the permitting and other business-to-business services had to be done manually. For Mardi Gras, you need electrical permits to do things, you need permits for floats. And so I didn’t see if it had a significant disruption on Mardi Gras, but it did create additional challenges in that previously these things could be done online. You now had to resort back to a paper-based, manual, in-person approach to conduct these services.

Tara Seals: Right, right, right. Well, and again, that goes to the idea of cost too, right? I mean, it’s immensely expensive to try to recover from some of these attacks. Some cities have not paid up on the ransom and some cities have paid up. And it’s different for each municipality I would think in terms of whether or not they want to pay the ransom or not pay the ransom. But do you have any thoughts on that in terms of how they can weigh their risks?

Merritt Maxim: Yeah, there are certainly different opinions about whether it’s worth paying or not. And we’ve done some work on that, building the methodology to help companies evaluate whether it makes sense to pay or not. And a lot of that is driven by understanding their recovery costs. In some cases their recovery costs could actually be more than the ransom itself if it’s a significant disruption. In other cases it may be harder to make that case, and that could be helpful to determine that it’s not purely a binary, don’t pay or pay. You have to kind of work through this and understand all the interdependencies and use that to make the best decision about that.

Tara Seals: Yeah, there’s a lot to take into account, I would imagine. So aside from ransomware, you had mentioned some of these nuisance attacks and as we move into the smart-city realm where you have the smart lighting and things like that, even potentially on-demand power generation and some of these other things that are coming down the pike to go along with 5G rolling out, what are some of the other concerns outside of ransomware that cities really should be taking into account?

Merritt Maxim: Yeah, there’s another kind of macro trend as well, which is that if you go by any of the kind of large surveys, whether it’s the UN or World Economic Forum, the world is going to be increasingly urbanized. The percentage of the world’s population that will be living in large cities is going to increase over time, which is a reflection of how we as a society are growing. But it also means there are more and more people in these concentrated areas. And it means that when systems are not available, disruption is even more severe than it might’ve been a few years ago.

Tara Seals: Good point.

Merritt Maxim: I mean there are currently 20 cities globally that have more than 10 million people and 40 years ago there was only one I believe. So there is more concentration in these megacities that again drive tremendous innovation and they’re obviously trying to service bigger and bigger populations. So smart-city services become part of that, whether it’s lighting, traffic, energy efficiencies…

Tara Seals: …Waste collection.

Merritt Maxim: Waste collection. Yeah. And again, all of these services now become a potential attack vector. And the challenge for an IT organization is, each of these new services is now generating more events that have to be evaluated to determine if this is truly anomalous activity or is this just a factor of, it’s a rainy day and therefore people are behaving differently. And so, it creates a much bigger challenge on the IT organization to be able to sift through this data to really understand, is an attack underway or is this just unusual behavior among the citizens because of some other external factors?

Tara Seals: Right. So does artificial intelligence become part of the story at that point?

Merritt Maxim: Yeah, and certainly machine learning and understanding those externalities so you can start to sift through. We talked with some cities last year that the amount of quote-unquote “security events” that get generated is in the tens of millions a day. And that can be everything from a bus to a transit system to healthcare, and in just sifting through all that stuff it becomes a real challenge to understand, how do I prioritize the ones that really need further investigation. And that’s where AI and machine learning and analytics play a role in helping you sift through and prioritize those large datasets to find the most relevant examples.

Tara Seals: And so that goes again to the staffing challenge that we’re seeing in cybersecurity in general on a macro level, but particularly for cities. They’re working on shoestring budgets a lot of the time. I mean, they don’t have discretionary income necessarily to just kind of throw at things when they need to. So, what advice would you have for, let’s say like a mid-sized city looking to protect themselves from cyber-threats going forward? What should they prioritize, do you think?

Merritt Maxim: Yeah, I mean if they’re going to go smart, they should do the smart simulation, and really work with that supplier to understand how the system is designed, where the potential threats may emerge. That could mean engaging a third-party consultant and maybe even doing a penetration test on a system to see, can it be compromised and how challenging is that compromise, so they understand, predeployment, what the real possible risks are. Then they can possibly determine that maybe this product is not worth the risk. And also understanding what’s the process. If it’s like a permitting process they want to take online, and there is a backup alternative manual, paper-based approach, maybe the disruption is tolerable. But if it’s a transit system and it goes down, the impact is much more significant because now, people have to take alternative transport home. It creates a lot of disruption. And so understanding the service that you’re trying to digitize and what the impacts are of that being offline, can help guide decisions about what is the best approach for that service, whether it even makes sense to make it smart or to keep it the way it is.

Tara Seals: Yeah, that’s really interesting because obviously with this particular vertical, serving the public good is job one, right? Above and beyond anything else. So very interesting. All right. Any final thoughts on municipalities and cybersecurity before I let you go?

Merritt Maxim: Yeah, I think there was one other thing to mention, and that is privacy. There is a double-edged sword here. Consumers want more digital services, but then at the same time they want some level of privacy. So services that may give you the ability to interact with the city, but do you want to disclose that kind of data or participate in that collection? So being able to have video surveillance and things like that are certainly part of that discussion. And what kind of opt-in or consent mechanisms need to be in place? There have been some pilots that have been underway, and Toronto is one example, it’s been struggling to get that off the ground because privacy has been a real consideration, and there’s been a lot of back and forth about, how do we actually enable all this in a way that keeps consumers connected but doesn’t compromise their privacy?

Tara Seals: Right, right, right, right. And facial recognition is something that’s rolling out in certain trial cities.

Merritt Maxim: And some cities have already implemented bans in response to that. So again, we’ll probably see more regulation around that. But again, that’s a good example of something where there has been growing consumer backlash about how that technology could be potentially abused and what it means to their overall privacy.

Tara Seals: Right. Right. Absolutely. All right, well thank you very much, Merritt. I appreciate it.

Merritt Maxim: Thank you, thank you.