A cyber attack that virtually hijacked the controls of more than 60 per cent of San Francisco’s municipal network should serve as a wake-up call for IT managers in Canadian government jurisdictions, say technology experts.
San Francisco courts are scheduled to arraign Terry Childs, 43, a network administrator with the city’s Department of Telecommunications Services.
He was arrested Sunday for allegedly changing passwords to San Francisco’s computer system and effectively “locking up” the city’s multi-million dollar fibre WAN (wide area network) system that handles sensitive data, critical IT operations, and much of the municipality’s network traffic.
As of press time, authorities still do not have the access codes that Childs created for himself.
“We continue to monitor the system to make sure we do maintain integrity of the network,” said Ron Vinson, chief administrative officer for San Francisco’s IT services department. Although Childs is in jail, officials fear he may have a device that could enable another person to access the system by telephone or some other remote gadget.
Meanwhile, Canadian technology analysts say the incident that has unnerved San Francisco authorities could happen in any Canadian city.
“This sort of thing can happen anywhere,” said Carmi Levy, research analyst and senior vice-president at AR Communications Inc., based in Toronto.
“Anytime you have a single person solely accountable for access to a given system and that person is not subject to routine oversight, you are vulnerable.”
His views are echoed by James Quin, a senior research analyst with Info-Tech Research Group in London, Ont.
Quin says he is not aware of a similar incident occurring in Canada, but added “in all likelihood something like this may have occurred many times in Canada – as it has in other places – but was never reported”.
The impact of such an attack, he says, could range from minor inconveniences such as a certain number of users being restricted in the performance of their tasks, to a catastrophic lock out of all city operations.
“It all depends on the processes the locked-out government has chosen to computerize”.
And the fallout of such a disaster on public sector operations could be serious, Quin noted.
He said possible scenarios might include:
- A spate of mistrials in city courts as judicial proceedings have to be suspended
- Delays in city services and maintenance work
- A hold-up in business transactions, such as the processing of land transfer certificates or business licenses
An analyst specializing in public sector IT noted that security breaches involving government networks are bound to happen because these systems have been long ignored.
“In North America, a lot of the IT infrastructure is rusting and crumbling and is handled more like public sector nuisance,” said Alison Brooks, research director for public sector at IDC Canada in Toronto.
“It’s only given attention when situations hit crisis levels.”
This happens, Brooks said, because it is often hard to link investments to citizen service delivery. “Basically, the issue is it’s difficult to make investments for which the value will be recognized past one’s term of office.”
Authorities speculate the cost of getting systems back to normal could run into millions of dollars.
Childs, who has worked with the city for about five years, has a base salary of $126,000.
The San Francisco Chronicle reports that, according to a city official, the computer network administrator was previously disciplined on the job for poor performance and that supervisors tried but failed to get him fired.
Investigators believe it was sometime around June 20 that Childs began tampering with the city’s fibre WAN, where records are kept, such as officials’ e-mails, city payroll files, the municipal Web site, the 311 information call centre and confidential law enforcement documents in which jail inmates’ bookings are recorded.
Childs created a password that gave him exclusive access to the system. He is also alleged to have rigged a tracing system to monitor what other administrators were saying and doing related to his own case.
The police began investigating Childs’ activities sometime in late June after they were contacted by suspicious IT department officials.
When Childs was arrested on Sunday, he gave the police a series of bogus passwords to the network and later refused to reveal the real codes.
Companies and government agencies must anticipate scenarios such as the one unfolding in San Francisco and be sure to design disaster recovery plans that can handle them, said Levy of AR Communications.
Employees who hold the keys to the kingdom can inflict massive damage if they decide to vent their frustrations on their employer, he said.
Here are steps – suggested by information security experts – for network managers to protect their domain:
Don’t give too much authority to one person – Employ organizational principles such as Separation of Duties and Least Privilege, said Quin of Info-Tech.
The principle of Least Privilege stipulates that users (including administrators) are granted only enough access to the network to meet requirements of their role. Anything above and beyond the bare minimum should not be allowed, as it can be exploited.
The Separation of Duties principle requires that tasks be divided into individual components that are handled by different people.
“Had San Francisco adopted these concepts, a single individual would not have been able to create this situation,” said Quin.
Ensure key personnel have backup resources – Backups should be arranged for people, systems and processes, to prepare for failure, says Levy. Managers should also apply as much rigorous oversight to internal workers as they would to external resources, he said.
Bolster recruitment and employee assessment practices – Keep a close watch on behaviour that might indicate potential trouble, so as to anticipate and head off any disaster.
Reassess company policies regarding human resources issues – Investigate practices that improve employee satisfaction and talent retention. Determine if workloads, duties and employee expectations are in synch. Make sure workers have adequate channels to voice their concerns to management.
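The first two recommendations above (Least Privilege and Separation of Duties, and backups for key personnel) can be checked mechanically during an access review. The sketch below is an added example, not part of the original article; the users, roles, privilege names and systems are constructed for illustration.

```python
# Constructed inventory for illustration; all names and privileges are hypothetical.
ROLE_BASELINE = {
    "network-admin": {"wan:configure", "wan:read-logs"},
    "security-officer": {"wan:set-credentials", "wan:read-logs"},
    "auditor": {"wan:read-logs", "audit:review"},
}
USER_ROLE = {"alice": "network-admin", "bob": "security-officer", "carol": "auditor"}
GRANTS = {
    "alice": {"wan:configure", "wan:set-credentials", "wan:read-logs", "audit:review"},
    "bob": {"wan:set-credentials", "wan:read-logs"},
    "carol": {"wan:read-logs", "audit:review"},
}
# Duties that one person must not hold together (Separation of Duties).
CONFLICTS = [("wan:configure", "wan:set-credentials"), ("wan:configure", "audit:review")]
# Who can actually log in with full privileges on each system.
PRIVILEGED_HOLDERS = {
    "core-router": {"alice"},
    "edge-fw": {"alice", "bob"},
    "mail": {"bob", "carol"},
}


def excess_privileges(grants, user_role, baseline):
    """Least Privilege: privileges granted beyond what the user's role requires."""
    findings = {}
    for user, privs in grants.items():
        extra = privs - baseline.get(user_role.get(user), set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def sod_violations(grants, conflicts):
    """Separation of Duties: users holding both halves of a conflicting pair."""
    return sorted((user, a, b) for user, privs in grants.items()
                  for a, b in conflicts if a in privs and b in privs)


def single_holder_systems(holders):
    """Systems where exactly one person has privileged access (no backup person)."""
    return {system: next(iter(who)) for system, who in holders.items() if len(who) == 1}


def audit():
    return {
        "excess": excess_privileges(GRANTS, USER_ROLE, ROLE_BASELINE),
        "sod": sod_violations(GRANTS, CONFLICTS),
        "single_holder": single_holder_systems(PRIVILEGED_HOLDERS),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(finding, detail)
```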