The city of Albany is the victim of a cyber attack, and few details are forthcoming.
How this happened, and what needs to be done to make sure it doesn’t happen again, are very much the public’s business.
Getting hacked is an unsettling experience. It’s the digital equivalent of someone breaking into your home. When the hack also comes with ransomware, it’s even worse — as if the burglar is still in the house and has locked you out.
So we understand Albany Mayor Kathy Sheehan may be rattled that the city was the victim of this sort of cyber attack. She should understand that city residents are doubtless rattled too. It’s not just her City Hall that was hacked; it’s theirs, too.
We can appreciate that in the midst of an attack on a government, prudence might dictate that officials keep details to a minimum while officials are trying to investigate, mitigate, and possibly even negotiate. What’s troubling here is that the public hasn’t even been told why the city is being so opaque, despite the mayor’s assertion that “we are committed to keeping you informed.”
What little the public does know is that the city revealed Saturday that it was struck by a ransomware attack, in which a hacker blocks the victim’s access to a system or personal files and demands payment. The extent of the problem remains unclear. Mayor Sheehan says no personal information about employees or residents is at risk. The city is taking a business-as-almost-usual approach, saying that municipal services go on, with the exception of access to birth, death and marriage certificates and licenses, which people can still obtain from other local governments.
But there are also reports that city police were affected as well, with access cut off, including in patrol cars, to internet-based services like incident and accident reports, which could slow response times. The mayor says dispatching was not affected, but even the police union complained of being in the dark about what’s going on. Hardly a comforting thought.
There are questions the city should be answering now, or should certainly be prepared to answer as soon as possible. For starters: How did this happen? Was it an individual lapse, or are there flaws in the city’s computer security system? Are there gaps in the city’s cybersecurity training? Are there lessons on how to avoid this that would be worth sharing with city workers and residents? And just how much ransom was demanded, and has it been paid?
To say, as the mayor does, that “this is the new normal” is not enough. Yes, these things happen in a digital age, but usually to people and institutions that, in retrospect, should have known better. Just ask the Democratic National Committee and Hillary Clinton’s presidential campaign, which both fell for “spear-phishing” emails designed to get recipients to reveal their log-in credentials, and suffered all sorts of embarrassment at the hands of Russian hackers and WikiLeaks in 2016.
Mayor Sheehan — who ran as something of a data wonk — surely knows all this. And so she should also know that Albany residents deserve more than a trust-us-everything-is-under-control posture. They deserve an explanation.