There may not be a shifty-eyed hacker plotting to take over Denver’s city government like the one who upended Baltimore’s on May 7, but the system has holes. Every computer network does, according to cybersecurity experts.
Denver officials won’t say where or what those holes are because, you know, they don’t want to get hacked.
“I can tell you that we’ve been looking at issues in Baltimore, Atlanta and CDOT, trying to avoid problems, but for obvious reasons we can’t say where any security issues might be because then we’ll tell the hackers how to hack us,” said David Edinger, the city’s chief information officer.
Edinger’s Technology Services department works constantly to find and patch cracks in the system that can let hackers in. They also have guidelines for 13,000 city employees that protect them from phishing expeditions, in which bad guys pretend to be good guys via email and get people to do things that expose the system.
“(Phishers) are focusing on what they believe to be the weak link, which is the uneducated users,” said Julie Sutton, the city’s information security manager. “That’s why we focus on the users.”
But Denver’s system isn’t airtight, despite constant attention, according to audits and cybersecurity experts who say that feat is pretty much impossible. Hackers continuously find new ways in, and cybersecurity guards continuously have to find fixes.
“You’d be amazed at how easy it is to find this stuff on the dark web,” said Fred Kneip, CEO of cybersecurity firm CyberGRX, referring to “exploits” or the tools hackers use to break in.
Kneip, who has worked with government organizations and private companies, guesses the number of holes in Denver’s system is in the hundreds, maybe thousands, which is not uncommon.
Hackers can paralyze cities by damming their revenue streams.
There’s more at risk than identity theft. Hackers used ransomware to attack Baltimore’s government computers, crippling city operations.
“A city makes money a certain way — fines, fees, parking tickets, taxes,” Edinger said. “An attack usually comes in and prevents that from happening. It would usually stop the city from getting what it needs to run.”
Baltimore’s snafu has cost the city $18 million and counting, according to the Baltimore Sun.
Edinger thinks Denver is better positioned than Baltimore. For one, he said his office has never wanted for funding. It spends about $5 million a year on cybersecurity.
Past audits revealed cracks in need of cementing.
Edinger says Denver is better off than Baltimore because it has a “federated” or “centralized” model of security that standardizes information technology across all departments, allowing the government to patch problems and respond to crises quickly.
Yet audits have found security risks. One found that the city was unprepared for a disaster, in part because unauthorized people could access worst-case-scenario plans and change them, or even delete them.
An audit of the Denver Botanic Gardens, a nonprofit that gets ample city funding, found that people’s information wasn’t secure.
“The city has a primarily centralized approach to IT but there are a few outliers,” Edinger said. “Technology Services continually partners with these agencies to improve security posture with a more holistic approach and to implement best practices citywide.”
Sometimes the city invites hackers to hack the system.
“White hat” hackers are computer sophisticates who weasel into Denver’s computers on the city’s dime. It’s a stress test. Kneip says self-hacks are part of a responsible “security hygiene” regimen that includes periodic software audits and training.
The Technology Services division performs its own checks — “penetration testing” — but so does Denver’s auditor. That department contracts with Cornerstone, a company that offers ethical hacking and assesses vulnerability. Auditor Tim O’Brien has authorized more than $600,000 for Cornerstone since he was elected four years ago.
Cornerstone would not do an interview to talk about the services it performs. The audits analyzed potential risks, including at WiFi access points, and determined whether a cybersecurity “event” had taken place or was likely, according to the documents. The audits are otherwise threadbare and short on specifics for security reasons.
Whenever the city does find vulnerabilities, it’s expected, according to Sutton.
“I’m never really surprised because security is constantly changing,” she said. “You know they exist and you’re trying to close those holes. So I’m never really surprised that it’s there because that’s just the world we live in.”
This article was updated to correct the name of Mr. Kneip, whose first name is Fred, not Frank.