While much of the country’s attention has been focused on the Colonial Pipeline shutdown in response to a cyberattack recently — an event which has already sent U.S. gas prices skyrocketing upward — many Oklahomans have been dealing with the fallout of a separate cyberattack.
On April 21, hackers accessed the city of Tulsa network and infiltrated the system with ransomware.
A ransomware attack is similar to what it sounds like: hackers access a system and then hold sensitive information or network capabilities hostage in exchange for payment.
Such attacks intentionally put decision-makers in a difficult position, forcing them to choose between paying off criminal actors and risking harm to public infrastructure.
To limit the damage and prevent personal data from being stolen, Tulsa responded this past week by shutting off large portions of its computer system indefinitely — mothballing everything from city computers to animal control while working to keep critical infrastructure, including Tulsa’s 911 system, operational.
So far, Tulsa’s efforts to mitigate fallout appear to be what most cybersecurity experts would call for in the circumstances.
But it will take weeks or months to assess the full fallout from the cyberattack and understand what vulnerabilities allowed the perpetrators to hack a major American city in the first place.
Indeed, as Congress mulls action to tighten cybersecurity restrictions — just weeks after President Biden installed a former NSA official as the nation’s first National Cyber Director — the attack on Tulsa underscores the need for public and private actors to reexamine their cybersecurity protections and implement response plans that can be followed in the event of a cyberattack.
From a legal perspective, there are at least three things that every business or governmental entity should do immediately to minimize the threat of cyberattacks.
First, all businesses and governmental actors should ensure that they understand how their network or website works and what sensitive information, if any, is accessible through it.
Understanding this can help inform what protections are needed and if any federal or state law requires that certain protections be taken. Particularly in light of recent changes in state data privacy laws across the county, businesses need to make sure that they and their vendors are complying with new and often misunderstood data security requirements.
Second, infrastructure operators — essentially any public or private entity which, like the city of Tulsa, performs important public functions — should assess whether existing government resources are available to help improve their cybersecurity.
The Cybersecurity and Infrastructure Security Agency (CISA), which was launched by President Trump in 2018, often performs cybersecurity audits free of charge and can help create custom plans to improve cybersecurity.
Additional resources are also available for certain industries. For example, water treatment plants can consult with the American Water Works Association about their cybersecurity needs and are now eligible for USDA-subsidized funds to improve cybersecurity for their monitoring systems.
Third, and critically, all businesses and government entities should have a cybersecurity response plan in place.
Such a response plan should help train employees on how to prevent, identify, and mitigate a cyberattack or data breach.
By keeping response plans up-to-date and practicing how to carry out the plan in real-life, businesses can help minimize the fallout from a cyber-attack and ensure that they are complying with all notification requirements.
The difference between recognizing a cyberattack within minutes versus hours can be significant.
And knowing when to involve authorities or regulators can help stave off allegations of a cover-up while building trust within the community, addressing vulnerabilities, and helping to raise awareness to prevent similar attacks.
While the cyberattack on Tulsa and the shutdown of the Colonial Pipeline are unfortunate and frustrating, they present a great opportunity to improve America’s cybersecurity.
Taking appropriate measures in response to these cyberattacks can help prevent future cyberattacks.
Anthony J. Hendricks and Jordan E.M. Sessler are attorneys with Crowe & Dunlevy, and members of the cybersecurity & data privacy practice group.