Saint John should share details of ransomware attack, cybersecurity expert says
Public shouldn't be 'kept in the dark' about extent and impact of damage, cybersecurity expert says
More than two weeks after a ransomware attack caused the City of Saint John to shut down its online systems, the city is still not sharing any details about how the attack happened, which systems were targeted, what information was possibly compromised and what exactly it's doing to respond.
At Monday night's council meeting, city manager John Collin said the city "will not provide details that inform the criminals who attacked us on their effectiveness or lack thereof."
"Nor will we comment on our strengths or limited vulnerabilities, since we have no intention to provide a roadmap to any future attackers or scammers," Collin said.
A ransomware attack on Nov. 13 forced the city to take its network offline. That allowed it to "isolate [its] networks from the outside world and to contain and then eradicate the virus," Collin said.
Collin said he expects a return to normal within the coming weeks, but noted "we will not reactivate any of our network or reconnect to the outside world until we are sure that it is safe to do so."
In the meantime, Collin said, the city will provide information "that is important to our community," including impact to services and whether any private data was compromised.
He said the city has not confirmed any personal data leaks, but it hasn't made a final determination on that. Residents are advised to watch for any irregular activity on their bank accounts and credit card statements in the meantime.
Ali Dehghantanha, a cybersecurity expert at the University of Guelph, said he doesn't believe that releasing more information about the attack would tip off attackers.
Dehghantanha said it's likely the attackers know what information they're holding hostage.
He said there's benefit in telling the public what information could be out there, and giving guidance about changing passwords and other precautions.
I don't like that we, people, the public, are being kept in the dark, because there could be a lot of help we can offer.- Ali Dehghantanha, cybersecurity expert
Dehghantanha said he's seen other cities in similar situations share more information.
"I don't think releasing the reasons they believe people need to check their banking information would cause any harm," he said. "They need to tell us."
The city should also explain what other information is at risk, he said.
"What about other private information that usually is not protected as much as bank information?"
Not sharing information publicly also means the cybersecurity community can't help as much as it potentially could, Dehghantanha said.
"I don't like that we, people, the public, are being kept in the dark, because there could be a lot of help we can offer."
The city is using a gmail address to communicate with media, and many city employees still don't have access to email or phones. This includes the Saint John Police Force, whose spokesperson Jim Hennessy declined to comment on the attack other than to say police and fire are responding normally.
The city said that because of the network shutdown, its website, some phone lines, email and online payments are not working.
It's not clear whether some or all of these services are offline because the city shut down its network or because they were directly affected by the attack.
No legal obligation to share details
Collin said the cyberattack is being investigated by police, but did not specify which police force.
University of New Brunswick cybersecurity expert Dr. Ali Ghorbani said the city is under no legal obligation to share any details about the attack, except personal data leaks.
He said organizations affected by ransomware should not disclose information that exposes the major vulnerability or weakness that created this problem, how the attack happened, and what technology was used to to make the attack successful.
"So as long as they stay away from disclosing their infrastructure problems and ... the complexity of what has happened, the rest of the information, I think, should be communicated to those who have been affected."
Ghorbani said the longer the shutdown goes on, the more difficult it will be to bounce back from the attack.