Columbus City Council Invests in Cybersecurity with Zero Trust Network
In a decisive move to bolster its cybersecurity infrastructure, the Columbus City Council voted on Monday to fund a "zero trust network." This initiative comes nearly a year after a devastating ransomware attack crippled the city’s operations, highlighting the urgent need for enhanced digital security measures.
The Zero Trust Network Framework
The ordinance approved by the council outlines a significant investment of $23 million aimed at modernizing the city’s IT infrastructure. The zero trust network employs advanced security measures, including micro-segmentation and continuous identity verification, to mitigate cyber risks. This approach adheres to the principle of “never trust, always verify,” ensuring that access is strictly controlled and monitored.
Councilmember Nick Bankston emphasized the importance of this investment, describing it as a transformative step for the city. He noted that the project will impact over 20,000 pieces of equipment across city offices and data centers, reinforcing the city’s commitment to safeguarding residents’ information and maintaining secure services.
Addressing Evolving Cyber Threats
Jennifer Fening, Deputy Chief of Staff to Mayor Andrew Ginther, highlighted the necessity of investing in cybersecurity infrastructure at all levels of government. She pointed out that cyber threats are continuously evolving and becoming more sophisticated. The zero trust network framework, developed by cybersecurity experts, is designed to adapt to these changing threats, providing a robust defense against potential breaches.
Fening indicated that the full implementation of the system could take up to two years, with initial efforts focusing on the city’s core network and largest facilities before expanding to other locations.
How the Zero Trust Network Works
Cisco, a leading tech company, describes the zero trust network as utilizing "microperimeters" to protect specific assets, such as data, applications, and services. This means that even if a user gains access to one part of the system, they cannot automatically access other sections. The system requires users to authenticate themselves based on various parameters, including device, location, time stamp, recent activity, and the nature of the request. This layered approach significantly reduces the risk of unauthorized access.
Fening explained that the city’s cyber network will be structured into micro segments aligned with organizational units, such as departments or workgroups. This design limits unnecessary network traffic between segments and prevents unauthorized movement, further enhancing security.
Lessons from the Past Cyber Attack
The decision to invest in a zero trust network follows a significant cyber attack last year by the criminal group Rhysida, which forced the city to shut down most of its systems. The aftermath of the attack was severe, with personal information of thousands of residents, employees, and visitors leaked online, including sensitive data such as driver’s licenses and social security numbers.
A whistleblower brought attention to the data leak, which included the names of undercover police officers and other confidential information. The city faced backlash for initially downplaying the incident, and it is currently dealing with multiple lawsuits from victims of the breach.
Moving Forward with Transparency
Columbus’ Department of Technology is set to begin implementing the zero trust network with the city’s core infrastructure, gradually expanding to other facilities. The city has committed to releasing a report detailing the effects of the cyber attack, although a timeline for this report has not been provided.
In the wake of the attack, the city also paid $7 million to the law firm Dinsmore & Shohl for forensic analysis and to develop a comprehensive report on the incident. Bankston assured that the city would share relevant information about the cyber attack when appropriate, reinforcing the commitment to transparency and accountability.
Conclusion
The Columbus City Council’s investment in a zero trust network represents a proactive step toward securing the city’s digital landscape. As cyber threats continue to evolve, this initiative aims to protect residents and ensure the integrity of city services. By adopting industry best practices and standards, Columbus is taking significant strides to safeguard its information and infrastructure against future cyber attacks.