Columbus City Council voted Monday to fund a "zero trust network" to help the city prevent future cyber attacks, one year after a ransomware attack crippled the city.
The ordinance on Monday's agenda said the city wants to use the system to strengthen cybersecurity and modernize its IT infrastructure with a $23 million investment. The system employs micro-segmentation, continuous identity verification and other advanced security measures to reduce cyber risks by limiting access and exposure, following the principle of “never trust, always verify.”
Prior to the vote, Columbus City Councilmember Nick Bankston said that investing in this tool is a huge undertaking and will help the city adopt a "best practice and standard" in the cybersecurity industry.
"[T]his is transformational for our city," Bankston said.
Bankston also said the project will touch over 20,000 different pieces of equipment around city offices and at the city's two data centers. He said the city is taking responsible, proactive steps to ensure that residents can trust their local government to keep their information safe and services running securely.
Columbus Mayor Andrew Ginther's Deputy Chief of Staff Jennifer Fening said in an emailed statement the city is investing in its cybersecurity infrastructure at the federal, state and local governmental entities, including the City of Columbus.
"These threats are constantly evolving and increasing in sophistication. Cybersecurity experts and researchers have developed the Zero Trust Network framework to adapt to these threats," Fening said.
Fening said it could take two years to fully implement the system citywide.
Tech company Cisco describes the tool as using "microperimeters" to surround specific assets, such as data, applications and services. This means if a user accesses one part of the system, they can't automatically access every other section.
The tool makes users authenticate themselves not just by user identity, but also by parameters such as device, location, time stamp, recent activity and description of the request.
Cisco's website says this prevents any potential attackers from gaining access to the entire network if they do penetrate any cyber defenses.
Fening said a Zero Trust Network assumes that threats can exist both inside and outside the network.
Fening said with the city's cyber network, its "micro segments" will typically be aligned with organizational units such as departments or workgroups and are intended to limit unnecessary network traffic between segments and are designed to prevent unauthorized movement between segments.
Fening also said since the cyber attack last year, the city’s IT systems have been restored.
This investment comes nearly one year after the city suffered a cyber attack by the cyber criminal group Rhysida. The city shut down most of its systems in response to the attack, taking months to get everything back online.
While Ginther said otherwise at first, personal information of thousands of city residents, employees and visitors leaked to the dark web. A whistleblower alerted news media to the leak, which included driver's licenses, social security numbers and addresses.
Names of undercover police officers and other sensitive information was also found online.
The city later silenced the whistleblower and cybersecurity expert, Connor Goodwolf, with a temporary restraining order before coming to an agreement with him that prevents him sharing anything that has personal identifiable information such as social security numbers, driver's license numbers, bank account information and other sensitive information. He's also not banned from disseminating any data from the city's crime databases.
The city is facing multiple lawsuits from alleged victims of the cyber attack.
Columbus' Department of Technology would start implementing this with the city's core network and largest facilities and later expand it to other buildings over time.
The city stated in the past it plans to release a report detailing the effects of the cyber attack. Goodwolf also said he plans to release a report of his own and a tool that allows people to see what information leaked to the dark web.
Fening did not say when this report would be released.
The city paid $7 million to the law firm Dinsmore & Shohl to conduct forensic analysis and develop a report about the hack.
Bankston said in a statement before the vote that the city will share information on the cyber attack when appropriate. No other councilmembers commented on the legislation Monday evening.
"[W]hat we can say is this: we’re taking action to make sure our systems — and our residents — are protected against the evolving threat landscape going forward," Bankston said.
