Two cyber attacks on Riverside’s fire and police department servers have hamstrung law enforcement in ways previously unknown to the public, including the possibility Riverside could permanently lose access to one of the state’s police computer networks if attacked again, a Dayton Daily News investigation found.
The ransomware cyber attacks in April and May — which have cost the city tens of thousands of dollars — shut down the police department’s records management system used to create and store investigative reports.
The attacks forced Riverside police officers to use a backup system on the Ohio Law Enforcement Gateway, a statewide computer database operated by the Ohio Attorney General’s Bureau of Criminal Investigation for local police departments. But four days after the Dayton Daily News revealed the May cyber attack hit the city, the AG’s office revoked the city’s access to the gateway to shield the network from damage and protect confidential information from exposure, a spokeswoman said.
The Dayton Daily News investigation found police not only lost the ability to access and print past reports — as acknowledged by police Chief Frank Robinson in public statements — but at one point lost the ability to make digital reports altogether. Losing the gateway forced officers to hand write reports and type incident narratives into Microsoft Word so that they could be scanned into the system once restored, an internal memo said.
By the time Robinson made his statement in July, the ability to make digital reports was resolved by getting the usual records system back up and running, he said. But the AG’s office had not then — and still has not now — fully restored access to the gateway network, meaning the department can’t fully use other gateway functions unmentioned by Robinson to the public.
The gateway “is our backup reporting system, the system we use to create photo lineups for investigations, how we enter evidence that needs to be processed at the BCI lab and the quickest way to obtain criminal history on suspects,” Major Matt Sturgeon wrote in a May 24 email to the fire chief and assistant city manager. “This is really hampering (our) effectiveness.”
“This is vital!” Sturgeon wrote nearly a month later.
In a memo to the chief this week after the Dayton Daily News brought its findings to the department, Sturgeon told the chief that the gateway’s loss has impacted operations, “but we have found the means to make due by other paths.”
Officers now use another computer program to create photo lineups, according to the memo. Instead of directly accessing criminal history on the gateway, officers now radio dispatch and wait to obtain the information. And instead of using the gateway to make state crime lab requests and receive finished lab reports, the department had to make handwritten lab requests. Until last month, officers had to pick up the completed reports at the state crime lab in Madison County.
“The loss in no way leaves our citizens vulnerable when they call for police services,” Sturgeon wrote in the memo.
Robinson reiterated this in an interview Tuesday: “I think the main thing we want to make sure people understand is that we are doing exactly what we should be doing every day to make sure the public is as safe as possible. There’s no slack in how we’re responding or prioritizing our calls or anything like that.”
The Dayton Daily News used Ohio’s public records laws to obtain more than 250 pages of internal city emails and memos. The newspaper’s examination and subsequent interviews also found:
• In order to protect the gateway, the AG’s office has a three-strike policy for agencies that fall victim to cyber attacks. The AG “does not have a remediation” to restore gateway access after a third strike. The attacks in April and May count as strikes No. 1 and No. 2, meaning if Riverside is hit again, the department will be “permanently blocked” from the gateway, unless the AG’s office is satisfied the issues are remedied.
• Agencies that use the gateway are required to notify the AG’s office of security breaches, but an AG spokeswoman said the state was not contacted about either ransomware attack. City Manager Mark Carpenter this week said he was “surprised” by the spokeswoman’s statement, because city staff had internal discussions about the need to alert the state. Assistant City Manager Chris Lohr later acknowledged Riverside “may have overlooked notifying” the AG.
• The AG’s office learned about the attacks through news reports and suspended Riverside’s gateway access on May 14 — four days after the Dayton Daily News revealed the second attack to the public and 10 days after Riverside’s computer network was compromised for the second time. Matthew Curtin, a Columbus-based cyber-security expert, applauded the AG’s office for yanking access, calling it “a pretty good example of how a provider of sensitive information governs access to its information.”
• Presently, one Riverside records clerk is authorized to access past reports on the gateway from computers in Huber Heights. The same day the Dayton Daily News reported the police department lost gateway access, the city manager emailed the police chief to “move quickly” to establish gateway access in Huber Heights. The limited access was granted on July 26, a day later.
• Riverside’s “data at rest” — essentially information stored on, but not in transit over, the police department’s network — uses “very basic controls with no encryption,” according to an email from Riverside’s IT contractor. Encryption uses a cipher, or code, to protect data and prohibit unauthorized parties from being able to read it.
Lohr, the assistant city manager, said the city is “considering” encrypting the data in coming months. He said paramedics transfer HIPAA-protected information over an encrypted connection to a web-based cloud program not hosted by the city.
Curtin, who founded Interhack Corp., called it a “bad practice” for any police department not to encrypt sensitive data.
“If you have sensitive information and you don’t protect it with anything more than a password, you are doing nothing to protect it from a number of attacks, including just stealing the thing,” said Curtin, a former Ohio State University computer science senior lecturer. “The fact that you have the password is irrelevant.”
City officials estimate gateway access could be fully restored in the next 30 to 90 days, once Riverside meets the stringent security guidelines dictated by the AG’s office.
“We have to take action, and we want to make sure we do it right,” Carpenter said this week.
“We’re looking to invest in some new equipment and building a more secure network,” Carpenter said. “In order to make the network secure, initial investment will be in the neighborhood of $50,000.”
Ransomware is a type of malware that encrypts, or locks, digital files and demands a ransom to release them, according to the FBI. Atlanta is among the largest municipal victims. Everyday users of computers can fall victim to malware, too.
“Readers should understand that cyber security is not an IT problem,” Curtin said. “The vast majority of the kind of problems we’re seeing right now come down to users being fooled into the wrong thing, including clicking on the wrong thing, going to websites that don’t make sense for them to go on, and generally doing things that are stupid.”
More local coverage:
The Dayton Daily News spent four weeks obtaining and reviewing hundreds of pages of internal city documents to investigate how two cyber attacks continue to hamper operations at the Riverside Police Department. Your newspaper subscription is an investment in public safety and transparent government.