St. Paul finds low-tech workarounds to keep city running through cyberattack response

Services in St. Paul plodded along at an analog pace Wednesday, as local officials worked for a fifth day to respond to a cyberattack that shut down or slowed many city systems.

Police responded to calls but sometimes used radios instead of laptops to communicate. Staffers at recreation centers and libraries posted signs on computers warning they wouldn’t connect to the internet. Online bill payment systems weren’t working, but the city said it would waive late fees.

And city leaders sought to reassure residents of Minnesota’s second largest city that their most critical services were still intact.

“To be crystal clear, there is absolutely no problem with our emergency response,” Police Chief Axel Henry said in a Wednesday afternoon news conference, where he and fire officials sought to dispel rumors and promised residents they would get a response if they called 911.

St. Paul officials have said they noticed signs of a cyberattack on Friday and shut down some systems in hopes of preventing its spread. It remained unclear Wednesday who was behind the attack, what data they were seeking and whether they obtained it.

“We don’t know at this point what the goal was of infiltrating the city system,” Henry said.

Mayor Melvin Carter has said the FBI is leading the investigation into the St. Paul attack. Alexandria Marsters, a spokesperson for the FBI’s Minneapolis division, said Wednesday that agents were “lending our investigative expertise” but had no further updates to share.

“The city of St. Paul did everything they could immediately, and was over the whole weekend working together,” Walz said, calling the city’s response “fantastic.”

“They basically closed all the doors and shut things down, and now it’s about walking back through all that,” he said.

Some cybersecurity experts say the attack in St. Paul highlights the vulnerability of cities, even after many of them have already bolstered their defenses against the increasingly common attacks.

“I think, in general, municipalities are most susceptible to cyberattacks because they are less technological and they have less budgets for technology” when compared to private corporations, said Nir Perry, founder of Cyberwrite, a New York-based company that helps insurance agencies quantify what municipalities might need to pay out during an attack.

Minnesota has taken steps to better track cybersecurity attacks.

Many state agencies were already required to disclose cybersecurity incidents, but there hadn’t been a clear path for other public entities to do so, said the bill’s author, Sen. Melissa Wiklund, DFL-Bloomington.

“We may not hear about cyber incidents every day, but we do know that cybersecurity actors are trying every day to get through protection measures,” Wiklund said Wednesday.

Logging the details of past incidents can help identify patterns in who was targeted and how breaches occurred, Wiklund said.

A multiday outage is fairly rare but “it certainly happens,” said Brian Huilman, department chair at Minneapolis College’s School of Information Technology. He noted that when an attack happens, people working in IT must quickly weigh the repercussions of shutting down systems against the risk that an attack might spread if they remain running.

“Believe me, there is a huge discussion that goes on in those situations because of the negative media attention, the damaging impact [on] the systems and services and everything else,” Huilman said. “But, they clearly thought this was the best approach to protecting things and being able to figure out and then mitigate what actually happened.”

Henry said that many electronic tools — including body cameras, parking meters and ticket writers — appeared to still be working Wednesday.

While acknowledging that some people could have trouble accessing wireless internet or that there could be some delays getting copies of police reports, Henry said that officers are trained to find ways to work around technology outages.

For example, Henry said officers spend one week training with their computer closed and instead sending messages out over the radio.

“It is like having a telephone and saying you can’t text right now. Well, then, you’ll just call me,” Henry said.