The recovery from the cyber attack on the City of New Orleans continues.
The breach happened six months ago, and while city leaders say they’re making progress and being transparent — WDSU Investigates has found, that transparency only goes so far.
On a hot summer day in June, new computers have arrived at city hall.
Part of an effort to replace and repair the system that was hacked late last year.
And that costs money – lots of it – over $7-million dollars.
The mayor says progress is being made daily.
WDSU Investigates obtained a break down of what’s being spent by city hall.
Some of it is very run of the mill:
More than $500,000 for “emergency forensics and secure network infrastructure.”
$780,000 for “network security, endpoint monitoring and email monitoring.”
And over $800,000 to “restore email functions.”
“We find ourself about 80% complete with our recovery effort,” said Kim LaGrue, the city’s head of Information Technology.
But when we drill down on the numbers and the contracts — WDSU Investigates learned there are some big ticket items — deals for $112,000, $60,000 and $50,000 that are marked as “redacted.”
No vendor listed or how that person or company was chosen.
The city is taking a stance that while it preaches transparency, it’s not a safe practice right now.
“Is there a reason why you all are not making some of the contractors public on your list?” asked WDSU’s Travers Mackel.
“Yes, yes – they speak directly to the level or type of security tools that we have purchased and that is highly confidential and to give that out would expose out security posture,” said LaGrue.
“Again, your concern is that if the company is identified then that points out a security vulnerability?” asked WDSU Investigates Executive Producer Chris Slaughter. “Yes, yes it does,” responded LaGrue.
The hack happened on her watch as head of IT.
She’s unapologetic about not disclosing how public money is being spent to keep the city safe.
And city records show that LaGrue’s department is set to spend $1 million to “replace legacy software” and another $880,000 on “networking devises for NOPD vehicles” — and she says, due to security, those vendors may not be disclosed publicly.
“The types of security vendors that we are engaging with — giving that information or releasing that information is a major security risk to us,” said LaGrue.
“I would be hesitant to put out that information,” said Bob Oster.
Oster is a cybersecurity expert with a company based in Harahan.
He says the city’s defense — of not releasing names of vendors and security software — though unconventional, is legitimate.
“That is a very fine line because of course you want to know who’s getting a million dollars of the city’s money – but so does a hacker,” said Oster.
“We don’t want to be that kind of vulnerable again,” said LaGrue.
The city tells us the system is not foolproof, and may never be.
LaGrue admits that in recent months there have been more attempts to hack the city servers. All of those attempts have failed.
Experts say no public government system ever is 100% safe.
“I tell my clients there is no such thing as 100%, but we have put together the best suite of products that we can put together that we hope work, and hopefully the city has done the same thing,” said Oster.
Because no matter how much money is spent on upgrades, new technology and security, it’s an uphill battle for public government entities to stay safe.
“As far as I know, the bad guys are still winning, because it’s very difficult to track them down,” said Oster.
The city had a $3 million insurance policy to cover the cost of the work on the system at city hall.