Let's see... You hire a computer security company to find out if you have security issues, they find out that you do and that they are pretty egregious. What do you do? If you are Los Angeles, this - from Info Security Magazine:
Los Angeles Utility Accused of Cybersecurity Coverup
The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.
The allegations were made by Ardent Cyber Solutions LLC, a company hired by the Department of Water and Power (DWP) in April 2019 to perform cybersecurity work.
In a 10-page claim filed against the city earlier this year, Ardent states that it uncovered an "extremely high number of unpatched vulnerabilities" in the company's "corporate IT network."
Please note here: An unpatched vulnerability is a situation where the IT Vendor has become aware of a security issue either through their own testing or through a customer complaint. They have located the issue and developed a repair for the issue and have notified all of their other customers so that they can update their own systems. Doing this requires some level of awareness of the customer's (City of L.A. in this case) IT staff and a bit of proactive accountability on their part.
According to Ardent, DWP board president Mel Levine and DWP’s senior executives were informed of the security issues by email on August 12, 2019. But rather than address the issues, Levine, the DWP, and city officials made “false statements and failed to disclose material facts” in a bid to cover them up.
In the claim, Ardent states that city officials and DWP staff "acted to conceal these facts from federal and state regulators, bond rating agencies, purchasers of municipal securities issued by the LADWP and the public at large."
It is further alleged that Los Angeles mayor Eric Garcetti personally ordered the cancellation of Ardent's DWP contract on August 12, 2019, as a “retaliatory measure” after the company alerted officials to the utility's cybersecurity problems.
And this is not the first time with the Department of Water and Power:
The DWP headquarters were raided by the FBI in August last year as part of a probe into the city's handling of litigation that sprung from the bungled rollout of a new DWP billing system. No one was arrested or charged in connection with the raid.
No accountability, unelected bureaucrats in charge of the administration, culture of corruption. Sounds like a wonderful place to work... Tip of the hat to Computer Security guru Bruce Schneier for the link.
Leave a comment