Clickability tracking pixel

Annapolis, Md., System Nearly Repaired After Cyberissues

The city’s 12-year-old licensing and permitting system was taken offline after suspicious sites were discovered on the server. The ongoing repairs come at a time when the city is looking to replace the system altogether.

by Brooks Dubose, The Capital / November 16, 2020
Annapolis, Maryland Shutterstock/Sean Pavone

(TNS) — Annapolis' license and permitting system, eTrakit, could be back up and running as soon as this week. The company selected to replace the program has a history of working with the city and dealing with cybersecurity issues, most recently battling a ransomware attack that did not compromise city systems.

"Not to jinx me, but we are testing it now. It seems to be working and could be ready next week," said Planning and Zoning Director Sally Nash, of the eTrakit system that contains all of the city's permits, inspections, licenses and other documents about development projects.

The 12-year-old program has been shut down for almost two months after suspicious sites were discovered on its server, managed by Central Square. The program has been offline ever since. As a stopgap, the city has provided a rudimentary website to view the status of permits.

Meanwhile, the company tapped to replace eTrakit, Tyler Technologies, has had problems of its own. In late September, the Texas-based company was hit by a ransomware attack, a form of malicious software used to infect a computer system in exchange for money. Hackers hit Baltimore with a massive ransomware attack in May 2019.

Tyler Technologies provides software to state, county and municipal governments across the country.

The ransomware attack "was solely directed at our internal corporate network and phone systems — not Tyler client systems. The environment where we host software for our clients is separate from our internal corporate environment and was not impacted by the security incident," Tyler spokesperson Nina Minney said in an email.

City Manager David Jarrell announced last month that Tyler would replace eTrakit with a new service next year. It already provides Annapolis with financial planning and cybersecurity services, and the city is implementing a time entry and management software from the company, Jarrell said.

The platform, known as EnerGov, uses geo-location data and mobile apps to help the city automate permit processing and regulate land development activities such as site plan reviews, permit issuance, inspections, and code enforcement cases, Minney said.

Despite the ransomware incident, Jarrell said, "We are comfortable that Tyler was transparent about how they handled the unfortunate incident, and that at no time was the city's data in jeopardy. We immediately disabled remote access from Tyler to our servers and changed all passwords that may have been known or stored by Tyler, just to be on the safe side."

The company also provided daily updates about its recovery efforts, he said.

The new system is expected to take six to eight months to install and cost $520,000. The city is shifting money from police and fire department salaries and benefits and then filling in that money with federal coronavirus aid funding to pay for the system. The U.S. Treasury Department approved the tactic as legal use of dollars from the Coronavirus Aid, Relief and Economic Security Act, Jarrell said.

The city could have paid for the eTrakit replacement directly without the budget gymnastics, Jarrell said, but a Dec. 30 deadline imposed by the Trump administration to spend all CARES money has forced municipalities nationwide to get creative.

Some residents have worried that personal information may have been compromised on eTrakit, but that's not the case, Jarrell said.

"No, eTrakit is simply a front-end web server that retrieves the requested information from the Trakit database and displays it," he said. "The attackers did not gain administrative privileges to the server, and the server is strictly segregated from the internal city network. Furthermore, we do not accept online payments through eTrakit, so there is no customer information to steal."

Cybercrimes are typically reported to the FBI's Internet Crime Complaint Center, but because the eTrakit server's attack was superficial in that it did not penetrate the city's network, it wasn't necessary, Jarrell said.

The suspicious sites were for offshore betting and illegal sports streaming, he said, adding that to his knowledge Central Square hadn't approached federal law enforcement about the attack, "but we have not asked them this directly."

A request for comment from Central Square was not returned. The company has previously declined to comment for "security and confidentiality reasons."

©2020 The Capital, Distributed by Tribune Content Agency, LLC.

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.

E.REPUBLIC Platforms & Programs