Update: Lee Haller, who served as director of Pittsburgh’s Department of Innovation and Performance since December 2016, resigned on Aug. 3, 2018, for a job in the private sector.
With numerous warnings of the financial, public safety and privacy threats that hackers pose to local governments, Pittsburgh officials purposefully give residents little insight on the city’s security flaws.
Except Pittsburgh spilled its own secrets.
In a report touted by Mayor Bill Peduto as foundational to his plans to overhaul city technology, several portions focusing on supposedly sensitive cybersecurity information have blue bars placed over them, intended to render the text unreadable.
Yet the very document stressing the importance of security is itself insecure.
A PublicSource reporter simply copied and pasted what the city attempted to redact and later determined that off-the-shelf software to view PDF files could actually remove the city’s blue redaction bars.
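The failure described above, as an added example that is not part of the PublicSource article: a stdlib-only Python script that builds a constructed one-page PDF whose "redaction" is a blue bar painted over the text, shows that text extraction still returns the covered string, and implements the pre-release check a publisher could run (flag any text whose origin sits inside a filled rectangle drawn after it). The regexes assume the simple uncompressed `Td`/`Tj` and `re f` operators this sample emits; the sample address is made up.

```python
import re

# Constructed sample: text object first, then a blue bar painted on top (overlay "redaction").
# With remove_text=True the text object is dropped and only the bar remains, as a real redaction leaves it.
def build_sample_pdf(secret: str, x: float, y: float, remove_text: bool = False) -> bytes:
    bar = f"0 0 1 rg {x - 2} {y - 3} {6 * len(secret) + 4} 14 re f\n"
    text = "" if remove_text else f"BT /F1 12 Tf {x} {y} Td ({secret}) Tj ET\n"
    content = (text + bar).encode()  # drawing order: text, then the bar covering it
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out

STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)endstream", re.S)
TEXT_RE = re.compile(rb"([-\d.]+) ([-\d.]+) Td \((.*?)\) Tj")  # text placed with Td, drawn with Tj
RECT_RE = re.compile(rb"([-\d.]+) ([-\d.]+) ([-\d.]+) ([-\d.]+) re\s+f")  # filled rectangle x y w h

def extract_text(pdf: bytes) -> list:
    """What select-all/copy hands a reader: every string the content streams draw, bars or not."""
    return [m.group(3).decode() for s in STREAM_RE.findall(pdf) for m in TEXT_RE.finditer(s)]

def find_text_under_bars(pdf: bytes) -> list:
    """Pre-release check: text whose origin lies inside a rectangle filled later in the same stream."""
    leaks = []
    for stream in STREAM_RE.findall(pdf):
        for m in TEXT_RE.finditer(stream):
            tx, ty = float(m.group(1)), float(m.group(2))
            for r in RECT_RE.finditer(stream, m.end()):  # only shapes drawn after the text can cover it
                rx, ry, rw, rh = (float(v) for v in r.groups())
                if rx <= tx <= rx + rw and ry <= ty <= ry + rh:
                    leaks.append(m.group(3).decode())
                    break
    return leaks

if __name__ == "__main__":
    leaky = build_sample_pdf("DR SITE: 123 Example St", 72, 700)
    print("copy/paste yields:", extract_text(leaky), "| flagged:", find_text_under_bars(leaky))
```

A non-empty result from `find_text_under_bars` means the bar is cosmetic; the text object must be removed (or the page rasterised) before release.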
Pittsburgh Communication Analyst Keyva Clark said the city has no comment on the fact that it disclosed its own sensitive information. But she asked that PublicSource be careful in its reporting.
“We understand that you were able to read this report in its entirety,” Clark said. “We would hope that you would not publish anything that would cause any risk or danger.”
The city did not inform PublicSource of any specific risks.
Municipal data — which can include financial information and confidential public safety data — can be lucrative for hackers. And attacks can cause governments to come to a grinding halt, as they have recently in Atlanta and Allentown, Pa.
What appears to be the most sensitive information easily uncloaked is the location of the city’s main data center as well as the disaster recovery site where vital data is backed up in case the main center is hacked or physically destroyed.
“I absolutely would have fought tooth and nail to redact that,” said Howard Stern, who served as the city’s technology director until January 2012.
“Say someone, a bad guy or a terrorist, really wanted to destroy the city’s data...” said Stern. “If they knew where they were, they could destroy it.”
PublicSource is not publishing the location of the recovery site. We are reporting other redacted information that speaks to general vulnerabilities the city knew about for more than a year.
And most of what Pittsburgh attempted to conceal with blue bars is fairly vague, too. Generally speaking, Deloitte found that Pittsburgh’s plans for dealing with catastrophic data failure and communications about security across departments were lacking. No detailed technical vulnerabilities were discussed.
Some decisions appear arbitrary. One portion of the report, criticizing Pittsburgh’s physical security of its data center, is redacted in one place and printed without redaction elsewhere. So why redact at all?
Pennsylvania’s Right-to-Know Law allows public agencies to redact information from public documents if they meet certain criteria, generally focused on public safety and privacy (though agencies can still decide to release the information).
PublicSource filed a Right-to-Know request for the report after being told it was not yet public. The response from the city included a letter explaining that redacted portions of the report “highlights specific weaknesses in our security infrastructure.”
The letter then cites two exemptions provided by the Right-to-Know Law as its reasoning.
Melissa Melewsky, media law counsel for the Pennsylvania Newsmedia Association, explained that state courts and Pennsylvania’s Office of Open Records tend to grant leeway to agencies that claim disclosures could harm public safety.
And if a document points out a weakness in a particular facility, then an agency can reasonably use the law’s exemptions to guard the information, Melewsky said. But there is no mandate that the information be shielded from the public.
“Without the public knowing there’s a weakness, there may not be an incentive to fix the weakness,” Melewsky said.
Lee Haller, director of Pittsburgh’s Department of Innovation and Performance, said the city is “constantly evolving the tools” to minimize the city’s risks. His department also directly responded to information learned from the March 2018 Atlanta attack to try to make Pittsburgh a less likely target.
It is unclear if Pittsburgh has remediated the weaknesses outlined in Deloitte’s report. Haller declined to discuss the lessons learned in the report or efforts to address known security flaws.
J. Dale Shoemaker contributed to this report.
This story was fact-checked by Mary Niederberger.
This story appears as a part of Open Data PGH, a joint reporting project by PublicSource and Technical.ly on open data trends in Pittsburgh.