Dave Scott

Akron faces a deadline to restore its website to full functionality so it can collect the next round of income taxes from city employers.

More than two weeks after the May 16 attack, the city is still inspecting computer code to fix vulnerabilities.

During those repairs, much of the site is disabled, preventing access to the police crime-tips page, community-events pages and news releases for city administration and the police and fire departments.

The tax page is the center of attention.

Richard Schmahl, the city’s chief information officer, said the site is down not because of vandalism but so the applications can be fixed, and investigators, including the FBI, can scrutinize them.

A Turkish group penetrated the site, posted a political message and took data with names, address and Social Security numbers and put them on a public site. That site has been taken down.

“We disabled this stuff,” Schmahl said of the city website. “Until we can get these Web apps written so that they can’t be penetrated again, we didn’t want to leave these Web apps up and running. We just shut them down to make sure nobody could get back in again.”

The attack came one day after employers made their May fund transfers for income taxes. That service also remains down, but the city is not hurting because most of those transactions will come in the last few days before the next deadline, June 15.

“People don’t pay their taxes until the last minute,” Schmahl said.

So far, Schmahl said, the city is making most of the fixes with the aid of its own employees, some of whom are being paid to work overtime. He said a decision will be made soon about whether to hire outside help.

Before the website is brought online, an outside company will be asked to perform “penetration tests” to see if any vulnerabilities remain.

Schmahl did not know when penetration tests last were done. There have been none since he was named the city’s first chief information officer, Dec. 1, he said.

“They should be done on a regular basis, but they are expensive,” Schmahl said of the tests. “It’s not a cheap thing to have done. Again, you try to just have your business model where you ask, ‘What are your chances of attack versus what you want to spend?’ You can never have everything safe. No matter how many locks you put on your door, there’s a window somebody can crawl through.”

The city’s next tests will come after the current upgrades are finished, he said.

“I’d like to get [upgrades] done maybe a week before the 15th so we can get the pen[etration] test done.” Schmahl said.

When that is finished, the city will resume plans for a new website sometime this year.

The city still experiences Internet attacks daily.

Schmahl said it’s hard to express how many.

“Tons, tons. And if you saw how many hits we get on our website and in our firewall and intrusion detection and all the stuff we are stopping already, after a while, it’s truly like people crying wolf all the time,” he said. “You don’t want to admit it, but it does make you complacent at times.”

Dave Scott can be reached at 330-996-3577 or davescott@thebeaconjournal.com. Follow Scott on Twitter at Davescottofakro.