The city of Cleveland, which has already fallen victim to destructive cyberattacks twice in the past year, received sharp condemnation from the Ohio State Auditor for failing to implement even basic cybersecurity measures. In a letter sent to Mayor Justin Bibb, the city council, and the audit committee, Ohio State Auditor Fabian Dalfın harshly criticized systematic deficiencies in the city's digital infrastructure security, pointing out gaps that leave Cleveland vulnerable to further attacks.
This year's cyberattack paralyzed the operations of the Cleveland Municipal Court and the Housing Court, forcing them to suspend activities temporarily. Just a year prior, another cyberattack led to the closure of the city hall, disrupting the city’s daily functions. According to experts, these incidents are not merely technical failures but evidence of a deeply ingrained indifference to cybersecurity in city management.
"The city has an official cybersecurity policy, but its execution has been inconsistent and chaotic," — Dalfın wrote in his report obtained by The New York Times. He emphasized that Cleveland not only fails to regularly review security reports but also has not implemented multi-factor authentication (MFA) in key structures such as the municipal court and the Department of Utilities. MFA, which requires users to verify their identity through multiple methods to access systems, has long been regarded as a standard security measure, similar to seat belts in cars, as noted by Alex Harmston, Director of Consulting Solutions at Trusted Sec.
"It’s shocking that in 2025, a major American city does not use MFA," — Harmston told The New York Times. "This is not just an oversight — it’s a systemic failure that puts citizens' data at risk, as they are required to interact with these systems without alternatives."
The audit report also called for the creation of a mandatory cybersecurity training program for all users of municipal networks, citing the lack of preparedness as a critical vulnerability. "The city must act immediately to prevent another catastrophe," — Dalfın emphasized, adding that the current state of affairs is "unacceptable" for a city of Cleveland's scale.
The city's response was restrained. A city hall spokesperson stated that Cleveland is "reviewing the report" and collaborating with state agencies to improve its practices. The municipal court, in turn, promised to provide a response by Friday but refused to comment on camera. Such restraint only heightened concerns about how seriously the city is taking the crisis.
Experts warn that Cleveland is not an exception but rather a symptom of a broader problem in municipal management across the country. "The public sector often lags behind the private sector in cybersecurity, but the stakes here are much higher," — Harmston noted. "Citizens cannot simply stop providing their personal data to the city as they might refuse a service from a private company."
As Cleveland prepares for the next round of reforms, the question remains open: can the city overcome its shortcomings before the next cyberattack causes even greater damage? For a community that relies on the stability of municipal services, the answer to this question is not only a matter of technology but also of trust.
