Baltimore still isn’t able to provide basic city services two weeks after a powerful ransomware attack. And a full recovery may take months, Mayor Bernard C. “Jack” Young says.
The damage includes police surveillance cameras that are shut down and utilities payment systems that were forced offline. Broad phone and email outages are also forcing city workers to do what work they can with personal laptops and email accounts, Ars Technica’s Sean Gallagher reports.
Baltimore’s real estate market was effectively shut down for two weeks, leaving people unable to buy or sell homes before the city developed a paper-based workaround Tuesday, the Baltimore Sun’s Ian Duncan reports.
The Baltimore damage highlights the far-reaching consequences of ransomware — which hackers use to lock up a victim’s computer systems and data and demand a hefty fine to release them — on U.S. cities and the costs to American citizens.
It also raises the specter of how outdated city computer systems are vulnerable to even worse attacks. One of the greatest fears is that ransomware could affect emergency services -- including, say, crippling police and ambulances -- and endangering public safety. While those services were unaffected in the recent Baltimore attack, the city knows it’s vulnerable because it's been hit before. A ransomware attack in 2018 shut down for several hours an automated system Baltimore emergency workers use to locate people who call 911 and pinpoint the nearest police car or ambulance.
It's a major problem across the U.S. There have been more than 170 ransomware attacks that hit state and local governments since 2013, according to the research firm Recorded Future. And once ransomware attackers realize they’ve compromised a city, they often “take advantage of the fact by targeting the most sensitive or valuable data to encrypt,” the Recorded Future report states.
And there's a big financial cost no matter which direction city leaders choose. It's expensive either to pay the ransom, or stand up to them and deal with the eventual damage. Baltimore has been tight-lipped about how the attack occurred because the FBI is investigating it. But officials did say they refused to pay the ransom, which totaled about $100,000 in bitcoin.
In the best-known case, a ransomware attack against Atlanta — which prosecutors pinned on Iranian government-linked hackers — cost that city’s taxpayers more than $9 million. The attack shut down online city services, required police and courts to file paperwork by hand and forced the city to halt court proceedings for anyone who wasn't already in jail.
The FBI now says it “doesn’t support paying a ransom.” But that guidance came out following a backlash after a top official acknowledged the bureau sometimes did suggest companies pay if there was no better way to unlock their systems. According to Recorded Future, 17 percent of cities attacked with ransomware pay the ransom.
Cities are especially vulnerable to digital attacks because their IT systems tend to be older and more complex than those of private-sector organizations. And they’re often struggling with tight budgets that result in too few staff charged with keeping those systems secure.
Things are especially bad in Baltimore.
“According to a 2018 strategy document, Baltimore spends about half of what other cities budget for IT, and the Office of Information Technology only controls about 1 percent of the total budget,” Sean reported. The city also burned through four IT chiefs who were all fired or forced to resign within five years before Chief Information Officer Frank Johnson took the helm in 2017, Sean reported.
Cybersecurity experts were quick to point out how that shortsighted IT management may cost the city a lot of pain in the future.
Here’s the Center for Democracy and Technology’s Maurice Turner:
Gov math is funny: won’t budget $ for prevention but always find $$$ for recovery.— Maurice Turner (@TypeMRT) May 20, 2019
Worst part is “many city workers have had to resort to using their own laptops w/o a connection to city networks, as well as personal e-mail & cell phones”.
So secure 🙄https://t.co/v4ce0JvT5v
And former NSA hacker Jake Williams:
There are some serious problems with Baltimore's DR plan. It's obvious that investment was missing across city infrastructure before the ransomware attack. What is it going to take to get municipalities to pay attention?https://t.co/lQjD2iohSh— Jake Williams (@MalwareJake) May 20, 2019
Some cities are trying to hedge against ransomware attacks by buying insurance that pays out in the event of cyberattacks. Baltimore, however, lacks that coverage, Sean reported. “So the cost of cleaning up … will be borne entirely by Baltimore's citizens.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Trump administration is considering blacklisting another Chinese company from U.S. markets over digital spying concerns, my colleague David J. Lynch reports.
The possible move against Hikvision, the world’s largest maker of video surveillance technology, comes less than a week after the Commerce Department added the Chinese telecom Huawei to a list that will restrict U.S. companies from selling it software or components. Commerce later granted companies a 90-day reprieve to finish up business with Huawei. “Hikvision supplies surveillance cameras that the Chinese government has deployed throughout the Muslim-majority Xinjiang region to combat what it describes as separatist terrorism,” David reported.
The company was among five Chinese firms Congress banned from selling to the government in a defense policy bill last year citing national security concerns. The others were: Huawei, ZTE, Hytera and Dahua.
Huawei, meanwhile, is taking its case to European governments and describing the United States as a bully, the Wall Street Journal’s Emre Peker and Dan Strumpf report. “Now it is happening to Huawei. Tomorrow it can happen to any other international company. This is dangerous,” Huawei’s Vice President for the European Region Abraham Liu told reporters in Brussels, according to the report.
European governments may be receptive. They have a history of pushing back on U.S. pressure where Huawei is concerned and have been especially resistant to U.S. pleas to ban the telecom from their next-generation 5G wireless networks. “Europe, along with the Middle East and Africa, generated 28 percent of Huawei’s $107 billion in revenue last year and was the company’s fastest-growing region,” the Journal reported.
“European telecom companies — which have used Huawei gear in their networks and often also sell Huawei smartphones — have so far stuck by the company. Vodafone Group PLC and BT Group PLC, two big U.K. carriers, have publicly said they want to continue using Huawei gear in their 5G networks,” according to the report.
PATCHED: The lack of diversity among government cybersecurity workers could lead to groupthink and not spotting new threats, Rep. Cedric Richmond (D-La.) said Tuesday.
During the opening of a hearing by the House Homeland Security Committee's cybersecurity subcommittee, which he chairs, Richmond cited studies that found just 11 percent of the cybersecurity workforce is female and less than 15 percent is African American or Hispanic.
“My concern is that having such a homogenous workforce could lead to blind spots and, potentially, intelligence failures — particularly for federal agencies like the Department of Homeland Security,” Richmond said.
He also criticized the Trump administration for producing an executive order focused on enlarging the cybersecurity workforce this month without making explicit efforts to improve its diversity.
"Officials reportedly explained that they ‘hoped diversity would be a natural byproduct’ of the order,” he said. “This is exactly the type of thinking we cannot afford to have if we are serious about reversing trends.”
PWNED: A federal judge is allowing to move forward a lawsuit challenging Georgia’s outdated voting machines and demanding that hand-marked paper ballots be used across the state, the Associated Press’s Kate Brumback reported Tuesday.
“The lawsuit argues that the paperless touchscreen voting machines Georgia has used since 2002 are unsecure, vulnerable to hacking and unable to be audited,” Brumback reported.
“The state’s voting system drew national scrutiny during last year’s midterm election in which Brian Kemp, a Republican who was the state’s chief election officer at the time, narrowly defeated Democrat Stacey Abrams to become Georgia’s governor,” the report notes.
Since the election, Georgia approved a new set of voting machines statewide that include a paper record but aren’t marked by hand.
Here’s more on the case from election security reporter Kim Zetter.
The plaintiffs assert that the state's continued use of paperless DRE— Kim Zetter (@KimZetter) May 21, 2019
machines is an undue burden on their fundamental
right to vote in violation of their constitutional rights to due process and equal
protection. Here's the ruling and opinion: https://t.co/0vRZt6PMjO pic.twitter.com/wFzk93rlX0
Cybersecurity news from the public sector:
Cybersecurity news from the private sector: