The Washington Post

Opinion: The Baltimore ransomware attack could be coming to your city — or hospital


Tyler Moore is the Tandy associate professor of cybersecurity at the University of Tulsa.

It is tempting to view cybercriminals as extremely clever, capable of breaking through the strongest defenses put in front of them. The reality is that they often aren’t, if for no other reason than they don’t need to be.

The May 7 ransomware attack that has paralyzed Baltimore’s city government for much of this month is a case in point. It is true, as the New York Times reported May 25, that the attack used a hacking tool developed by the National Security Agency that is now being exploited by criminals and state actors. Nonetheless, basic cyber-hygiene, were it in place, could have greatly limited the damage in Baltimore or stopped the attack altogether. The ransomware, called RobinHood, worked only because city computers had not applied freely available software patches and were operating without effective backups.

Despite the preventable nature of the attack, the costs to Baltimore are very real and continue to mount. Essential city services, from obtaining permits to closing home sales, have been unavailable. The problem has frustrated Baltimore residents and inhibited commerce.

The concept of ransomware is not new, going back at least to 2006, yet it did not become pervasive until a reliable and relatively anonymous form of online payment became available to cybercriminals in recent years. It turns out cryptocurrencies, most notably bitcoin, are well-suited to the task. Criminals can unilaterally establish accounts for receiving extortion payments, bypassing the traditional financial system and making it much harder for law enforcement to deter attacks and catch perpetrators.

Early ransomware attacks targeted individual consumers, but cybercriminals quickly realized that greater riches could be had by targeting organizations. That echoes the evolution of phishing attacks, which began by stealing bank credentials from consumers but have since shifted largely toward “business-email compromise” in which employees in charge of business accounts are tricked into transferring tens — even hundreds — of thousands of dollars at once. The FBI reports $1.2 billion in adjusted losses from such attacks in 2018 alone.

Ransomware attacks tend to select victims that rely heavily on information-technology resources, have relatively weak operational cybersecurity practices and have the means to pay substantial ransoms.

The first industry targeted heavily by ransomware was health care, which exhibited each of these characteristics. System downtime in a hospital is hugely expensive and can literally be a matter of life and death, and the software running in devices on many hospital IT networks is often outdated and cannot be easily patched.

Municipal governments also are expected to provide reliable services without downtime. IT budgets in government, at all levels, are usually tight. Governments operate on procurement cycles that are often out of step with the pace of IT innovation. In the marketplace battle for talent, governments struggle to offer competitive pay for IT professionals. Consequently, municipal-government computer systems tend to be old and basic cyber-hygiene is often neglected.

Cybercriminals have caught on to this vulnerability and have launched ransomware attacks targeting more than 20 municipal governments this year, including Atlanta’s, according to NPR. Given thousands of jurisdictions and the continuing constraints governments face, these attacks are unlikely to stop anytime soon.

Should the victims pay the ransom? Baltimore’s mayor, Bernard “Jack” Young, has publicly debated the issue but so far has refused to pay the bitcoin ransom, which amounts to about $100,000. Instead, the city is relying on workarounds to try to restore operations.

The ransom question presents a hard choice. A narrow cost-benefit analysis weighing the harms to Baltimore residents against the cost of paying a single ransom indeed favors payment. Cybercriminals also tend to hold up their end of the bargain and restore access once paid, precisely because their business depends on future victims believing that paying works. When demands are not met, the criminals inevitably make good on their threats: the data is already encrypted and unreadable, so simply withholding the key amounts to erasing the records, and it sends a strong message to future victims.

But there are potential negative effects from paying a ransom that extend beyond a single attack.

Paying sets a precedent that encourages the criminals to extort other cities, or even Baltimore once again. If cities established a norm to never pay ransoms, then the cybercriminals might give up the practice. But the difficulty of coordinating responses, and the practically infinite number of available targets, makes this unlikely.

Another potential drawback of ransom-paying: It could fund rogue nation-states or terrorist organizations. The source of the Baltimore attack isn’t known yet, but the perpetrators of other attacks are known — for instance, U.S. intelligence agencies have identified North Korea as the source of some attacks.

The better long-term response is to invest in data backups and recovery mechanisms, because technology failures can happen for many reasons, most of which are not malicious. Large enterprises whose customers need timely access to resources are irresponsible if they don’t have such a plan in place. As for municipal computer systems potentially held hostage, it’s up to citizens to demand that their governments adequately fund IT budgets to meet the rising threats.
