The head of the Baltimore information technology office apologized Friday for doing a poor job of sharing information as it tried to respond to the ransomware attack that began last month.
IT chief Frank Johnson faced criticism during a budget hearing from City Council members, who said other agency leaders and residents were left in the dark.
“We will improve communications in situations like this,” Johnson said. “My sincere apologies.”
The budget hearing offered council members the opportunity to quiz the IT department’s leaders after the ransomware hit on May 7, but, under an agreement with city leaders, questions about who was responsible for the attack, the FBI’s role in investigating it and what data might have been lost were ruled out of bounds. That left some council members groping for “safe questions.”
But Council President Brandon Scott, Budget Chairman Eric Costello and Councilman Zeke Cohen all faulted Johnson and other city officials for not sharing information quickly enough about how the ransomware was affecting city services.
“You can’t just have people go in the dark,” Scott said.
Cohen said the lack of information caused some of his constituents “enormous distress.”
And Costello said the response left him “profoundly disappointed.”
David McMillan, the city’s emergency management director, said he had been holding twice daily conference calls with agency leaders.
But Scott said he had been told by people on the calls: “I felt like I just wasted my time.”
The hack significantly disrupted the city’s operations. The property market was briefly frozen; water bills are not being issued; and communication between police and prosecutors was hindered.
The city is still recovering a month later, with employees slowly being allowed back into their computers and email accounts.
The city’s budget office has estimated the cost of the ransomware attack at $18.2 million. That includes the cost of buying new hardware, hiring contractors to help clean up the mess, and lost or deferred revenue.
Baltimore has been hit with ransomware attacks in each of the last two years. The city’s computer security chief told budget writers last year that she was stretched thin after an attack on the 911 system and discussed plans to upgrade firewall defenses at the perimeter of the network.
Councilman Isaac “Yitzy” Schleifer said his review of the IT office’s budget request for the coming year only mentioned cybersecurity once and he asked if Johnson planned to reallocate any funding.
Johnson said it was too soon to say whether he would seek to move money in his budget in response to the new attack.
“Absolutely everything is being re-evaluated to harden the environment,” Johnson said. “We’re not yet at the point where we’re going to make specific recommendations on how we’re going to shift dollars around.”
Johnson already proposed adding an additional four employees to his office’s security team, doubling its ranks as part of a plan to rely less on contract workers.
And he said that the IT office took steps to improve its defenses after Atlanta fell prey to a different breed of ransomware last year, including installing a new detection system that the council approved.
“If we hadn’t done so, the current crisis that we’re in would have been much worse,” Johnson said.
The hackers behind the attack locked up city files using a tool called RobbinHood and demanded a ransom of about $76,000 in the digital currency bitcoin to provide the keys. Mayor Bernard C. “Jack” Young refused to pay.
During the hearing, City Solicitor Andre Davis said the option of paying was “thoroughly examined.”
“There were discussions at the highest levels of city government with experts, with law enforcement,” Davis said. “It was not a decision made in a couple of minutes.”
The mayor’s office has said the city has a team investigating the incident and another working on bringing systems back online. But officials say it could be months before all the damage is repaired.