Baltimore’s city government has been crippled for more than a week by a ransomware attack that locked down key data and prompted the shutdown of other systems to prevent further infection. Now the costs are becoming clear — homeowners unable to pay back bills to avoid their properties going to tax sales, alerts to warn drug users of dangerous batches of opioids suspended, real estate transactions brought to a halt, not to mention whatever it’s costing the city in lost productivity and the direct expense of seeking to neutralize the threat and recover the data. It is, at this point, safe to say that paying the approximately $76,000 ransom the hackers demanded would have been a lot cheaper, and some (including former Mayor Sheila Dixon) are saying that’s what we should do.
It’s not a ridiculous idea. Of the many, many other cities that have faced ransomware attacks in the last few years, some have paid, and those that haven’t generally spent far more than the ransom amount to get their systems back, a process that can take weeks or more. The worst case example is probably Atlanta, which suffered a devastating ransomware attack last year. A report obtained by the Atlanta Journal-Constitution estimated the cost to recover from the attack at as much as $17 million. The requested ransom in that case? $52,000.
On balance, though, Baltimore is probably right not to pay, for both practical and philosophical reasons. As a practical matter, ransomware hackers don't always live up to their promises to provide keys for the data they have encrypted. That happens about a third of the time when organizations pay to unlock their data. And sometimes hackers will leave behind malicious code in the compromised systems that can be reactivated later. (That happened to the Colorado Department of Transporation, which generally got good marks from analysts for its preparation and response to a ransomware attack last year — it was widely credited with having good systems to contain the problem and securely back up its data. But it still wound up spending at least $1.5 million to recover.) And philosophically, paying the ransom amounts to sending taxpayer money to criminals — not something most elected officials are eager to do. Private companies targeted by ransomware attacks can more easily approach the issue as a pure cost-benefit analysis — and unlike governments, they don't have to say whether they chose to pay. That may be why about 45 percent of organizations targeted by ransomware pay up but only about 17 percent of governments do.
We would also say that paying the ransom only encourages more ransomware attacks, but hackers appear to require no encouragement. The cybersecurity firm Recorded Future has documented 169 ransomware attacks on state and local governments since 2013, with more than 20 of them already this year. And Baltimore is already on its second ransomware crisis of the last 14 months; ransomware briefly disabled 911 and 311 services last March.
In light of that, though, it’s fair to ask whether Baltimore could have or should have been more prepared.
The city government does have back-ups of much of the data, but it is taking time for IT staff to make sure it isn’t infected before bringing systems back online. Other data was already being stored in the cloud, but technicians need to make sure the terminals used to access it are clean. That’s not easy, given that there are some 8,000 computers across city government. We don’t know how the hackers gained access to the system, whether through a brute force attack (that is, bombarding the system with possible username/password combinations until one hits), a phishing attack in which workers are duped into opening a malicious email, or some other means. But it’s definitely worth evaluating the level of cybersecurity training city employees get, tightening policies on the strength of passwords and the frequency with which they must be changed and determining whether the city takes sufficient advantage of multi-factor authentication on key systems. Ensuring that software is updated regularly with the latest security patches is also crucial. Investing in IT infrastructure may seem like a luxury until a situation like this shows just how dependent residents are on a functional government computer system. We hope that the new cybersecurity committee City Council President Brandon Scott announced this week will point the city in the right direction.
And there’s one more thing Baltimore should have done before and absolutely needs to do now: buy cybersecurity insurance. Mayor Bernard C. “Jack” Young was beating that drum back when he was City Council president, and a spokesman says he is now going to make it happen. It’s too bad Baltimore didn’t make that decision after its first malware attack. The city doesn’t yet have a tally of what it’s spending to bring systems back online. But between overtime for its IT staff and outside consultants helping with the recovery, and lost transfer and recordation taxes, among other things, it’s easy to imagine the tab running into the millions. Given Baltimore’s vast needs, that’s money that could definitely be better spent somewhere else.