Baltimore IT director who was at helm during ransomware attack and city’s recovery is on leave

Frank Johnson, the Baltimore IT director who led the city through its recovery from a crippling ransomware attack this summer, is on leave, the mayor's office said. His deputy, Todd Carter, is serving as acting director. Johnson is shown speaking in this file photo.

Frank Johnson, the Baltimore IT director who City Council members have criticized for his leadership during this summer’s recovery from a crippling ransomware attack, is on leave, the mayor’s office said Tuesday.

His deputy, Todd Carter, is serving as acting director.


Lester Davis, a spokesman for Democratic Mayor Bernard C. “Jack” Young, confirmed that Johnson was on leave. Davis declined to comment on the reasons for that or when Johnson might return, saying it was a confidential personnel matter.

Davis said the city’s recovery from the ransomware is all but complete and the mayor is confident Carter will continue the work of securing the city’s computer networks in Johnson’s absence.


“This has no bearing or impact on the city’s continued restoration and recovery," Davis said, calling Carter, “prepared to step in and lead.”

Johnson could not be reached for comment. The Baltimore Brew news site first reported his leave.

Johnson joined the administration of Democratic Mayor Catherine Pugh in late 2017, crafting a strategic plan to overhaul the city’s IT systems. With a salary of $250,000 he is the top paid city official, but he took a significant pay cut from his prior role as a senior salesman for Intel to join city government.

Johnson told The Baltimore Sun in June that he took the job because he saw an opportunity to “digitally transform the entire community."

But he has faced significant challenges in his almost two years on the job and scrutiny of a kind he did not receive in private industry.

Since Johnson took over, the city has twice fallen victim to ransomware attacks. The first in the spring of 2018 was minor, but the one that began in May left the city reeling. Real estate sales were briefly halted, city employees lost access to email, and water bills could not be issued for three months. The cost of the attack has been estimated at $18 million.

The city’s Department of Public Works began issuing water bills again in early August, restoring the last major public service the attack disrupted.

Council leaders publicly criticized Johnson for his handling of the attack’s aftermath and he acknowledged the city did not have a written disaster recovery plan before the second incident.


Democratic Councilman Eric Costello, chairman of a new council cybersecurity committee, faulted Johnson Tuesday for that lack of such a plan and poor communication in the wake of the attack.

“I think that Frank is not the right person to lead the city’s IT efforts," Costello said. "I’ve been very vocal about that.”

Stefanie Mavronis, a spokeswoman for Democratic City Council President Brandon Scott, said the president’s office was told Monday morning that Johnson was on leave.

Mavronis said the cybersecurity committee Scott set up would monitor the ongoing recovery effort. Costello said an initial committee hearing has yet to be scheduled.

Carter only recently joined the city, having previously worked in a senior IT role for Exelon. He could not be reached for comment.

Costello said he did not know what the mayor’s long-term plan was for leadership of the IT office, but said Carter was “intellectually capable and responsive."


“Those are things I’m looking for in the leader of an agency,” Costello said.

Johnson’s leave follows a pair of senior IT department managers being replaced in July. The mayor’s office said at the time that those moves were not connected to the ransomware attack.

The city has not explained how its network fell victim to hackers, who locked up files and demanded payment for the keys. The mayor refused to pay and the city began the arduous job of cleaning its systems, restoring its files and getting services back online. In the meantime, some functions were carried out using pen and paper or ad hoc workarounds such as hastily set up Gmail accounts.

In July, the city disclosed it paid $5 million to vendors helping with the recovery and budget officials expected the cost to ultimately reach $10 million. The remaining projected costs were a result of lost and deferred revenue.

Other cities and public agencies have turned to insurance to cover the costs of cyberattacks, but Baltimore did not have a dedicated insurance policy. Officials are now considering purchasing one, but a planned August vote by the city’s spending board to approve a policy was postponed so board members could be briefed on it.

The spending board is set to consider $3 million in funds transfers to cover IT spending at its Wednesday meeting, including $1 million that the board’s agenda says will be used to “protect email, internet, permits and billing city applications from ongoing cybersecurity threats.”


The board is also scheduled to hear from the city’s auditors about a routine review of the IT department’s performance from July 2016 to June 2018.