Baltimore officials rebuffed offers of state help for a 'week' after crippling hack of city computers


Baltimore officials did not welcome help from Maryland information technology experts for the first week after City Hall’s computer networks were locked up by hackers on May 7 — a delay that is adding to a chorus of complaints about the city’s response.

At the Maryland Cybersecurity Council meeting last month, a senior official for Maryland’s Department of Information Technology briefed the group on Baltimore’s response to the ransomware attack that continues to cripple several city payment functions.


“Initially, for the first week or so, it was very hard to actually get people in there to work with them, and I think that’s because there wasn’t this working, trusted relationship happening prior to the event,” said John Evans, the state’s chief information security officer, according to a transcript of the May 22 council meeting obtained by The Baltimore Sun. “We almost felt a little bit like being kept at arm’s length.”

Evans could not be reached for comment, but he told the council he wasn’t criticizing the city; rather, he said, the episode offered a lesson about why local jurisdictions and his agency need to establish policies to jointly respond to cyber attacks.


Lester Davis, a spokesman for Mayor Bernard C. “Jack” Young, said the state has “been a godsend” regardless of when its assistance began.

“We were thankful that the state was there and has been there,” Davis said. “When you’re talking about 21st-century cyber warfare the playbook is still being written.”

But some City Council members said they were troubled to learn that the city’s information technology officials did not have a working relationship with their state counterparts.

Evans told the cybersecurity panel that the state’s help would have been accepted “much faster” if a preexisting “cohesive relationship” had existed between state and city information technology staff.

“Since my guys have been there, I think there’s been some — they’ve contributed to some really significant work, and I think we could have been getting through things faster had that already been in place,” he said, according to the transcript.

Councilman Eric Costello, a co-chairman of a committee investigating the ransomware attack, said the lack of such a relationship deprives the city of valuable state resources. The city’s information technology office operates with a nearly $40 million budget compared to the state IT agency’s nearly $175 million budget.

“The city would have been better positioned if we had access to those resources,” Costello said. “If we don’t have a relationship, we don’t have access.”

Council President Brandon Scott said the city should have as close a relationship with state officials as it does with federal authorities, who quickly responded to the attack last month.


“If they have a working relationship with our federal partners, they should have the same with our state partners,” Scott said. “It’s unacceptable for them not to have a relationship.”

During a budget hearing Friday, council members criticized Frank Johnson, the city’s information technology director, for his handling of the aftermath of the ransomware attack. They said his office had done too little to communicate with other agencies and elected leaders.

Costello said attacks on computer systems are now inevitable.

“The problem is how we responded to it,” Costello said. “He didn't respond the right way.”

Michael Greenberger, a cybersecurity council member who attended last month’s meeting, said Evans’ comments were delivered to support his presentation about how to improve cooperation between local and state IT officials — similar to how Maryland and local emergency management personnel regularly practice for hurricanes, epidemics and terrorist attacks.

“I can understand how that happened,” said Greenberger, director of the Center for Health and Homeland Security at the University of Maryland’s law school. “In the best of all worlds, the city people should know who the state people are and vice versa.”


But a week-long delay is “understandable” with the FBI on the scene and “all hell breaking loose,” he added.


“Emergency management is nonpartisan,” Greenberger said. “The ransomware shows us we have to move in that direction of doing joint exercises between the state and local jurisdictions.”

A spokesman for the Maryland Department of Information Technology said Gov. Larry Hogan’s administration “is working closely to help with the restoration of Baltimore City’s systems and is providing state and contractual resources, including five employees detailed to the city.”

“Local jurisdictions are encouraged to collaborate with [Maryland’s Department of Information Technology] on the sharing of best practices to strengthen their cybersecurity posture and IT infrastructure,” spokesman Patrick Mulford said in an email.

Davis said Hogan and Lt. Gov. Boyd Rutherford have given Baltimore all the help it has requested and more.

“We couldn’t have asked for more help from the state,” Davis said. “They’ve bent over backwards to help us out, and that will be their posture for the foreseeable future.”


In his briefing before the state cybersecurity council last month, Evans acknowledged that current working relationship.

“We've been working closely with Baltimore City,” Evans said. “At any given time, there’s four to five state personnel pretty much around the clock working with Baltimore City.”