After crippling ransomware attack, Baltimore council members look for answers

Baltimore's cybersecurity committee is beginning to work on recommendations on policies, practices and technology needed to strengthen the city’s IT system after May's ransomware attack. In this file photo, a sign on the front of the Abel Wolman Municipal Building warned visitors that "SYSTEMS ARE DOWN" due to the ransomware.

By about 3:30 a.m. on that May morning, it was clear something was very wrong in Baltimore.

It was the beginning of a ransomware attack that would hamper city government for months. But because Baltimore lacked the bandwidth for 24/7 cybersecurity monitoring, it took hours for officials to realize the extent of what was going on.


“Not all of the alerts were identified,” said Gayle Guilford, the city’s cybersecurity chief. “It was due to limited staffing and limited funding.”

Democratic City Council President Brandon Scott established the Cybersecurity and Emergency Preparedness Committee in June, charging the group with analyzing the attack and developing solutions to prevent another one.


The committee met for the first time Wednesday and will work for the next several months to make recommendations on policies, practices and technology needed to strengthen the city’s information technology systems.

Council members pressed agency leaders during Wednesday night’s hearing on the timeline of events and what lessons can be learned from how the attack unfolded. Guilford said they’re working on building the ability for constant monitoring, so that if city systems are attacked again, they could react immediately.

“The idea is to figure out exactly what happened, did we respond the right way and what can be done to reduce likelihood of a future attack," said Democratic Councilman Eric Costello, who is co-chairing the committee.

But city leaders couldn’t go into much detail about the attack itself during the hearing. It remains under criminal investigation, said Sheryl Goldstein, the mayor’s deputy chief of staff for operations, adding that federal officials have asked her and others not to share sensitive details with the public.

During the May attack, hackers gained access to city systems, encrypted files using ransomware and then demanded payment for the decryption keys, which Democratic Mayor Bernard C. “Jack” Young refused to pay. It disrupted employees’ email service, halted water billing, suspended real estate transactions and cost the city millions.

Maryland Policy & Politics


Keep up to date with Maryland politics, elections and important decisions made by federal, state and local government officials.

The city’s spending board approved a plan last month to purchase $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year.

Future committee meetings will deal with cybersecurity training, developing backup plans and creating a tech advisory council.

Costello questioned why he’s never been required to do cybersecurity training by the city.


Acting IT director Todd Carter, who took over after his predecessor left in the wake of the ransomware attack, said by early 2020 the city will develop a plan for mandatory training.

Democratic Councilman Isaac “Yitzy” Schleifer, a committee co-chairman, said the city didn’t communicate effectively with employees during the first few days of the attack, leaving people — including council members — in the dark about how to go about their business.

Carter said that, should this happen again, the city would know to communicate vital information better.

“It’s terrible to have gone through this and learned the hard way," Goldstein said, “but these are things you’d see much improved if this were to happen again.”