For two weeks in mid-June, hackers held Lake City hostage. A ransomware attack locked down the north-central Florida municipality’s entire computer network, taking email offline and disabling the internet-based phone system. The town’s 6,500 residents found themselves cut off, unable to pay utility bills or process building permits. The hackers demanded a bitcoin payment of $500,000 to unlock the networks. As municipal services ground to a halt, the city felt it had no choice but to pay.
It turned out that Lake City wasn’t alone in being targeted. Just south on Florida’s Turnpike in Riviera Beach and Key Biscayne, hackers demanded and received $600,000 each on separate, but similar attacks. The recent attacks weren’t limited to smaller cities. Atlanta and Baltimore paid out millions, both in ransom and recovery costs, following ransomware attacks over the last 12 months.
Early on, corporations had been the primary prey of ransomware bandits. Targeting of the public sector is a relatively new phenomenon, but one that has garnered heightened attention from the media. A recent report estimated that more than 170 state and local governments fell victim to ransomware attacks over the last five years.
While six-figure ransom demands have become commonplace, the true cost of these attacks reaches far beyond the ransom payment itself. Atlanta shelled out $52,000 to hackers following a 2018 ransomware attack. However, the city estimates that total cost of the attack to date is closer $7.2 million. According to Mayor Keisha Bottoms, the attack knocked almost all city agencies offline, affecting everything from scheduling court cases to online bill payment, and caused decades of official correspondence to vanish.
Corporations responded to the initial wave of ransomware attacks by strengthening their cyber defenses. Governments, particularly on the local and state level, have been slower to react. In the race to build out municipal cyber infrastructure, some entities have skimped on security measures.
“Government knows it needs to change, but they move slowly compared to how quickly private business can pivot to manage their exposure to a new threat,” said Gary Hayslip, a cybersecurity expert and former chief information security officer for the City of San Diego. “Until it is mandated that cities, counties and states meet a specific level of security and have to periodically demonstrate it as is done in business for compliance, government entities will continue to be low-hanging fruit and cybercriminals don’t mind eating them for lunch.”
Cybercriminals zero in on targets that require the least effort while offering the largest potential reward. Cities often fit this description, according to AttackIQ’s Chris Kennedy who says municipalities will often wait to upgrade outdated infrastructure.
“(Cities) chug along on this old legacy infrastructure, and that old legacy infrastructure is the stuff that is often exploited,” Kennedy says.
Another problem unique to state and local government has to do with personnel. Cities and their in-house IT staff are often overstretched, understaffed and underfunded.
“It can be an overwhelming problem if you’re not adequately staffed,” Kennedy said.
Once a government entity is hit with a ransomware attack, its options are extremely limited. Law enforcement officials almost universally recommend against paying off the cybercriminals, arguing that this only invites future attacks. While refusing to pay the hackers may prevent later harassment, it can also significantly burden on the effected institution. For many cities, time equals money. The longer IT services remain down, the greater the financial damage.
As recent events illustrate, many municipalities opt to pay the ransom. While insurance may cover most of the cost of the ransom payment, it might not come close to covering the collateral damage these attacks can inflict.
“Hallmarks of a good cyber insurance plan or policy would include not only coverage for damage to systems or damage to data, but fraud coverage, extortion coverage, coverage for breach response, public relations expense,” said Jonathan Meyer, partner at law firm Sheppard Mullin and former deputy general counsel in the Department of Homeland Security.
Ultimately, the best insurance may come in the form of proactive measures taken to harden a city’s cybersecurity posture while laying out contingencies to reduce damage and protect critical data.
Center for Technology Innovation fellow Niam Yaraghi recently wrote in an article for the Brookings Institute, “The best defense against ransomware attacks is putting basic security safeguards in place. It will most likely dissuade hackers that are after a quick buck and are not motivated to spend time hacking into a secure system while there are easier targets out there.”
Federal cybersecurity experts have also taken notice of these localized ransomware attacks. The Department of Homeland security recently released a set of security recommendations to help protect private and public organizations of all sizes, which includes the following steps:
A qualified managed service provider that understands the unique needs of government clients can help implement all of the above recommendations. These consultants can perform a thorough assessment of the city’s security posture and implement the appropriate safeguards and policies that harden defenses, sending would-be hackers looking elsewhere for “softer” targets.
Contact Valeo Networks to learn more about our security services geared to the needs of government and municipal clients.