The recent ransomware attack that immobilized Baltimore’s computer systems represents the latest in a line of similar cyber attacks against cities and towns across the United States. Three weeks after the attackers struck, city government systems remained crippled, leading municipal leaders to ask for federal assistance to help finance a cleanup that’s likely to cost at least $18.2 million. The mayor now says that a full recovery may take months.
Meanwhile, security experts warn this is a harbinger, not a one-off. Thomas MacLellan, Director of Policy and Government Affairs for Symantec, cautions that towns and cities nowadays have “a big target on their backs because attackers will use the same [tactics and techniques] borrowed from successful attacks to branch out. The attacks against cities like Baltimore, Atlanta and others should be a wake-up call to other midsize cities and towns. It’s time to up your cyber defenses.”
Per a number of press reports, lax security allowed cyber criminals to break into Baltimore’s IT systems. Looking back, the early warning signs are now apparent; since 2012, four Baltimore CIOs were either dismissed or resigned amid complaints that basic security protocols had routinely been ignored. According to MacLellan, similar conditions are present in many other municipalities across the country. And where security lapses exist, ransomware attackers are sure to follow.
It needn’t be that way. There’s plenty that cities can do to protect themselves against these attacks. Here’s what the experts say can be done.
Baltimore’s Vulnerabilities are Everyone’s Vulnerabilities
Let’s first briefly consider why the Baltimore attack was so successful. By all accounts, the city’s IT infrastructure was largely unprotected and ripe for a break-in. Besides not having enough security experts on staff, the city was dependent on aging legacy systems which were frequently left unpatched.
That’s not a unique problem. Security researcher Vitali Kremez, who helped track down and analyze the ransomware called RobinHood that was used in the attack, says that American cities are typically under-resourced and understaffed when it comes to cyber security.
“Because they lack these kinds of resources, they’re vulnerable, and they’ll be targeted,” he said.
The timing of the resource crunch comes as local officials continue to face barriers improving their state’s ability to address cyber security.
Larger cities like New York and Miami generally can afford to protect themselves and have the sophistication to do it. Beyond that, however, many municipalities struggle with cyber security, according to MacLellan. “They lack the resources, expertise, and basic cyber hygiene practices to adequately defend themselves.”
The timing of the resource crunch comes as local officials continue to face barriers improving their state’s ability to address cyber security. A 2018 survey of CIOs by COMPTIA found that 82 percent of CIOs said the most common challenge was the increasing sophistication of threats with a close second being the inability to attract and retain top-tier security and privacy talent at 71 percent.
Cyber criminals operate like any other for-profit enterprises and go after low-hanging fruit. And these days, that means cities, where local budgets are under increasing pressure.
Locking Out the Bad Guys
Given all that, what can cities do to protect themselves against ransomware? Plenty. Disaster recovery expert Asher DeMetz says that municipalities ought to adopt a multistage approach.
- First, they need to protect themselves, so they don’t get hit. Also, they should take measures designed to make sure they can recover in the event they do get hit.
- They also should focus on basic cyber security practices, including using proxy servers to halt malicious downloads, disabling USB thumb drives and similar devices, and using security software to protect against email threats and malware. They should also segment their networks so that if ransomware or other malware gets through, it remains contained in only one portion of the network and doesn’t spread widely.
- In the event of an attack, cities must have a strong backup solution, including offsite backups that are totally air-gapped so that if ransomware hits, it can’t hit the main backup.
- Lastly, they need to practice recovering from a ransomware attack, so if it does happen, they can re-image and get back to work quickly.
MacLellan added that cities should follow best-practice security frameworks, such the NIST Cyber Security Framework. He allowed, though, that many cities don’t have the resources and personnel to do that, “and so they should do what a lot of states are beginning to do, contracting for managed cyber security services or a managed SOC (Security Operations Center) to handle their security.” That way, he noted, cities will get the highest level of security possible, without having to hire high-priced staff or buy expensive infrastructure.
He added that cities should buy cyber insurance. That will protect them from footing potentially multi-million-dollar recovery costs in the event of attacks. According to reports, Baltimore didn’t do that and is now on the hook to pay a substantial bill.
CIOs and CISOs need to be more proactive in warning elected officials and top municipal executives about the cyber threats they face and the resources and solutions required to protect against them.
Beyond that, MacLellan added that cities “should work more closely with their state or partner cities or counties, to share buying power and scale up.” Working closely also means sharing information and advice.
Ultimately, he said, CIOs and CISOs need to be more proactive in warning elected officials and top municipal executives about the cyber threats they face and the resources and solutions required to protect against them.
“They need to articulate the liabilities to the people who hold the purse strings. They have to say, ‘Our risk profile looks like this, here’s what it will cost to shore up our defenses, and, based on what we’ve seen from cities like Baltimore and Atlanta, this is what recovery would cost after a successful attack.’ Going through a process like this will help build the business case for things like managed services.”
“In the end,” MacLellan continued, “Cyber security needs to be budgeted as an operational expense not as a capital expense. Those cities that can build and sustain an effective and adaptable cyber security program are not only more secure, they are less appealing as a target.”