City leaders vowed after the May 7 ransomware attack on Baltimore that the city’s IT would not only recover, but return stronger than ever.
But what, beyond boosting the budget for the Baltimore Office of Information & Technology, must they do to ensure the money is well-spent and city IT is not only hardened against crooks but made more functional for citizens?
“It’s going to require more than just investment. It’s going to require a holistic view. It’s going to require a view across all the city’s agencies and a reckoning with 20 years of crud – information technology crud – that’s out there,” says tech journalist Sean Gallagher in Part 2 of his interview with The Brew.
Gallagher notes some specific problems, like the fact that the city hosts its own email, which creates both a headache and a security risk for Baltimore government.
Switching to hosting by a third party responsible for security could remove a huge burden and better safeguard the network, he says. Making use of cloud-based services would also save costs and boost security.
A Baltimore resident as well as IT and national security editor for Ars Technica, Gallagher discusses questions that citizens may have about how they could be affected by the attack that has paralyzed much of Baltimore’s online services. Questions like:
Did the hackers get sensitive government information or the personal data of residents?
And how much will the attack ultimately cost taxpayers?
But the point he returns to repeatedly is the opportunity the Robbinhood attack presents Baltimore to transform its information system if it undertakes fundamental reforms and ushers in a culture change.
“Slapping new desktop computers on people’s desks with a new operating system and new malware protection is not fixing the problem,” he says. “It solves the problem of someone getting malware on their desktop computer, but it doesn’t fix everything that’s behind it.
“Info tech and cyber security has to be a central mission of the city,” he continues. “It has to be something that the mayor buys into, that the mayor has some real understanding of.”
BREW: What’s next in terms of getting the city’s network running again?
GALLAGHER: The incident response teams that come in to deal with this sort of thing are not cheap. They are the information security equivalent of SWAT teams. They come in and try to first figure out when this all started. So they may have to go back weeks or months depending on how long the malware has been sitting on the network.
It’s going to be very costly. The fact that the city doesn’t have any kind of cyber insurance policy to help pay for incidents like this represents a huge oversight by city leadership.
I would think that after last year, after what happened with Atlanta, that they would have at least thought about having a rainy day fund set up.
The other problem is, if somebody came in to do insurance, they would want an audit of the system before they did it and the bill for the insurance would have been more expensive than the ransomware.
What about the “just pay the ransomware” argument?
A lot of people try to discourage that. I know many small towns have paid the ransom because they don’t have the capability of restoring. In some cases, some of these ransomware people have even told them what the vulnerability was they used to come in so they could fix it, so nobody else would come in after that.
The problem with paying the ransom is that the vulnerability that let the attackers get in in the first place is still there if you haven’t figured it out. Then somebody comes along next week and now you gotta pay them.
What about the possible theft of city documents by the hackers?
There’s a Twitter account out there that claims that it’s associated with the attack and that they stole documents off of the city system. They posted a picture of it, and it was, I think, a 2017 subpoena in a lawsuit against the city having to do with snow removal or something.
If in fact somebody had been in the network long enough to essentially collect the data that was pulled in from, say, discovery in a lawsuit against the city – that’s a huge breach. That’s a major concern. I personally think that Twitter account claim is bogus. I think they got the data from somewhere else.
But it’s entirely possible, depending on how long they were in the network, that they did steal stuff and that the ransomware was just the final kiss-off.
Meaning that they were in the network and they covered it up by running a ransomware attack. That is something we have seen in ransomware attacks in the past.
Well, we did just have a corruption raid on City Hall by the FBI…
I don’t think Catherine Pugh had anybody going in there! This was written well enough by somebody who understands how Windows administrator stuff works. Somebody familiar enough with the services that run anti-viruses on Windows and things like that. It was somebody who was a professional cyber criminal who did this.
Can the city really know that no data was lost?
No. And that’s a serious concern. Think about this for a minute. People can’t pay their taxes right now to the city. Think what kind of personal information is associated with your tax records.
And what about your water bill? What personal information is associated with that? What sort of sensitive information about non-police enforcement is available?
Have other municipalities had sensitive data stolen?
I can’t point to any specific municipality, but there was a health insurance network that was hit by Chinese hackers and massive amounts of data were stolen.
There was the Marriott breach, the Starwood breach, in which people’s emails and travel records – records of where they stayed in different hotels and such – were part of the breach. That was likely connected to a broader state-actor attack.
Then there was what happened in the U.S. Office of Personnel Management, where the security clearance investigations that were done for every federal employee were stolen.
There’s a lot of data the city has that’s not very useful for a criminal, but there’s a lot of financial data they have and we don’t know if people have been poking around in those systems for however long.
A number of people – security people – have told me they believe there have been bad actors poking around the inside of Baltimore city’s network for forever.
And there’s no way the city would know about most of them because they don’t have the level of tracking to be able to know. (The mayor said that the city is installing activity tracking software now.)
How much will this attack likely cost altogether?
I think it will be in the tens of millions of dollars, and that’s just direct costs. It may very well run into the hundreds of millions of dollars once they’ve completely fixed the problems that are the root causes of this.
The direct costs are going to be buried in man-hours and in contractor fees. I would like to see some transparency in what the city is doing. But at the moment, it’s hard to be transparent when all your networks are down!
How can the city avoid future security breaches?
The city could be much more secure and save a ton of money if it were looking at ways to, say, use cloud services such as Microsoft Office 365 for Government, which is designed for environments that have high regulatory requirements. They maintain the service and they maintain the security.
Other obvious things: Why is the city hosting its own email? Running its own email servers? If it’s because they’re using some kind of unified messaging with the phones or something – I mean the tech they’re probably using is at least a decade old – could they not be saving money by doing it in a different and more secure way?
And why is the city hosting these web applications? Why haven’t they gone to somebody to do it for them that can maintain the security?
The city’s own security team and software development teams are too small to properly maintain all the software.
There are a number of services that the city has put behind security services such as Cloudflare, which prevent things like denial of service attacks. But over a quarter of the more than 100 internet sites associated with the city are connected to the internet directly from the city’s own data center.
What should a forward-thinking mayor do to steer the ship in the right direction?
If I were mayor, I would say: Okay let’s run the city like a business. Because now there’s a big disjuncture between how the city uses business technology and its business practices.
I think that the business processes of the city could be dramatically improved by embracing some parts of information technology that the city has only half-heartedly embraced.
Outsourcing email would dramatically improve security and take a huge headache off of the city in terms of administration of systems.
We also have to take a deep look at the city’s whole infrastructure because we’re now sticking Smart City stuff on top of old stuff, and there’s going to be a reckoning at some point.
One of the things that somebody has to do is find out what’s not working. Find out what we actually use. We also need to get people who understand technology down into each of the business units of the city.
It’s fine to have BCIT, but you need to have people who understand technology at the department level. Especially at the leadership level because they need to decide how to run the city in the future and how to best leverage new technology to it.
In the end, does it get down to leadership?
Pretty much, yes. Slapping new desktop computers on people’s desks with a new operating system and new malware protection is not fixing the problem. It solves the immediate problem of someone getting malware on their desktop computer, but it doesn’t fix everything that’s behind it.
Info tech and cyber security has to be a central mission of the city. It has to be something that the mayor buys into, that the mayor has some real understanding of.
The other reason the city is sort of in this halfway place is because we have such a big info tech gap between different populations in the city in terms of having access to technology, understanding technology. There are problems that go back to the school system and beyond. We are not developing skills – we’re not giving people access to technology.
So it’s going to require more than just investment. It’s going to require a holistic view. It’s going to require a view across all the city’s agencies and a reckoning with 20 years of crud – information technology crud – that’s out there.
It’s a tall order, and I honestly don’t know if city government is up to it.