Baltimore Mayor Bernard “Jack” Young faced a crisis less than a week into his new job when a ransomware attack hit the city’s computer systems — cutting off emails and shutting down online bill collections for everything from utilities to real estate transactions.
Speaking to reporters the day after the attack, Young said, “I really don’t know the policy” on paying a ransom. “I’ve just been in this office what, six, seven days, but I’m quite sure there is a policy,” said Young, who served as city council president and rose to the mayor position after Catherine Pugh resigned days earlier on May 2 amid an ethics investigation.
Despite his uncertainty about Baltimore’s policy, Young had no questions about his stance. “I will not pay a ransom to anybody,” he said.
What started out as resistance in the face of hackers’ demand for $76,000 to unlock the city’s systems has led to a national stance among mayors who have pledged not to give into the growing number of ransomware attacks targeting big cities and small towns across the country.
Almost two months after Young’s initial reaction to the Baltimore attack, the U.S. Conference of Mayors unanimously passed a resolution that pledged to stand “united against paying ransoms in the event of an IT security breach.” The resolution, co-sponsored by Young and Las Vegas Mayor Carolyn Goodman, was adopted by more than 1,400 mayors nationwide.
Now, with almost weekly reports of ransomware attacks on U.S. cities, the Conference of Mayors is urging Congress to pass the State Cyber Resiliency Act to provide federal aid to states and local governments to bolster their cyberdefenses.
“The Baltimore case raised the bar,” said Sherban Naum, senior vice president at the cybersecurity firm Bromium. “You even have certain elements of the U.S. government saying ‘We have to help them.’”
A June House Homeland Security hearing on cybersecurity threats highlighted the extent of the problem. “There have been at least 170 ransomware attacks carried out on county, city or state governments since 2013–including over 20 reported so far this year,” said Rep. Cedric Richmond, D-La., citing research by the cybersecurity firm Recorded Future.
He suggested the actual number of ransomware attacks was probably “far higher” and said he was working on a “comprehensive package” to address the matter, but gave no indication of what that would be.
Underscoring Richmond’s comment, a report out Wednesday from the cybersecurity firm Barracuda found that more than 70 state and local governments have suffered ransomware attacks so far this year.
Estimated damages from ransomware attacks worldwide exceeded $8 billion in 2018, according to research by Cybersecurity Ventures. In June, officials from the Florida cities of Riviera Beach and Lake City paid ransoms of $600,000 and $460,000 respectively. Additionally, cities face mounting costs to recover from the attacks.
The Baltimore attack cost an estimated $10 million in expenditures and potentially an additional $8 million in lost or delayed revenue, according to Councilman Isaac “Yitzy” Schleifer. A 2018 ransomware attack on Atlanta cost the city government an estimated $7.2 million, according to Mayor Keisha Lance Bottoms.
In 2018, nearly 1,500 ransomware attacks were reported to the FBI at an average loss rate of over $3 million.
The mayors’ no-ransom payments stance comes with the risk that cities will never recover valuable data from hackers, but the conference believes it’s a necessary step to reduce the incentive for hackers who carry out these attacks.
“Federal authorities are clear that these kind of ransom payouts are counterproductive,” said Lester Davis, a spokeman for Baltimore’s mayor, stating there is no guarantee that a city gets its information back.
“It just made sense for the conference,” Davis added. But the resolution is not a binding policy preventing cities from paying ransoms and there is no federal law preventing local governments from paying ransoms.
Meanwhile, ransomware attacks continue, increasing in sophistication and coordination.
In August, 22 government targets in Texas were hit with ransomware. The evidence points to a single actor who coordinated the attacks, according to the Texas Department of Information Resources.
“The adversary is not going to stop because someone says I’m not going to pay,” Naum said.
Naum said cybercriminals attacking critical infrastructure like a power grid could make the hacks “so painful that there really is no choice” but to pay for the sake of the constituents..
“Hopefully the unification of messaging isn’t just that we’re not going to pay, it’s that we are fundamentally going to change the way we operate our infrastructure,” said Naum. “That would be the best outcome.”
For Baltimore, the city’s outdated IT infrastructure needed updates “regardless of paying” the ransom, Davis said. “These were maintenance issues that had been delayed and deferred in previous administrations that we were going to have to do.”
According to the Baltimore City IT Department, the investments in the city’s IT systems would need to increase from $30 million to nearly $130 million to meet industry benchmarks.
The State Cyber Resiliency Act would provide federal aid to states and local governments to follow the cybersecurity best practices set by the National Institute for Stands and Technology.
“We see that state and local budgets are insufficient for tackling cyber threats,” said co-chair of the cybersecurity caucus and bill co-sponsor, Sen. Mark Warner, D-Va., in an email.
In a letter of support to the bill’s co-sponsors, representatives from the National Governors Association, the National Association of State Chief Information Officers, the Governors Homeland Security Advisors Council and the National Conference of State Legislatures said, “The new grant program authorized by the State Cyber Resiliency Act would prioritize best practices at all levels of government and help participating state and local governments coordinate resources, better respond to threats, and plan for a strong and resilient cyber future.”
The Department of Homeland Security’s nascent Cybersecurity and Infrastructure Security Agency, or CISA, created in November 2018, is developing a plan to counter the attacks facing government targets.
“We will also use our insight, expertise, capabilities and reach to assist our state and local government partners in improving their cybersecurity posture and defending against the outbreak of ransomware,” said Chris Krebs, director of CISA, in an agency document addressing its cybersecurity priorities.
While the federal government organizes its strategy, the city of Baltimore is charting a new course as well. For Baltimore’s mayor, whose decision not to pay the ransom turned into the national resolution, the risk still remains.
“One of the first things that the mayor did when he became mayor was to instruct the city solicitor to purchase cybersecurity insurance,” said Davis, the mayor’s spokesman.