Themes Emerging from Cyber-Attacks on Baltimore City Government
One week ago, Baltimore City government servers were hit with a ransomware attack which resulted in certain non-critical services being knocked offline for an unspecified amount of time, some of which may continue to be down as of this post. The attacks crippled numerous systems which enable workers to conduct their daily business. The Mayor’s office stated that critical services—police, fire, EMS, and 311—were not impacted directly. The Mayor has also tweeted that personal data does not appear to have been stolen. Instead, reported impacts include cancelling a City Council meeting, preventing citizens from calling or emailing the Department of Public Works, and closing down intake at the Department of Transportation’s vehicle impound lot. Last year, the city’s 911 system suffered a ransomware attack which disabled its computer-aided dispatch (CAD) system. The two attacks highlight several emerging themes:
Attacks Impacted Availability of Ordinary Services. In both cases, the city retained its ability to provide critical services in real-time, although hamstrung by the failure of normal online functions. Thus, using the “CIA” data security triad (confidentiality, integrity and availability) as a reference, the two attacks on Baltimore very much impacted the availability of city services. Such attacks lack immediate drama but have a cumulative impact, as city personnel are forced to do business manually. As of last Thursday—two days after the ransomware threat was delivered—a spokesperson for the city workers’ union stated that most employees had no access to email, and that credit card payment processing systems were out of commission. Doing things manually saps time away from advancing the city’s strategic goals and fulfilling basic delivery of services to citizens. For example, although the police retained their ability to respond to calls following the more recent hack, they could not (and perhaps still cannot) use official email service to share information about ongoing investigations.
Attacks Exemplify Municipal Vulnerabilities. These attacks are symptomatic of the new reality facing municipalities: they are prime targets for cyber-attacks. Cities are tasked with providing critical services to hundreds of thousands of people. Therefore, cities maintain vast stores of sensitive data in their online systems: names, addresses, credit card accounts, criminal records, medical records, and so on. Just as important, city IT departments struggle with a lack of trained personnel (a nationwide problem) and unwieldy legacy computer systems. Baltimore’s own public IT plan bears this out. Discussing an initiative to centralize cybersecurity and other IT functions, the plan warns that a failure to consolidate will result in: “[c]ontinued inability to provide expertise, quality assurance and quality control at the department level for cyber security, DevOps, data integration and data collection.” In other words, only by bringing all city networks and systems within the ambit of a centralized IT center can scarce cybersecurity resources be deployed effectively.
Response is as Important as Prevention. In both 2018 and 2019, it does not appear that Baltimore was specifically targeted by sophisticated hackers. Rather, with respect to the attack on the 911 CAD systems, the city’s vulnerabilities were discovered without much effort by automated scanners which identify and exploit commonplace weaknesses. In the more recent attack, authorities have not yet found or disclosed the attack vector, but we do know that a similar attack (same ransomware) hit Greenville, North Carolina just a few weeks ago. Once the attack penetrated the City’s network, it appears to have spread device by device, disabling each in turn and prompting City leaders to order personnel to shut down all devices. The Mayor stated that backup systems exist, but that they cannot be accessed without risk of further damage.
Cloud-based computing and storage, careful segmentation of interrelated networks, and differentiated, controlled access to each segment can all help contain such attacks, investigate the breach and support a rapid recovery. Whether such measures were in place, or were overcome, is not publicly known, as the FBI continues its investigation and city spokespeople defer to that investigation. While it is true, as the Mayor has pointed out, that cyber-attacks are inevitable, the city should strive for better resiliency in the face of such attacks.