In just her third month in office, the mayor of Atlanta learned the hard way that digital defense is a top priority. On March 22, a cyberattack brought the town to its knees. For the next five days, all 8,000 employees of the city were forbidden to turn on their computers, the municipal court could not validate warrants, police officers wrote out reports by hand and the city stopped taking employment applications. Online services ground to a halt, and nobody could pay their traffic tickets or water bills.
For the hackers, part of an international cybercrime ring known as SamSam, this was a textbook case of ransomware: Hackers used encryption to lock up the city’s files, temporarily changed all file names to “I’m sorry” and demanded ransom. If Atlanta did not pay $51,000 within a week, the file corruption would become permanent. The city hired Dell SecureWorks and Cisco Security to work to restore its systems.
The Atlanta case is riveting because it affected a major US city directly. This case eclipses the 2017 breach that set off tornado sirens all over Dallas. It is by no means, however, an isolated or atypical incident.
Ransomware scams have become widespread. SamSam has also attacked the Colorado Department of Transportation, which managed to restore its system without paying a dime – until SamSam struck again a week later after learning how to strengthen their offense. The group collected over a million dollars from just 30 targeted organizations in 2018 alone.
SamSam, in turn, is but one of dozens of such ransomware outfits, and damages are skyrocketing. Eastern European hackers launched the first ransomware attacks in 2009. By 2016, criminals had commanded $1 billion from ransomware attacks, according to an FBI estimate. The next year, North Korean hackers hit tens of thousands of victims in over 70 countries in the single largest ransomware incident to date, crippling Britain’s public health system, Russia’s Interior Ministry and numerous private firms. Soon after that, Russian hackers paralyzed Ukrainian systems, ATMs stopped working in Kiev, government agencies faced a freeze and Chernobyl resorted to monitoring radiation levels by hand.
A 2016 survey by the International City/County Management Association and the University of Maryland found security breaches surprisingly common among US city and county governments. A full quarter of local governments surveyed had experienced cyberattacks as often as once an hour, though not all of those attacks succeeded. A third of those attacks involved ransomware.
Municipal governments fit the profile sought by ransomware rings: They had the resources to access $50,000, restoring their compromised systems and stolen data would cost more than that, and they could not run effectively offline for the days or weeks that a restoration by hired experts would take. Other frequent targets are hospitals, universities and police departments.
Despite the enormity of the threat, more than half of the local governments in the survey had developed no formal cybersecurity policy, and 66% had no written strategy in place for recovering after a breach.
Atlanta serves as a wake-up call. It is joined by many comparable attacks on systems worldwide. Both the number of attacks and the cost per attack are rising. As the Chief Information Officer for Arlington County, Va., David Jordan, concludes, local governments must now rank cybersecurity as high a priority as public safety: “A smart local government will have fire, police and cybersecurity at the same level,” said Jordan.