The world is a dangerous place. Perhaps it’s always been that way. Nature is governed by evolutionary competition, politics take shape where interests and power meet, and economics are ruled by free markets and comparative advantages. It’s a brutal, cutthroat business. And yet, things seem even more dangerous today.
In an increasingly connected, digitized world, nobody is safe from cyber attacks. Even major, metropolitan cities are getting attacked by hackers. And the demands of these hackers are only increasing as they become more emboldened with each successful attack. The prime example that stands out is the recent cyber attack on Baltimore.
The Baltimore Hack: Just the Facts
According to reports, on May 7, 2019, hackers disabled about 10,000 government computers throughout Baltimore, preventing their use and access by locking their contents away in a digital vault controlled by the attackers. If a ransom of $100,000 was not paid, the hackers threatened they would “brick” all affected devices. For two weeks, the attack caused city employees to be locked out of their email accounts while Baltimore residents lost access to essential services, including government websites and municipal pay portals.
To make matters worse, this is not Baltimore’s first ransomware attack. In March 2018, a separate attack knocked the city’s 911 and emergency response systems offline for 17 hours. Apparently, the city learned little from the event, or perhaps simply not enough to prevent a recurrence.
In large scale, infrastructural attacks such as the one waged on the city of Baltimore, hidden costs abound and indirect consequences are difficult to quantify. Putting a dollar figure on the destruction is never really going to fully capture the extent of the havoc wrought. That said, according to Baltimore’s budget office, total costs hover somewhere around the $18 million mark. That’s 180 times the cost of the ransom demanded!
How Did We Get Here?
What casual observers might not know about the 2019 Baltimore hack is that a key part of the malware used to hold the city’s critical digital infrastructure for ransom was actually paid for by the city’s residents and the rest of their US compatriots. EternalBlue, something like the digital equivalent of a skeleton key, was developed by the NSA to assist their cyber snooping efforts and as part of a strategy to "stockpile vulnerabilities." EternalBlue exploits a flaw in the way Microsoft Windows machines implement the SMB protocol, allowing unauthorized third parties to take control of affected devices.
As disturbing as that is, the situation got a lot worse when a hacker group known as the Shadow Brokers leaked the exploit chain online in April of 2017. It didn’t take long before EternalBlue was being put to devastating use, serving as the backbone of the global WannaCry ransomware attack less than a month later. Now it's being used to paralyze vulnerable American cities. Talk about chickens coming home to roost!
Since the cat got out of the bag and EternalBlue was leaked, it has been used by North Korea, Russia and China to hack a multi-billion dollar path of destruction across the globe. So, when Baltimore’s computers suddenly ceased normal functioning and began displaying cryptic messages like “We’ve watching you for days,” and “We won’t talk more, all we know is MONEY! Hurry up!,” officials soon realized they were simply the latest victims in a long line of EternalBlue-fueled cyber malfeasance.
A Conflicted Calculus
While Baltimore is most definitely not the first city to be attacked, mayors and city officials are still struggling to navigate these choppy waters. One of the biggest examples of a failed response to a ransomware attack comes from the city with the world’s busiest passenger airport, Atlanta, Georgia. When Atlanta was attacked last year, city officials decided not to pay the ransom. The consequences were catastrophic, with the city spending some $2.6 million in recovery efforts necessitated after having spurned a $51,000 ransom demand.
On the other end of the spectrum, there are examples where being too acquiescent to an attacker’s demands backfired as well. Kansas Heart Hospital, for instance, paid the ransom demanded to free their computers and decrypt their files, only to see the attackers double down and demand further payment. More often than not, though, the ransomers honor their word, as when Riviera Beach conceded $600,000 to hackers to free Police and Fire Department computers and restore essential services.
Of course, even when a besieged organization or city ponies up to successfully free their IT and data, one has to wonder if they’re not just kicking the can down the road — ultimately making the problem even worse. For instance, after Riviera Beach coughed up the bitcoin, two other Florida towns, Lake City and Jackson County, were similarly extorted. Conversely, if tomorrow all of a sudden all ransomware victims refused to pay, it stands to reason that there would no longer be any incentive for hackers to carry out such attacks.
Indeed, it’s with that rationale in mind that the FBI categorically advises ransomware victims not to pay. Of course, life is complicated and categorical logic often lacks wisdom.
Suppose, as was the case in Riviera Beach, that you have your police department under cyber attack. Officers are forced to take statements and prepare reports by hand. It slows you down, it’s a pain to organize and keep track of the pieces of paper, and it’s tedious to refer back to or search. It’s true that an inefficient police station can have more serious knock-on effects and I don’t mean to belittle the impact, but by and large such an assault could be withstood.
But when your computer system extends to your evidence database and when the deadline for payment comes and goes with no money exchanged, your devices are bricked and the information they held is forever lost. You may have murder trials in process and DNA evidence may be lost. Perhaps you don’t have enough genetic material to redo the tests. Or perhaps you’re holding onto the digital DNA profile of a since deteriorated cold case sample you haven’t yet matched.
For most people, a description of these messy real life implications (or 500 other possible examples) makes it clear that a categorical policy of non-payment simply is not feasible. And yet, in July 2019, the U.S. Conference of Mayors unanimously pledged to no longer countenance payment of cyber ransoms. So what gives?
The truth is that the conversations that take place behind closed mayoral doors are likely very different and decidedly more nuanced than the categorical declaration and united front presented at the Conference of Mayors. The resolution denouncing ransomware appeasement was most likely designed to send a message to would-be attackers: the jig is up and the party’s over, we will no longer play your games. And yet, the game will almost certainly continue wherever ransomware successfully holds hostage critical city infrastructure.
What to Do
It’s a horrible thought — that cities are forced to capitulate to criminals and in so doing all but guarantee that others will be hit, or they can refuse to surrender and suffer the slings and arrows of outrageous fortune. Neither choice is a good one nor can either be categorically declared the wrong choice. And while it’s unclear what approach offers the best route forward for an entrapped city, the Baltimore hack at least makes one thing clear: cities need to take the threat more seriously and do more to prepare before they get hit.
Here’s a 12-step approach to help cities steer clear of a no-win scenario:
- Get coverage.
First things first. Cyber insurance should be purchased. That way, if all else fails, at least the city’s residents and public coffers won’t feel much pain from the attack.
- Think like the enemy.
City officials should be working to build a list of the most “attractive” targets for cyber attack. The things to focus on here are critical infrastructure points like police departments, fire departments, hospitals, airports, seaports, military bases, power stations, waterworks plants, and the like.
- Take stock.
Once a comprehensive list has been made, administrators will need to take stock of all the connected technologies that those installations are running. This work will be assisted by the use of CMMS and inventory management systems where applicable.
In some cases it may be deemed appropriate to invest in cyber mapping solutions that automatically identify and categorize all network endpoints. Where such systems are not in place and cannot be installed, the work will be considerably more tedious: cross-referencing spreadsheet entries against the results of a dragnet field inspection.
- Build a dossier.
Once all connected assets are located and indexed, relevant managers will need to be assigned to collect available hardware and software details for each device.
- Deal with weak spots.
With that information in tow, machines that are dangerously and irreparably deprecated will need to be decommissioned. Machines that are un-patchable and un-updatable but not considered to be at high risk will need to be flagged and outfitted with special mitigations, security policies, and architectural accommodations. All devices that can be safely patched and updated must be.
- Test the foundation.
At this point, it would make sense to bring in auditors to review the quality of service and security for each listed network.
- Reinforce the foundation.
Remediations should be implemented based on audit results and in conjunction with the recommendations of an oversight committee and non-vested industry advisers. Default passwords should be changed, encryption should be used, and multi-factor authentication should be made standard practice.
VLANs and security groups should be reconfigured to restrict communications and reduce the attack surface to a minimum. Each VLAN and security group should be subject to tailored governance that ensures security without compromising functionality. Unless operationally necessary, RDP should be disabled and ancillary ports should be closed.
- Arm yourself.
IT solution stacks should then be reviewed with a mind to integrate, automate, and expand capabilities. Where tools are used redundantly, only the best should be kept. Where processes are overly manual, applicable automation solutions should be considered. Where gaps are found in the management regime, new tools should be introduced. Where general solutions don’t pass muster, more sophisticated, purpose-specific solutions should be procured.
Network visualization and monitoring tools should be put into place. Anomaly detection systems should be configured and continuously deployed. Anti-virus software should be installed and kept updated wherever suitable, firewalls should be erected, and automated system backup technologies should be rolled out.
- Continuously patrol.
New threats should be continuously monitored, new vulnerabilities should be regularly patched and mitigated, and blacklists should be routinely updated.
- Rehearse and review.
Roles and responsibilities need to be clearly defined and assigned for cyber preparedness and response, both at the municipal level as well as in the individual targets within the city. As the old saying goes, practice makes perfect. Police departments, fire departments, hospitals, etc. will all need to conduct semi-regular training exercises simulating cyber attack scenarios. The idea is to put all your theoretical plans to practical test. Any lessons learned will then need to be compiled and integrated into your cyber strategy.
- Rinse and repeat.
This whole process should be undertaken anew every three to five years.
- Work on a sustainable solution.
Set aside annual budget to invest in a cyber task force jointly commissioned and funded by an alliance of US cities. The goals of such a task force should include (a) raising awareness around the problem, (b) working to advance digital forensic techniques so that cyber extortion schemes can be more effectively traced, (c) lobbying for legislation that holds dark web platforms and facilitators accountable for second-party crimes, and (d) developing new recovery technologies to undermine the threat of file-locking and permanent data destruction.
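As an added example (not part of the original article), here is a small Python triage pass that applies the “deal with weak spots” and “reinforce the foundation” rules from the steps above to a constructed asset inventory. The hostnames, inventory columns and the 2019-05-07 reference date are assumptions made for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (illustrative hosts, not real city assets).
# Columns are the fields the "take stock" and "build a dossier" steps collect.
INVENTORY_CSV = """hostname,site,os,support_end,patchable,critical,rdp_enabled,rdp_required,smb1_enabled
pd-evidence-01,police,Windows Server 2008,2020-01-14,no,yes,yes,no,yes
pd-dispatch-03,police,Windows 10,2025-10-14,yes,yes,yes,yes,no
fd-records-02,fire,Windows 7,2020-01-14,no,no,yes,no,yes
ww-scada-hmi,waterworks,Windows XP,2014-04-08,no,yes,no,no,yes
lib-kiosk-07,library,Windows XP,2014-04-08,no,no,no,no,no
"""


def _yes(value):
    return value.strip().lower() == "yes"


def triage_asset(row, as_of):
    """Classify one inventory row: returns (action, mitigations).

    action is 'patch', 'flag-and-mitigate' or 'decommission'.
    """
    mitigations = []
    # Attack-surface reductions from the "reinforce the foundation" step.
    if _yes(row["rdp_enabled"]) and not _yes(row["rdp_required"]):
        mitigations.append("disable RDP")
    if _yes(row["smb1_enabled"]):
        mitigations.append("disable SMBv1")  # the SMB version EternalBlue targets
    if _yes(row["patchable"]):
        return "patch", mitigations
    unsupported = date.fromisoformat(row["support_end"]) < as_of
    if _yes(row["critical"]) or unsupported:
        # Un-patchable and either high risk or out of vendor support: retire it
        # (mitigations above are interim measures until it is gone).
        return "decommission", mitigations
    # Un-patchable but lower risk: keep it, isolate it and compensate.
    mitigations.append("isolate in dedicated VLAN")
    return "flag-and-mitigate", mitigations


def triage_inventory(csv_text, as_of):
    """Return {hostname: (action, mitigations)} for every inventory row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage_asset(row, as_of) for row in reader}


if __name__ == "__main__":
    for host, (action, mits) in triage_inventory(INVENTORY_CSV, date(2019, 5, 7)).items():
        print(f"{host:16} {action:18} {', '.join(mits) or '-'}")
```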
Long Story Short
The 2019 Baltimore hack serves as a powerful case in point demonstrating not only our fundamental cyber vulnerability, but our profound lack of preparedness. Cyber threats are all around us and attacks on our public infrastructure are inevitable. Today's hackers aren’t the script kiddies of the past; they’re well-organized, well-tooled and increasingly emboldened. They’re no longer content vandalizing websites and ripping off little old ladies with cliched phishing ploys. Now they’re coming for us all and they’re targeting us as efficiently as possible — through the cities in which we all live, work, and mutually depend.
And it’s not just rogue elements looking for a payday either. Increasingly, political conflicts are playing out in the cyber arena — and sadly public infrastructure seems to be moving more and more into the field of play.
Welcome to the 21st Century. Cities must now worry about well-organized cybercriminal operations as well as hacker soldiers. The times have clearly changed. The question remains, what are local governments and public infrastructure administrators going to do to protect us?