Ransomware: A ‘Soft Nuclear Weapon’ Aimed at Government

We're in a new era of digital extortion. We need to do a lot more to block and mitigate attacks like the one that crippled Atlanta.
April 6, 2018
By Frank Shafroth  |  Columnist
Director of the Center for State and Local Government Leadership at George Mason University

In the wake of a ransomware attack that disrupted computers in at least five of the city of Atlanta's 13 departments, much of the city's business was reduced to the pre-computer era of longhand. Police had to file their reports on paper. Residents were unable to pay their water bills. Vital communications such as sewer infrastructure requests were limited. A week after the March 22 attack, in which hackers demanded a ransom of $51,000 in bitcoin, some city employees were allowed to turn their computers back on, but a city spokesperson said that "it will take some time to work through and rebuild our systems and infrastructure."

And yet the hacking of Atlanta's computers wasn't the only ransomware attack against a government in recent weeks: At the same time that Atlanta's computers were under siege, Baltimore's 911 system was disrupted, forcing the city to resort to manual dispatching for nearly a day. A few weeks ago, Leeds, Ala., paid ransomware hackers $12,000 in bitcoin. And the common but notoriously effective strain of ransomware called SamSam that was used to hack Atlanta's computers was the same one used in February to disrupt Colorado Department of Transportation systems.

It's a new era of digital extortion for the nation's cities, counties, school districts and state governments, at a time when far too few of them are even minimally prepared to respond. According to a 2017 survey by the International City/County Management Association, 44 percent of local governments report that they regularly face cyberattacks. More distressingly, 28 percent do not know how often they are attacked, 41 percent don't know if their systems have actually been breached, and more than half don't count or catalog attacks. Atlanta was counseled at least a year ago on its vulnerabilities -- warnings it did little to address.

This is, of course, a global challenge. Around the world, few local-government leaders understand the seriousness of the threat, according to Tamir Pardo, the former head of Mossad, Israel's national intelligence agency. He described ransomware and other forms of cyberattacks as "soft nuclear weapons" aimed at government.

So, for state and local leaders, the question is what will be required to prevent attacks or mitigate damage from successful ones. A fundamental step in creating a culture of cybersecurity is to recognize that the most serious threat comes from within, so it's vital that users be trained in cybersecurity protocols -- that they be made aware of what not to click on, what to report and what actions to take. Governments at all levels should establish stronger cybersecurity policies and prioritize funding for cybersecurity.

One area in which funding is key is in building the capacity, through what's known as "persistent data capture and storage," to thwart a ransomware attack by being able to roll back to a clean, uncorrupted copy of data that is being held hostage. A jurisdiction's storage costs will increase with each data capture. But inaction could put much at risk. "We must actively prepare for cyber threats of the sort that have been demonstrated in places like Atlanta," the CIO of one large urban county told me, asking that he and his county not be identified lest hackers take his comments as a dare. "If smart cities and communities are the brightly lit days of the increasingly connected world of local government technology, cyberattacks are the dark and stormy nights."

The CIO I spoke to is an advocate of governments adopting blockchain, ironically the very technology that supports the cryptocurrency in which ransomware attackers commonly demand to be paid. "The methodology is virtually impenetrable. The most logical place to introduce this technology is in local government," he said, adding that his county is ramping up to implement it with "our core records we collect on constituents."

There are plenty of other steps for local government leaders to consider, including:

• If your government does not already have a chief information security officer, hire and empower one.

• Engage with the Multi-State Information Sharing & Analysis Center, which is responsible for improving the overall cybersecurity posture of the nation's state, local, tribal and territorial governments.

• Ask the federal Department of Homeland Security to do a "SWOT analysis" -- searching out strengths, weaknesses, opportunities and threats -- of your digital infrastructure.

• Ask the state to put some skin in the game, especially if your local government is a small one.

All is not hopeless. Cybersecurity best practices -- keeping systems patched, storing segmented data backups and having a ransomware preparedness plan -- can offer real protection against SamSam-style infections, says Dave Chronister, founder of the "ethical hacker" firm Parameter Security. "Ransomware is dumb," Chronister told Wired after the Atlanta attack. "Even a sophisticated version like this has to rely on automation to work. Ransomware relies on someone not implementing basic security tenets."