Since May 7, 2019, the city of Baltimore has been debilitated by a ransomware attack on its IT systems. The ransomware, dubbed “Robbinhood,” encrypted hard drive data to prevent access to information ranging from the email accounts of the city’s nearly 10,000 employees to its payment systems used for property taxes and utility bills. After initially coordinating with the FBI, the city refused to pay the ransom demanded by the attackers, 13 bitcoins (approximately $75,000) in total, seeking instead to rebuild systems from backups and other means.
Despite Mayor Bernard “Jack” Young’s declaration that “Baltimore is open for business,” returning the IT systems to full functionality may still take several weeks. Moreover, the city’s director of finance estimated the cost of the attack at over $18.2 million—$10 million for the technical recovery and new equipment, and $8.2 million in lost or deferred payments.
Apart from whether the city should have paid the ransom, the aftermath of the attack leaves several questions for city officials and lawmakers, including (i) who was responsible for the attack, (ii) what the city’s cybersecurity posture was before the attack and (iii) how state and federal governments can assist. A thorough forensic and criminal investigation of the matter will include a root cause analysis, possible suspects and a set of recommended remediation steps, but it will not address the role of state and federal government agencies in preventing or responding to such attacks.
The increase in disruptive ransomware attacks on municipalities from Albany to Atlanta in recent months has disrupted critical public services across the country. This raises the question of whether state and federal governments should take a more active role in supporting local governments by provide technical resources or necessary capital to prevent, or recover from, such attacks.
In response to the attack, the Baltimore City Council established the Committee on Cybersecurity and Emergency Preparedness, seeking improved state-level coordination with Maryland’s Department of Information Technology. According to reports, the city’s information technology officials refused assistance from the state IT department in the early days of the attack; however, pledges have since been made to improve this relationship. With a budget nearly three times as large as that of the city’s IT department, the Department of Information Technology could have expedited the response in addition to assisting with patching legacy systems, the Committee believes.
The Committee further requested that Maryland governor Larry Hogan seek a federal emergency and disaster declaration to give the city federal assistance for costs and repairs related to the attack. Mayor Young similarly asked Reps. Elijah Cummings and C.A. Dutch Ruppersberger to investigate reports that leaked tools created by the NSA may have been used to launch the attack. While concerns about NSA culpability have largely been dismissed, Rep. Ruppersberger believes the federal government “needs to do more to help municipalities better protect their networks.” The Department of Homeland Security’s new Cybersecurity and Infrastructure Agency, in fact, is tasked to help public and private sector organizations with their cybersecurity resilience. However, outside of congressional calls for bolstering election security, actions to assist victim municipalities have not been set and would likely require more directed appropriations requests from Congress, similar to requests for natural disaster relief.
The city of Baltimore’s challenges in responding to this matter remind municipalities and those providing service to their governments and constituents that proactive cyber readiness is critical. Furthermore, as municipalities around the country face mounting challenges in defending their networks, the Baltimore example should motivate local governments to begin consulting with state and federal lawmakers about the methods and means by which they can seek assistance when disaster strikes.