Baltimore Committee Digs for Answers on Ransomware Attack

The new City Council committee discussed the ways in which the ransomware hackers were able to infiltrate Baltimore's IT infrastructure at its first meeting this week.

November 11, 2019

The Baltimore City Council convened a new cybersecurity committee last week, giving officials and the public an opportunity to openly discuss details of the large ransomware attack for the first time since it took place in May. 

Organized by City Council President Brandon Scott, the Cybersecurity and Emergency Preparedness committee will eventually develop policy suggestions aimed at averting another attack, said Eric Costello, city councilor for the city's 11th district and committee co-chair.

"We're going to put together a report with recommendations, but that's a ways down the road," he said, speaking with Government Technology.  

For now, the committee — which held its first meeting last Thursday — was on more of a fact-finding mission for answers about why the city's executive branch responded to the crisis the way that it did. 

The meeting provided details of the attack from the perspective of incident first responders: officials first began seeing signs of the large-scale attack around 3 a.m. May 6; by around 8 a.m., they had roughly identified the strain of malware being used, but had not been able to contain it. From there, it was a race to work together with federal and private partners — who were alerted fairly immediately — to isolate the problem and mitigate fallout.

But Thursday's meeting also focused heavily on what went wrong in the response process, homing in on perceived gaps in the city's continuity-of-operations processes. These concerns were part and parcel of complaints previously made in the wake of the attack, including that former IT director Frank Johnson had not created a cyber-response plan and that the city had also lost data in the attack due to bad backup practices by staff. Most prominently, state and local leaders accused the administration of not maintaining adequate lines of communication during and after the crisis.

Isaac "Yitzy" Schleifer, city councilor for the 5th district and co-chair of the committee, gave voice to some of the frustrations that councilors had with how the mayor's office failed to streamline communication and policy in the wake of the attack. 

"We were sitting in our offices not really sure whether to disconnect or not. We were getting conflicting stories from different people, and there wasn't a steady flow of information as to what city employees should do," he said.

On tap to answer these questions were a host of emergency response and IT officials, including Todd A. Carter, the city's acting CIO, who stepped in after Johnson left in October.

Carter, who began working for the city the day before the attack, asserted that mistakes had been made, but attributed some of the initial failure to a lack of departmental staffing and funding. He also pushed back on the notion that there had been a lack of communication with city staff.

"We briefed [the] Council President and the Mayor at 2 p.m. on the 7th as to the nature of the incident and then there was ongoing communications moving forward with top officials in the administration. I would keep in mind that it was an evolving situation, so I think our knowledge of what was happening and the level of impact ... we were diagnosing those and communicating it and getting into our response rhythm," Carter said during the meeting.  

There was also a disagreement between city councilors and Carter as to whether alerts from the BMORE ALERT system — an emergency notification system used by the city — had been sent in a timely manner following the attack. Councilors claimed they hadn't received alerts about the attack, while Carter countered that the system had worked the way it was supposed to. Plans to establish a Slack channel — a cloud-based instant messaging service — as an external backup communication tool are also being discussed.

In this fashion, the meeting brought out a contrast of concerns and perspectives between the executive branch staff that responded to the attack, and the public officials who felt sidelined during that response. Other voices in the fray included David McMillan, head of emergency management, as well as Chief Information Security Officer Gayle Guilford. 

Sheryl Goldstein, the deputy chief of staff of operations for the Mayor's office, said during the meeting that the BMORE ALERT system should be tested for its effectiveness more robustly, while also commenting that a better approach to communicating with the public and the city council would be prioritized in the future.  

Carter said newly purchased and installed IT and cyberdefenses, which he declined to comment on specifically, would better protect the city. 

"We've put in a number of tools that would minimize how, if we were attacked again, someone could move around in our environment and cause such widespread damage to files, computers and processes," Carter said. "We've added a number of tools and processes to protect our servers, our firewalls, our network. We've added different types of monitoring that gives us a better insight as to what is happening and when."   

Lucas Ropek Staff Writer

Lucas Ropek is a staff writer for Government Technology. He has worked as a newspaper reporter and writer in Massachusetts and New York. He received his Bachelor's degree in English from Kenyon College in Ohio. He lives in Northern California.
