The city has been slowly getting its operations and systems back online after a cyberattack in early May, but debate over the administrative response to the attack is still causing controversy.
It has been a little over a month since a ransomware attack hit the city of Baltimore, locking up officials’ data and temporarily crippling key parts of the city’s administrative operations.
While much work has been done to correct course, the recovery from the episode has been slow.
The hacker, who has not been identified, asked for a ransom of 13 bitcoins, equivalent to some $80,000. Refusing to pay, the city has since suffered an estimated $18 million in lost revenue and recovery costs, and the damage to certain service delivery has yet to be undone.
Last week, officials said they had a majority of city operations back up and running, though key functions — mostly bill pay systems — are still requiring workarounds that inconvenience city residents.
“Mostly everything is working. The pay systems are what we are still struggling with,” said James Bentley, communications officer for the Mayor’s Office, speaking with Government Technology. The affected systems include the city’s water billing system, its e-permit system, and certain real property transactions — all of which have had to revert to manual payments or other workarounds.
Staff operations are another area where efficiency is still a work in progress. As of last Monday, the city was reporting that 65 percent of the city’s staff had been able to log in to their computers and send and receive emails. The hope, Bentley said, is that by the end of this week, around 95 percent will be back online and re-authenticated.
Despite their efforts, the city's administration has been criticized for how they initially handled the attack. Among other things, complaints about lack of communication and inadequate information sharing — often vital in the aftermath of a cyberincident — have been levelled by both state and city council officials.
"I am profoundly disappointed in the response to the incident, the lack of communication that has come from your office as a result of it," complained one City Council member, Eric Costello, to administration officials at the latest meeting. This sentiment — that the administration had been — was shared by other Council members.
Similarly, city administrators apparently did not accept help from Maryland IT experts during the first week following the attack, potentially leading to greater damage, according to The Baltimore Sun. The state's senior CISO John Evans told the newspaper he felt the city had kept state officials "at arm's length" due to a lack of trust.
But basic precautionary measures may have also helped to prevent the attack in the first place.
Herb Lin, a cybersecurity expert, Stanford University senior research scholar and Hoover Institution fellow, said that one of the surest lines of defense for communities is adequate funding of cybersecurity and a prioritization of defense by management. This is easier said than done, he added, noting that smaller cities are more vulnerable than larger ones, as they have less money and fewer resources.
"The ransomware that hit Baltimore would have been prevented by a patch that Microsoft had issued in 2017 — that is, two years earlier," Lin said, speaking with Government Technology. "People should be installing patches. Everybody knows that. But saying you should be installing patches and actually doing it are two different things. It takes effort, it takes money, it takes follow-up and so on."
Lin further commented that as these types of attacks become more and more common, communities will have to make basic defenses a priority.
City officials have pushed back on some of the criticism levelled at their administration.
Sheryl Goldstein, the deputy chief of staff for operations for the Mayor’s Office, said that officials have been too busy to focus too heavily on complaints. Goldstein, who only joined the administration in May, has been leading the effort to reanimate the city’s systems along with Chief Information Officer Frank Johnson, of the Baltimore City Information Technology Office.
“I think that Frank and I are perhaps guilty of spending too much time trying to fix things and get the work done,” she said. “Perhaps our ability to communicate that to our City Council partners was not as strong as it could have been. I think we’re all committed to doing a better job of communicating.”
Those efforts first focused on containing the ransomware, then creating a safe environment from which the affected systems could be repaired. Since then, Goldstein said, efforts have focused on bringing things back online and getting staff back to work.
Currently, administrators are attempting to reauthenticate the 10,000 people who work for the city, a big task that is taking time.
Similarly, apps that were used to service various business needs for the city are being brought back into circulation. This process of bringing the applications back online will be lengthy and will not be automatic, Goldstein said.
“That’s going to be a lengthier process. Right now we’re really working with BCIT on benchmarks and timelines for those processes so that we can get our agencies prepared for what this will look like over time,” while also readying residents and customers for what to expect moving forward, she said.
Goldstein said that, in an effort to prevent future attacks, the city is consulting with cybersecurity experts to develop stopgaps.
“We’ve brought in some experts in cybersecurity that are working with us to develop methods, mechanisms and tools to secure the network and keep it secure going forward,” she said. “We also have plans to make cloud-based our finance and HR functions.”
In addition to adding fuel to conversations about the defensive measures cities can take to prevent these kinds of attacks, the Baltimore incident has also stirred a debate about the potential role the federal government may have to play. This is because the exploit used in the Baltimore incident may have been a leaked National Security Agency tool known as EternalBlue.
In May, The New York Times reported that this tool may have been used, while the spy agency subsequently denied that its software was the culprit.
James Bentley, with the Mayor's Office, said that it has not yet been determined what kind of tool was used during the attack, though the FBI is currently conducting a forensic analysis to make that determination. More information could not be provided at this time, he added.
The accusation has caused a debate about whether the federal government bears some responsibility for cyberattacks of this nature and whether defenses need to be increased around high-tech cyberweapons. Some have levelled extreme criticism at the government for its inability to control these weapons.
Lin said that he believes the federal government should have these kinds of powerful cybercapabilities, but that they need to be well guarded.
"I happen to be one of those people who believe they should have them [cybertools], but not if they can't control them," he added.
Editor's note: Herb Lin's title with Stanford University was corrected.