The city of Atlanta's ongoing recovery from a crippling ransomware cyberattack in March offers a chance to improve its network security and architecture, the interim CIO told the City Council recently.
The enterprise-level disruption to Atlanta government services following the March 22 ransomware cyberattack left city employees unable to turn on their computers, inhibited residents’ ability to pay bills and temporarily reduced police to writing reports by hand — but now presents City Hall with a chance to rebuild smarter and stronger, its interim technology leader said recently.
The incident’s effects continue to be felt: Atlanta’s court system was only recently restored, and a police department spokesman confirmed to Government Technology that the agency has lost some access to archived in-vehicle video and camera systems.
But in a June 6 presentation of the Atlanta Information Management (AIM) department budget to the Atlanta City Council, Interim Chief Information Officer Daphne Rackley said the city has a singular opportunity to drill down on security as it rebuilds, revisiting its network design and ensuring that it is appropriately compartmentalized against future attacks.
The cyberattack, which may have originated with a virus from the Samas or SAMSAM family, sought a ransom payment of around $50,000 in bitcoin. Officials have said little about its origin or that aspect of their response.
The impact of the breach was immediate, shuttering many city computers and printers for about five days; prompting police to handwrite incident reports; requiring the manual processing of nearly 20,000 cases at Atlanta Municipal Court and halting online or in-person ticket payments; halting online water bill and business license payments and renewals through at least March 30; and forcing the cautionary disabling of the Wi-Fi at Hartsfield-Jackson Atlanta International Airport, the nation’s busiest airport, until April 2.
In its recovery, the city’s incident response team worked with a host of federal and private-sector partners, including the FBI, U.S. Secret Service and Department of Homeland Security, and with groups from Microsoft, Cisco and security solutions provider Secureworks.
Online water bill payments were restored after being down nearly seven weeks, the Atlanta Journal-Constitution reported on May 8; and the court’s online bill payment option and docket boards are available again, the local KCBS affiliate reported on June 11.
Carlos Campos, director of the Atlanta Police Department’s (APD) public affairs unit, confirmed to GT that the agency’s WatchGuard in-vehicle video system, “commonly known as dash cam,” continues to be significantly impacted by the cyberattack.
“The cyberattack caused us to lose access to archived video in almost all of our cars, though some of the camera systems are still operational and some video archives still exist,” Campos said in a statement, indicating APD hopes “we can work with our vendors to restore the system.”
Campos did not respond to additional questions about the extent of the impact to the department and its caseload. But in the statement, he said: “While dash cam is a valuable tool, it does not always make or break criminal cases. We have not been made aware of a specific impact on any pending cases at this time.”
Nearly 35 percent of the city’s 424 total applications were “impacted” by the breach, Rackley told the City Council during her presentation. Of those 147 apps, 49 were “critical,” she said, showing the council a slide identifying the status of 95 mission-critical applications.
The AIM Fiscal Year 2019 proposed operating budget is nearly $35.1 million — an increase from FY 2018 of nearly $516,000. Overall, the budget includes $500,000 for “IT network upgrades,” Mayor Keisha Lance Bottoms said in her budget message. But according to Reuters, Rackley has indicated her department could need as much as $9.5 million more due to the breach.
AIM took “a principled approach” to the rebuild effort, Rackley said, rebuilding critical apps in a “current reinforced environment” and ensuring security was in place.
“We have been able to stand up a lot of applications in what we call our reinforced environment. Meaning, we took our current environment and said ‘How can we make it as safe and secure as possible while we rebuild the new network environment,’” she said.
Prior to the attack, AIM had centralized its service desk and migrated “some” core apps to the cloud, Rackley said, indicating these strategies benefitted it during the breach.
She explained the city could improve “overall IT financial management” by boosting visibility and transparency — and potentially establishing an IT investment advisory board including council members, city representatives and external partners.
Doing so, Rackley told the council, could offer it “detailed visibility” at a budget line item level and generate ideas for how to redistribute funds and optimize costs for the overall budget. The interim CIO said she hoped an advisory board might be seated later this summer.
As AIM and the city work to enhance its overall cybersecurity and improve the reliability and effectiveness of its infrastructure, Rackley said, it’s crucial to re-examine network design and architecture to ensure “appropriate segmentation” so that should another incident happen, “we have a better way of isolating the effect of any attacks.”
John Gaffney, the city’s deputy chief financial officer, told the council that despite the feeling that a lot of time may have passed since the cyberattack, “we’re relatively early in the process,” noting that “even from our [cyberinsurance] policy perspective, we’re still in the response phase.”
The policy, he said, “will technically cover us until we’re up and running on the new and more secure network and that could be months away,” adding that he expects “there would be an allocation of not only the response costs enterprise-wide, but then also any recoveries that would come back from the cyber claim.”
The council, Atlanta City Council President Felicia Moore told GT, is “poised to be as supportive as we certainly can,” and should approve the budget on June 18.
“I don’t think anybody doesn’t want to do what we can to fix what’s wrong and try to mitigate any potential happenings in the future,” Moore said.
But at the meeting and in an interview, she and Councilman Howard Shook also expressed their desire to know more about the cyberattack’s cost and to be able to share more information with the public.
“The executive branch is sort of keeping that close to the vest. I think people want to get enough of a briefing that we have a good sense of it and not read about it in the paper,” Moore said.
“What kind of changes or updates are we going to see in here relating to the costs of the cyberattack and how those, where those costs will be spread?” Shook asked at the meeting, including himself among people who would rather err on the side of releasing too much information, given that bad actors seem able to find it anyway. An official told the councilman that updated numbers would be made available before the budget’s adoption.