The Ransomware Attack in Baltimore: A Failure of Organizational Resilience


COMMENTARY | Employing best practices and adhering to international standards can help organizations and governments weather cyber attacks and other disruptions.

Beginning in early May, a successful phishing scheme paralyzed part of the city of Baltimore’s computer networks through a ransomware attack. The attack took hold of multiple computer systems used to run the government, remotely encrypting all the systems’ files. The attackers demanded around $80,000 for the systems’ release. As Baltimore officials continue to deal with fallout from this cyber attack, with at least the water billing system still not up and running, the lack of organizational resilience both in and out of cyberspace is laid bare. The attack crippled city operations, with city emails and voicemails unable to be accessed for weeks, and the malware took down the systems through which city residents pay water bills, property taxes, and traffic citations, as well as the city’s ability to officially close real estate sales.

While many of those functions were back up and running by early July, lingering issues and the estimated $18 million cost of recovering from the attack are a testament to the reality that in 2019, cyber technology undergirds and connects some of the most fundamental aspects of everyday life. These systems are central to the basic function of government, and because they serve the public, the network repairs and rebuilding must be done with organizational resilience in mind. Employing best practices and adhering to international standards, such as standards on information security and business continuity, can help organizations and governments weather cyber attacks and other disruptions.

The first step in improving organizational resilience is to perform a benchmarking audit to understand an organization’s strengths and weaknesses, taking stock of issues like governance risk and the supply chain.

To improve organizational resilience, organizations need to adopt a stance of preventative control, mindful action, performance optimization and adaptive innovation to embed competence and capability throughout the organization. From the initial benchmark and understanding of areas in need of improvement, organizations should examine which areas are defensive in nature (stopping bad things from happening) and which are progressive (enabling good things to happen).

In Baltimore, the failure to put up basic cyber defenses played a large part in the attack. A critical vulnerability in Microsoft software, famously exploited in 2017’s WannaCry ransomware attacks, was still present in the city of Baltimore’s computer systems at the time of the attack. Microsoft introduced a patch for the vulnerability in 2017, yet the city never updated its systems to defend against this well-known threat. Even massively important organizations like the Baltimore City Government are not adequately preparing for cyber threats, and the consequences of this oversight are now being felt by individuals and businesses throughout the Baltimore area.

Importantly, Baltimore is not an outlier when it comes to lax cybersecurity. Just last year the city government of Atlanta was hit by a ransomware attack, and a recent article in the Washington Post highlights how poor funding for IT departments in city budgets around the United States makes many local governments vulnerable to cyber attacks. The New York Times recently noted that even in cities that are insured, and therefore able to pay a ransom, those payments don’t mean all services are restored immediately.

Baltimore also missed opportunities for progressive organizational resilience. Reports from Baltimore officials speculate that the ransomware attack was initiated through phishing efforts. While phishing attacks are difficult to deter, regular training of city employees on good cybersecurity hygiene could possibly have foiled this attack before it started. Training and education are among the methods of progressive organizational resilience that organizations can add to their efforts.

The lack of plans on what to do in case the computer networks went down also stymied Baltimore officials. In an attempt to get city systems back up and running, city employees created free Gmail accounts. These workarounds were initially shut down by Google because the creation of numerous accounts from the same IP address triggered Google’s automated security system, and because the type of use for these accounts meant they should have been under Gmail’s paid G-Suite service. A lack of contingency plans also left anyone trying to sell a property within Baltimore in the lurch. While not infected with malware, the system that creates and processes lien certificates used in processing deeds had to be shut down. That meant the city had to implement a manual procedure that required sellers to sign an affidavit that they will pay any outstanding taxes or other liens on the property within 10 days of being invoiced by the city.

The cost and long-term effects of this cyber attack and lack of organizational resilience in Baltimore will be felt for years to come. Hopefully, as the city recovers and examines its systems and processes, officials will decide to implement the principles of organizational resilience and abide by best practices to ensure business continuity. Because computer networks are so central to the delivery of services, it is paramount that governments safeguard their collective cybersecurity, stay updated on evolving cyber threats and remain vigilant about cyber defenses.

Willy Fabritius is the Global Product Champion for Information Resilience at BSI.
