Time has run out on the city of Atlanta to respond to cyber extortionists who have successfully crippled several critical systems across the city. From first responders like the police department, which has been prevented from using certain databases, to the judicial system, city-wide payment processing for traffic fines and other areas, many citizen services in Atlanta were taken offline by a sophisticated ransomware attack. Meanwhile, public servants have been relegated to switching back to analog, carrying out paper-based work to maintain the semblance of business as usual in the bustling city. The cyber criminals who perpetrated this attack demanded payment of $51,000 in bitcoin, lest Atlanta face wider repercussions from this exploit, such as the deletion of critical data and the crippling of systems, among other possible consequences. Whether Atlanta paid the cyber ransom or not, cities are in the crosshairs of cyber and other man-made risks posing serious threats to national security.
Atlanta joins a growing number of municipal, state and government-level targets to fall prey to an increasingly complex cyber threat environment. Just as a heating and cooling vendor served as the backdoor to Target’s breach, cities may very well be a backdoor to broader cyber vulnerabilities affecting U.S. national security. In short, our lawmakers and governments are not immune to a risk that evolves according to Moore’s Law – a painful lesson Atlanta’s public servants learned during an arduous recovery. All too often, cyber criminals who seek monetary gains from their ransomware attacks exploit so-called soft targets, which makes many government agencies easy prey. This is due to the lack of synchronization of critical systems and of harmonization among the numerous third parties that states rely on to render their services, as well as the difficulty in attracting high-demand cybersecurity professionals who can make a more lucrative career in the private sector. It does not help that governments, like private enterprises, do not typically treat cyber risk as an enterprise-wide threat, but rather consign it to cash-strapped and ill-equipped IT departments and vendors.
City and government cyber resilience is not aided by the placebo effect that cybersecurity technologies and “safe brands” can create. These blindsides conspire to make the public sector particularly vulnerable to cyber threats. Add in the effect of human errors, indifference and deliberate actions (“between the keyboard and the chair” risks) and the difficulty of hardening the information systems of an entity as complex as a city comes into focus. All the more so as government transparency, public accountability and digital transformation are highly sought-after goals. The increasing reliance in cities on connected devices to measure everything from traffic flows to water levels, and to issue fines through ubiquitous speed cameras, creates an enormous and highly vulnerable attack surface. The internet of things (IoT) has opened a veritable Pandora’s box of cyber threats that even well-heeled private entities are struggling to contain. Cities will be hard-pressed to get ahead of self-sovereign cyber threats, or to make the absolute amount of cybersecurity spend a proxy for safety. Many city leaders may come to rue the day they connected every citizen service to the internet without thinking through the potential for unintended consequences.
Mercifully, Atlanta’s cyber-attack had a financial motive and/or a path to negotiation. Similar exploits aimed at proving a political point or sowing panic, such as cyber terrorism or an act of cyber warfare, are much harder to respond to and recover from. This highlights the reality that cyber risk is more of a continuity of government threat than a matter of privacy and the provision of basic citizen services. In Atlanta’s case, how many months could a city go on under the presumption of business as usual if its critical systems were taken down? Cyber risk is all too often conflated with a breach of privacy and citizen or customer trust, when in reality it is a business continuity threat. Because many cities rely on private sector cybersecurity consultants to “harden their systems,” they often take a similar tack as private enterprises: namely, hardening databases that store so-called “crown jewels,” such as health records, citizen information and tax records, among others. A veritable arms race of cybersecurity spending primarily benefits consultants and technologies, yet many vulnerabilities remain, the human element is often forgotten, and no panaceas exist.
While citizen services are vital, especially when it comes to the provision of essential government services, in the priority list of where to place cybersecurity resources, continuity of government comes first. This much is true at the state level, and continuity of government begins with the state house, critical infrastructure, first responders such as police, fire departments and emergency medical care, and finally the provision of basic citizen services. By this measure, cities like Atlanta must begin reframing the economics of cyber threats from a value at risk lens, rather than a cost of remediation or notification approach, which is the dominant model in cyber risk management. By looking at the economic value at risk in Atlanta, or the share of the city’s GDP exposed to cyber threats, $2.62 billion could be eradicated due to this faceless and infinitely patient threat, according to the Lloyd’s City Risk Index. Indeed, cyber-attacks are highlighted as the third most consequential threat to the city of Atlanta, a rank held for North American cities, where more than $93 billion in economic output is at risk. The second and third order effects of cyber threats can hobble the global economy.
Combining city and state requirements to maintain a balanced budget, the measure of economic value at risk and the reality that taxpayers are the first line of financial defense makes a compelling case for pooling “blended” risk capital into government cyber risk transfer approaches. Structures that recognize cyber threats (even when monetary demands are relatively small) as potential catastrophic losses can help shield limited public coffers from the economic consequences of these risks. Indeed, Lloyd’s research shows that for every 1% increase in insurance penetration, there is a corresponding 22% decrease in the share of risk borne by taxpayers. Cyber risks, unlike property damage, which tends to be a finite and easily calculated economic exposure, can cause incalculable harm. Therefore, when it comes to cyber threats, prevention is much better than cure. In short, even if you are fully insured, a cyber threat will be painful.
Just as the great city of Atlanta has a fire brigade to save lives and limit property damage, cities, and indeed countries, must consider creating cyber fire brigades as a common good and not as a service spared for those who pay the most money. Cyber threats exploit weak links to get at more desirable or lucrative targets. Therefore, approaches that view cyber threats from the lens of collective defense can go a long way in improving overall resilience. Atlanta’s ransomware woes should serve as a wakeup call to all cities and government entities that not only have cyber threats come of age, but the next time around the motive may not be monetary.