The city that reads, Baltimore, is only the latest U.S. city to fall prey to a crippling ransomware attack. This time, the attackers appear to have leveraged a new ransomware variant called RobbinHood, which crept under firewalls, crippling key city systems. In all, the attackers demanded a ransom payable in 13 bitcoin ($103,000 at today’s exchange rate), showing how the advent of cryptocurrencies has given cyber criminals added cover, although payments to digital wallets, particularly in bitcoin, are traceable to individual wallets, even at the micropayment level. Baltimore’s case, like Atlanta’s before it, demonstrates how countless cities, communities and public sector entities are squarely in the crosshairs of cyber threats and proving to be easy prey at that.
Cities and the public sector more generally may not be the most lucrative ransomware targets, with an average ransom demand of around $116,000 for publicly disclosed ransoms. Moreover, cities are at least asserting publicly that they will not pay. Nevertheless, they are falling one by one like so many dominoes in a rally to emerging ransomware threats, of which RobbinHood is only the latest strain to emerge in the market. Part of a city’s vulnerability is its vast attack surface, which is only amplified by “smart city” efforts where municipal leaders and mayors make technological investments in sensor arrays and other connected devices that enable better information flow across city systems and functions. This drive for improved city connectivity, along with the vast network of internet-connected devices (IoT), is leaving a proverbial cyber backdoor open.
Add to this vast threat surface area the cyber risks that emerge between the keyboard and the chair, such as targeted phishing attacks, social engineering or the nexus of physical losses and cyber threats, and protecting city systems may prove to be an impossibility by today’s standards. This is especially true given how hard it will be for even the most well-funded cities to attract top cybersecurity talent, let alone drive improvements in cyber hygiene or compliance across disparate city functions. These functions are not only informationally siloed; they also often rely on a wide network of third-party vendors, contractors and others who may have different definitions of what constitutes good cyber hygiene.
In addition to these challenges, city operations at the software and hardware layers are often running on a patchwork of legacy systems. In some cases, particularly with industrial controls for water treatment and public utilities, among others, these systems are beyond their usable or patchable lives in terms of software updates, which are a key step in ferreting out known vulnerabilities. As the old risk management adage goes, the threat actor has to be right once, and the defensive side has to be right 100% of the time. Against this backdrop, it is hard to imagine how cities can catch up with, let alone get ahead of, fast-moving cyber threats. In addition to enjoying the benefit of patience and agency, attackers can always move on to other cities or public sector targets when more desirable ones harden their position or close known vulnerabilities.
The “to pay or not to pay” debate, which continues raging with ransomware responses, always pales in comparison to the economic calculus of hobbled government systems. In Atlanta’s case, ransomware crippled certain payment systems in the city, including police and first responder capabilities. In Baltimore’s case, the city’s property market all but ground to a halt due to the RobbinHood ransomware attack, showing the disproportionate relationship between the comparatively low average ransom demand and the prospect of hobbling a multi-million-dollar real estate market. Cyber attackers know this unbalanced calculus well and they turn up the heat on a targeted city or community by applying the vice grip of a deadline for ransomware payments, lest systems or data be permanently compromised. In Baltimore, the attackers threatened to increase the demand by $10,000 for each day the city did not comply. The simplest, but most often the least applied, cure for this compromise is to have up-to-date data and system backups and the ability to restore or replace compromised systems with current information. This too is a costly and complex process for many cities, but it is most often one of the only ways ransomware victims can stare down the threat with any real conviction.
In Baltimore’s case, as in most severe ransomware attacks, fully restoring systems may take months, according to city leaders. The other challenge, which is one of the most often forgotten aspects of virtual threats, is that they may render hardware and databases unusable, not just obfuscate, delete or corrupt data. This can lead to millions in unrecoverable losses, as many cyber insurance programs, which still do not enjoy sufficient take-up rates in the public sector, often exclude physical property damage arising from cyber threats. Cyber insurance or financing solutions alone are not enough to improve city or community-level cyber resilience. Rather, the U.S. and other countries must consider more strategic pathways to shoring up cyber resilience on a national scale. The challenge with such a fast-moving threat, like other systemic risks, is that it will follow the path of least resistance. So, it would stand to reason that if a large bank like JP Morgan hardens its cyber posture, the risk will move downstream, preying on smaller, more vulnerable banks for whom cyber threats pose an existential threat. The irony, not unlike the vulnerabilities being exploited in cities, is that the failure of any one bank or city function erodes confidence across the system.
Against this systemic and fast-moving threat, the U.S. should stand up a national equivalent to a cyber risk-sharing system, a veritable cyber FDIC. Through this structure, the capitalization of cyber threats can be adjusted based on the risk profile of the participating city or community in the risk-sharing pool, while at the same time critical issues like threat intelligence sharing, the dissemination of best practices and a technology clearinghouse to stay ahead of the risk can be mutualized. The more cyber threats target cities and the public sector, the more we will realize that we are facing a tragedy of the digital commons. This downward spiral must be arrested and improved with the same urgency as our eroding physical infrastructure.