The city of Atlanta is still suffering from the effects of a March 22 ransomware cyberattack that encrypted data and disrupted city services. Attackers demanded a ransom of $50,000, which the city refused to pay.
Just how vulnerable are American cities to the kind of attack that hit Georgia’s capitol? Marketplace’s Jon Gordon talks about it with Chester Wisniewski, a principal research scientist at security firm Sophos in Canada (you can read Sophos’ research on ransomware here). The following is an edited transcript of their conversation.
Chester Wisniewski: If you set the price right, the cost of not paying the ransom, as the city of Atlanta has chosen to do, is much higher. When you consider all the critical services often provided by a city in water filtration, 911 systems and policing, often it’d be easy for a city to say, “Hey, $50,000? We can’t leave our citizens in the dark, we must get operational. We’ll just pay the ransom.”
Jon Gordon: As a group, would you say cities and other local governments are generally ill prepared, well prepared or something in the middle to deal with ransomware attacks?
Wisniewski: My experience in working with local government, just about anywhere in the world, not just in the U.S., is that they’re poorly prepared for these types of attacks. They’re usually spending all of their time and effort trying to provide city services on very limited budgets. And whenever that’s the case, it’s very hard to sit down and have a strategy about how you’re going to recover from a disaster, and in essence that’s what we’re looking at here. The only real variations of that that I see are cities that actually plan on having natural disasters frequently. Cities that are in earthquake zones or hurricane regions, that type of thing, often spend more of their budget on being prepared for a natural disaster. And it turns out when something like ransomware hits, the process you need to kick off is the exact same thing you would in a natural disaster, and how to recover your systems and operate with limited capacity just like you would in an emergency. Those cities have a tendency to be a little better prepared.
Gordon: There is a strain of security thinking now that says, “Look, you cannot prevent these kind of attacks, so you’re best preparing to mitigate the damage after attacks happen.” Is that the proper way for cities and other governments to be thinking about attacks?
Wisniewski: Ultimately, anybody that’s in computer security knows that the real business is about risk management. And just like a financial institution or anything else, you’re going to have some fraud and you’re going to have some abuse of the system. The question is how much of it can you prevent, and then how well prepared are you for the bad thing when it happens? I think organizations have largely focused too much on prevention, which is impossible to do perfectly, and not enough of their resources on being prepared for the bad thing when it happens. I do have to applaud Atlanta for not paying the ransom; we hate when criminals are able to make profits from these types of things. But it’s also clear in how long it’s taking them to recover that they didn’t really have a good disaster recovery plan in place.
Gordon: There are accounts now that some city business is being conducted on mobile phones and even paper — we shudder at the thought — but is it a good idea to actually have that kind of planning in place? Like, if our systems are all down, we’re going to conduct our business on a legal pad and our mobile phones.
Wisniewski: Absolutely, if possible. It’s something that’s part of a good disaster plan. Can people work from home? Can they get access to the information they need? Can they use alternate systems, or, as you say, going back to paper? In fact, I heard there was an attack last week on a 911 call center in the United States. They were able to fall back to not using their computers and going back to pen and paper and continue to provide emergency services as business as usual. That was really encouraging story to hear because it shows that they were well prepared, and when we have to, we can live without technology, as painful as it can be sometimes.
|Ransomware: Should businesses pay up?|
|Erasing your digital footprint is hard|
|I asked a security expert to reveal how Cambridge Analytica might target me based on my personality|