What’s it like to live in a city under cyber siege? It’s surprisingly calm. The taps run, trash is collected, 911 works and planes land and take off. That’s what is scary.
I live in Atlanta, where ransomware has locked out city officials, employees and constituents from many city services. The municipal court is down and, while the water is running, no new requests for service are being processed except for emergency repairs. Police and fire are working but police have to file their reports by hand. The airport (owned by the city) works but the free Wi-Fi has been shut down out of an abundance of caution. Finally, no new applications for city jobs are being accepted.
So, it’s basically a pain in the posterior but no public safety functions appear to have been endangered. It’s pretty clever when you think about it. Make it irritating but not threatening enough to marshal a major law enforcement/national security response. Plus the hackers, probably a group known as SamSam, only want $51,000 to unlock access. Why not just pay and be done with it?
Here is where it gets scary. First, payoff seldom results in a good outcome. A recent survey by SentinelOne shows that almost half the victims, 45%, paid the hackers off but of those only 26% got their files unlocked. And, of those that paid the ransom, 73% got hacked and locked out again – talk about salt in the wound. The bad guys are inside your system; they could use you as an ATM.
Now, take it a step further. Let’s say the hackers realize they have gotten all the money out of you they can. Why not sell the access they created to a real bad actor like a nation state or terrorist group? Imagine the havoc and how quickly it would occur if the 911 system does not work, there is no water, the airport shuts down and the trash starts to pile up. Atlanta is the backdrop for the wildly popular TV program: “The Walking Dead”. Suddenly – except for the zombies – that dystopia is made real.
The vulnerability of (insert any municipality here, e.g. Atlanta) was called out by an audit of the city’s IT department months ago. Where have we heard this before? How about the WannaCry ransomware attack on UK’s NHS that shut down hospitals and clinics? A flaw in the Microsoft Windows operating system was not patched when flagged and the malware came right through it. Does that make the hair on the back of your head stand up?
Look, we’ve paid such poor attention to cyber security that state actors don’t even need to conduct a ransomware attack. They just need the leverage of us knowing that they have penetrated our systems and can come back at will to finish the job. Just the week before the Atlanta attack the US administration accused the Russians of having attacked our electric utilities and put their fingers on the on/off switch.
What are we to do? I’m hoping Atlanta will learn a lesson and clean up its IT hygiene and cyber security act but that will cost time and money and probably has a half-life measured in years. You can see it now: months go by, nothing happens, the threat appears less and less and competing priorities start to drain resources away until…
Sigh! At least there won’t be any zombies. Or, will there? The CDC is headquartered in Atlanta and they seem to feel differently.