A cybercriminal’s visit to New Bedford City Hall last summer proved fruitless — a foiled crime that should be instructive for other governments in Massachusetts and New England. The ransomware attack — in which some unseen crook locked up computers and their data, demanding payment in exchange for a digital key — happened in July. Though not publicly announced at the time, the attacker wanted $5.3 million in order to release 158 government computers from his or her grip.
Mayor Jon Mitchell tried to negotiate, offering $400,000, a figure more in line with what other cities have given cybercriminals to release targeted computers. The money — Bitcoin, actually — would have come from a city insurer. But the attacker declined to negotiate. And so did the city, choosing instead to recover its data as best it could from other sources.
Mitchell laid out the scenario during a press conference a couple of weeks ago covered by the Standard-Times. At the time of the attack the city publicly attributed its troubles to a virus affecting about 4% of its computers, but it did not give details of the predicament. And, as a result of its ultimate decision not to pay the cybercriminals, the Whaling City is being hailed in the field of cybersecurity.
As much as the Federal Bureau of Investigation and others caution governments and businesses against giving even more incentive to computer criminals by acceding to their demands, it’s usually less expensive just to give them money to unlock the computers. Too many do just that — which is why this crime is successful, and why it’s spreading.
Ransomware is a looming threat for governments at every level — businesses, too. The attacks, usually launched from outside the U.S., inflicted $8 billion in damages on the global economy in 2018, according to an estimate reported this summer by the Boston Globe. And the cost is expected to grow. The newspaper cited a number of experts who say attacks, both failed and successful, are spreading.
As for potential targets, the best strategy is not only to button up security but also to plan for an attack. State leaders in Massachusetts recognize as much. Gov. Charlie Baker and the Massachusetts Technology Collaborative last year held a symposium focused on these issues and created the MassCyberCenter, putting a retired U.S. Navy officer with 30 years of experience in information warfare, Capt. Stephanie Helm, in charge. Her mission is to support cybersecurity companies working in the state while also helping to protect and prepare governments and businesses.
Hers is an important role, but the work is not hers alone. City halls and town offices are the ones who face the equivalent of a burglar who squats in a house, changes the locks, then forces you to pay money to get back inside. They’d be wise to follow the suggested steps of the federal Cybersecurity and Infrastructure Security Agency, which include backing up data and storing it in places unreachable by networked computers.
Leaders of every city and town should assume it will happen. A report earlier this year cited as many as 40 ransomware attacks on local governments so far this year — and those are just the ones we know about. Targets range from large-scale operations such as the city of Atlanta, down to Lake City, Florida, population 12,116, according to the U.S. Census Bureau. Leaders in that north Florida burg chose to pay a ransom worth $460,000 in Bitcoin this summer to get their files, even if it didn’t ensure everything was restored. Other local governments have done the same.
It’s not an encouraging trend for taxpayers or those with information on file somewhere at city hall, which is pretty much all of us. Suffice it to say most mayors, city clerks and town administrators — and the people they serve — would rather be in New Bedford’s position.
Saying no has its costs, to be sure, in terms of repairing, restoring and fortifying computer systems. But in the long run, doing so is the only way to shut down these persistent crimes.