According to a new report, during President Donald Trump’s inauguration, Romanian hackers used ransomware to seize control of two-thirds of the Beltway’s police security cameras – a stunning feat only slightly diminished by the fact that they went on to order pizza from an email account linked to the attack, then used hijacked police computers to run an easily traceable Amazon scam.
That combination – a successful, high-profile ransomware attack executed by thumb-fingered amateurs – shows the challenges now faced by local governments. It no longer takes a genius to hack municipal computer systems: Anyone can log onto the dark web and buy email lists and the malware needed to lock police officers, hospital workers, and government officials out of their computers. One ransomware program dubbed “Philadelphia,” available online for just $400, is specifically designed to help inexperienced hackers take victims’ data hostage.
Such attacks are devastating. Without the hackers’ digital key, it’s impossible to unlock hacked files, leaving cities unable to access not just cameras, but 911 systems, hospital records, communication tools, and even water and power systems. That’s why cities make enticing targets: You can’t put public services on hold, so hackers can charge a premium when extorting government entities. Hacked companies pay an average of $36,295 to retrieve their data, but public entities pay an average of $338,700, or almost 10 times as much, according to a Coveware study.
Refusing to pay is even more costly. In a recent cybersecurity webinar by BrightTALK, the experts who helped Atlanta recover from a devastating ransomware attack told me that getting the city back online cost well over $8 million. In Baltimore, meanwhile, a similar attack cost the city $18.2 million.
Hackers are already targeting Philadelphia. This summer, Philly’s court system was knocked out by a cyberattack, while Temple University Health System lost its scheduling system to ransomware. This fall, Souderton schools suffered a ransomware attack, and just weeks later, Luzerne County schools paid a $38,000 ransom to unlock their computers.
Such attacks are minor compared to those that hit Atlanta and Baltimore. But Philadelphians shouldn’t get complacent. Pennsylvania’s status as a swing state means that going into 2020 ,it will be even higher on cybercriminals’ list of juicy targets.
Ransomware is increasingly used to facilitate other kinds of cybercrime as well. Criminals now use these tactics to distract officials while raiding municipal bank accounts or diverting payroll checks, and by the time the ransom is paid and the data recovered, it’s too late to reverse the transactions.
Similar approaches could be used to attack elections. It’s all too easy to imagine the chaos that would follow a ransomware attack on voter registration databases, not least because such an attack could be used to hide efforts to steal or tamper with voter data. Such malfeasance might not even be noticed until after polling day, undermining confidence in our elections. That makes ransomware attacks a national problem and one local governments are ill-equipped to handle.
Municipal networks are soft targets because when it comes to spending tax dollars; cybersecurity almost always takes second place to more visible investments like hiring police officers and filling potholes. Even basic investments such as upgrading to the latest version of Windows are often neglected, making public-sector networks all too easy to break into.
The federal government is starting to take note. The Pentagon launched an important “zero-trust” pilot program to help network managers root out hackers, and Congress has earmarked $250 million for election cybersecurity, a start, but hardly enough, considering that Pennsylvania alone is spending $125 million to upgrade voting machines.
What’s needed is enough federal money to overhaul not just electoral cybersecurity, but all our municipal, state, and local computer systems. Better communication, better planning, and better response strategies are needed at both federal and local level to keep communities safe from ransomware and elections free from foreign interference.
If a pair of amateur pizza-lovers managed to hijack Trump’s inauguration, imagine what more competent hackers – perhaps backed by America’s foreign adversaries – could do in 2020. The hard truth is that if America doesn’t take public-sector cybersecurity seriously, and invest accordingly, then we’ll all wind up paying the price.
David Morris is managing partner of Unit 221B, a cybersecurity company based in New York. He lives in Mendham, N.J.