Ransomware Attack on Baltimore Highlights Need for Proactive Efforts to Enhance Cyber Resilience

May 20, 2019

Baltimore City Hall | David McFadden, the Washington Post

The city of Baltimore is recovering from a wide-ranging, sophisticated cyber attack. Last week, the RobbinHood virus restricted numerous agencies’ access to files, servers, and email. The Baltimore Sun reported disruptions across the government ranging from canceled hearings to delays in processing water bills and debt payments. The city lost its ability to complete  property transactions, bringing the local real estate industry to a screeching halt. 

Baltimore’s slow rebound from the attack highlights the importance of putting in place and practicing incident response plans before cyber attacks occur. A full week after the attack, officials could not predict when operations would be fully restored. The mayor indicated that it may be months before the city returns to full functionality. The city has created a workaround to enable real estate transactions; however, implementing workarounds for all the city services that were disrupted -- including water bills and police tickets -- is costly and time consuming.. 

A more proactive approach to cyber resilience could quicken the time it takes for cities to recover from attacks like th one that hit Baltiore. The new mayor observed that no matter how strong the technical upgrades the city installs, attackers “always can find a way.” Since  cyber attacks are more or less inevitable, organizations should identify which of their hardware and software assets need the most elaborate  safeguards.  Similarly, basic cyber hygiene practices -- such as cataloguing hardware assets, segmenting networks, and limiting access to a small number of personnel -- can go a long way towards identifying and responding to threats. 

Experts on RobbinHood report that this was a targeted, sophisticated attack. The attackers gained administrator-level access to city network. This allowed them to  transmit the virus to many agencies. The Baltimore attack  highlights the challenges that all municipalities and critical infrastructure operators face. Big cities including San Francisco, Atlanta, and Denver as well as smaller ones like Greenville, South Carolina and West Haven, Connecticut have all been struck recently by ransomware attacks.

Cyber hygiene alone will not stop this type of attack; significant investments are required.
Chief Information Officer Frank Johnson previously warned the Baltimore City Council of the need to solidify the city’s cyberdefenses. On the other hand, he relayed in a post-attack press conference that a review of the city’s cyber protection systems had generated multiple “clean bills of health.”  Baltimore has convened a Special Committee to come up with ways of  preventng future attacks. 

Our research suggests that preparations should include both technical fixes, such as regularly updating operating systems and installing patches, as well as social engineering efforts, such as educating employees about basic cyber safety, establishing a clear chain of command, and practicing incident response plans. Sources of assistance  include the US Computer Emergency Response Team’s (US-CERT) National Cyber Incident Response Plan, as well as the National Association of State Chief Information Officers (NASCIO) Cyber Disruption Planning Response Guide and materials assembled by the National Governors Association.