The Hollywood Presbyterian medical center in Los Angeles, California, was targeted in a cyber-attack in 2016 and paid out $17,000. Photograph: Mario Anzuoni/Reuters Some victims decide paying out is cheapest option
In the coming years, cybercriminals will just repeat their attempts across governments until they find one that is vulnerable, said Tyler Moore, a University of Tulsa cybersecurity professor. Attackers have found a playbook that is working.
Its a playbook that remains profitable.
Thats because some victims choose to pay, despite ethical concerns about capitulating to ransom demands and despite the fact that theres no guarantee of restored access. In some cases, paying bitcoins may be a cheaper and quicker resolution. One
report suggested that cyber-attackers have collected millions in ransom in recent years.
Even if major cities view
Baltimore as a wake-up call and adopt reforms, It wouldnt shock me to see smaller cities roll the dice, said Hannah Quay-de la Vallee, senior technologist with the Center for Democracy and Technology. She said she was also concerned about educational institutions that have major budget challenges and systems with crucial personal data, such as students medical information and allergies and individual special needs plans.
The frustrating reality for information security leaders is that the technical solutions are known and easy to implement, if there is funding: cities have to
update their systems with available security patches and maintain effective data backups. Without patches, hackers can break in and demand money, and if officials dont have the data stored elsewhere, they have to choose between paying ransom or rebuilding systems.
Those who are unwilling to pay the price to upgrade systems and people are going to pay the price one way or the other, said Alan R Shark, executive director of Public Technology Institute, which provides consulting services to governments.
Baltimore made the right decision refusing to pay, but the crisis could drag on for months as a result, said Avi Rubin, a Johns Hopkins computer science professor. They dont have a lot of the data They are going to face a real challenge building up all the systems organically from scratch.
In the Colorado attack, the malware hit the transportation departments business services, but ultimately did not spread to road and traffic operations. Thousands of workers were, however,
forced offline, which meant the state had to communicate with employees by leaving printed handouts on their desks and scheduling conference calls, said Blyth.
The state eventually brought in the national guard to help.
Colorado has since adopted a range of new practices to prevent future attacks, said Blyth, adding that officials have thought through worst-case scenarios: disruptions to healthcare, prisons, emergency communications, traffic safety, fire departments.
What if it was a broader impact affecting multiple of those services at once? she added.
Despite the challenges, Blyth remained confident that refusing the attackers demands was the right call. We would not even think about paying the ransom. We didnt want to contribute to what we knew was criminal behavior.
Follow Guardian Cities on Twitter, Facebook and Instagram to join the discussion, catch up on our best stories or sign up for our weekly newsletter