Winston Churchill once said, “Success is walking from failure to failure with no loss of enthusiasm.” By his definition, government has been extremely successful in stopping ransomware attacks.
Original post here: https://www.morganwright.us/ransomware-attack-brought-Atlanta-to-its-knees
Take the recent example of Atlanta. On March 22, the city was hit by the dreaded SamSam ransomware. City services have ground to a halt. Residents can’t pay for essential services like water. The city can’t collect revenue from parking fines. Police efficiency is dropping as reports are hand written.One council member lost 16 years of data. Others are sharing an ancient personal laptop between them. And still no end in sight.
Only in government can failure be spun as success. As in, “We immediately assigned an incident response team,” or “We were able to successfully isolate the threat and ensure that no harm was done to other servers or systems across the city’s network.” And the most overused phrase, “No personal data was compromised.”
Never mind that the house is on fire. We saved the shed.
Even the private sector is not immune. Stunning phrases like “We detected a limited intrusion of malware” that “infiltrated a small number of systems” get fed to the press. One U.S. hospital, after a devastating ransomware attack for which it was unprepared, spun it as a success; the chief information officer (CIO) claimed he was proud that, for the duration of the outage, “no patients were adversely affected.”
Of course, the hospital was unable to perform any surgeries. That’s one way to avoid adverse effects.
Forewarned is forearmed
Emergencies rarely make appointments. But in Atlanta’s case, warning shots were fired many times and ignored, even as early as nine months before the crippling attack. And yet, the attackers met little to no resistance.
A simple Google search shows the term “ransomware” appearing 14.8 million times. Is there anyone in government or the private sector who hasn’t heard of this? Ransomware attacks increased more than 90 percent from 2016 to 2017.
The financial impact of ransomware attacks in 2015 was estimated to be $325 million. In 2017, it grew more than 1400 percent to $5 billion. If only government could grow revenues like this, we could fight off these digital invaders.
Public safety targeted
Unlike other types of ransomware attacks that rely on deceit, manipulation and influence (phishing and spearphishing), SamSam exploits weaknesses in the actual system. It is the most virulent strain of malicious software (malware) called ransomware. Ransomware seeks out and locks up files using nearly unbreakable encryption. Only the attackers hold the secret key to unlocking the files, and they want $51,000 in bitcoin (ransom) for it.
Our most critical systems, especially computerized 911 dispatch systems, are being targeted.
There have been 184 attacks against public safety agencies in the last 24 months, according to SecuLore Solutions, which compiled publicly available incidents. One big reason is the very nature of 911 systems; they’re critical to public safety and the community. The attackers hope they’re more likely to pay, as well. But that’s not always the case.
Days ago, Baltimore, Md., was struck by a ransomware attack. While it did not take down the actual inbound call system for 911 emergencies, it crippled the computer-aided dispatch system used by emergency personnel. Baltimore’s vulnerability — a technician’s change to an internal firewall — was only four hours old when it was exploited.
We’re the victim
Ransomware isn’t half as destructive as the denial exhibited by government officials in the face of this electronic onslaught. The bill for ignorance and short-sightedness has come due, and it’s payable only in bitcoin.
Atlanta mayor Keisha Lance Bottoms played the victim card first. She informed Atlanta’s citizens that “We are dealing with a hostage situation.” A situation, yes, but completely of Atlanta’s own making. The mayor admitted cybersecurity had not been a high priority prior to the attack. But now, it’s top of mind. For real this time. We really, really mean it.
To further drive home the portrait of victimhood, the mayor stated “I just want to make the point that this is much bigger than a ransomware attack. This is really an attack on our government, which means it’s an attack on all of us.”
This is the type of response that infuriates taxpayers and citizens. Why, you might ask?
There’s never enough time and money to do it right. But when government screws up, there’s always time and taxpayer money to do it over, usually at a much higher cost. In the end, it’s the consumer and taxpayer footing the bill.
In my testimony before Congress on Healthcare.gov in November 2013, some members thought whatever was broken could be “fixed” going forward. Never mind that there was ample opportunity to fix problems before the entire site launched.
What might cost taxpayers $1 to fix before launch, generally costs $100 after.
Son of SamSam
These attacks will continue, and they will get worse. SecurityScorecard released an analysis of the security shortcomings of 552 local, state and federal organizations and found dangerous delays in replacing outdated software, patching existing software, and other basic defensive steps. When compared against other industries, government ranked 16th out of 18 industries in a ranking of cybersecurity. Health care ranked higher than government. No, that was not a typo.
Of all industries, only government can print money and make law. With those built-in advantages, it still can’t make headway against one of the most damaging threats to our online way of life.
The SamSam ransomware is a formidable weapon. It’s adapting and learning from each attack, as the attackers do. It’s three-dimensional chess, and government is still playing checkers.
The attackers are more sophisticated than before, and their tactics evolve faster than government’s ability to adapt. The scary part is that these criminal groups are functioning more and more like state actors. All the elements are there; reconnaissance, target selection, lateral movement in the network, patience, timing for maximum impact, adaptive weaponry.
Getting it right
Where is the accountability? “Only in the government could such a gaping hole be allowed to exist without fear of consequence.” That was my testimony in 2013 before Congress about Healthcare.gov. It also describes Atlanta and dozens of successful cyber-attacks against government at all levels.
One place to start is to quit using worn-out phrases about how no personal information was compromised in the ransomware attack. That’s not the purpose of ransomware: It’s to hold data “hostage” for “ransom.” Claims of false victory ring hollow and show lack of understanding about how ransomware works.
Another place is to hold real people accountable — at the federal, state and local levels. Even the CEO of Equifax, along with the CIO and chief information security officer (CISO), got fired. You can call it “retiring early,” but it clearly wasn’t their idea.
Atlanta’s Mayor Bottoms tried to put a positive spin on the city’s failure: “I am looking forward to us really being a national model of how cities can shore themselves up and be stronger because of it.”
If George Carlin were still alive today, I imagine his monologue about oxymorons concerning the latest ransomware attacks would include “computer security,” “government organization” and his perennial favorite, “jumbo shrimp.”
Just remember. If plan A fails, there are 25 more letters.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.