Cities Paying Ransom: What Does It Mean for Taxpayers?

On September 1, Ontario’s Municipal Offices experienced a cyberattack that left their computers inoperable when Malware entered its systems and rendered its servers useless. The municipality was faced with paying a ransom to the attackers or face the consequences of being locked out of its systems. Per the advice of a consultant, the city paid an undisclosed amount of ransom to its attackers.

Only a couple months earlier, the Town of Wasaga Beach in Ontario, faced the same issue and paid one bitcoin per server.  It spent 11 Bitcoins, valued at the time at $144,000, to regain control of 11 servers. The town negotiated with the attackers to reduce the price to $35,000.  After paying the ransom, Wasaga Beach assessed the damages to its city at $250,000 for loss of productivity and reputation.

This scenario has become commonplace today.  Cities, municipalities, and government agencies have all experienced ransom attacks. But ultimately taxpayers are the ones that pay the bill for these cyberattacks.  The city of Atlanta projected $2.6M for ransomware recovery in May of 2018.  Atlanta chose not to pay the ransom, and instead allocated the funds to incident response.

Have these cities actually tested backup systems and disaster recovery within the last 2-3 months?  As public entities, we would ideally have full transparency and an understanding of the capabilities in place to protect public infrastructure.

Why have certain cites lacked transparency about the decision to pay attackers? Could the reasons for poor public disclosure be a lack of expertise and IT security spending, fear of public criticism, or actual weaknesses in their IT systems?

[You might also like: Defending Against the Mirai Botnet]

Should there be disclosure laws for public sectors concerning data breaches and malware events?

If a city is constrained with IT budgets preventing their IT department from making advances in cybersecurity protection, do its citizens get to vote on how IT is handled?  What if outsourcing IT to a managed services expert reduced costs (and headcount/jobs) while providing greater security? Would municipalities be better off if they could focus on delivering services to their citizens without having to worry about IT security?

Considering there aren’t a ton of checks and balances (and possibly budget), is this going to become the norm for hackers to target?

Private sector companies have been forced to take cybersecurity more seriously and according to some projections, will spend over $1 trillion on global digital security through 2021. Bank of America and J.P. Morgan Chase each spend around $500 million a year on cybersecurity.  Meanwhile, federal cybersecurity spending continues to lag, with some estimates suggesting it will reach a meager $22 billion by 2022.

Is the answer to the problem to start looking at better disclosure in IT spending? Should the public sector IT be outsourced to IT experts and moved to the cloud? Will the taxpayers perpetually be on the hook for poor IT security protection in the public sector?

There are hosted solution providers today that provide secure solutions for cities. Some cloud providers already have turnkey government solutions available for sale. Some of these platforms include city management, fare and tolls, police and intelligence, prison management, court management, video management, and safe city management. What if the taxpayers found that it cost less money and did a better job of security?  Would the voters be able to push public transparency and cost reduction through? How many more events like this will it take to move government IT into better hands?