Last week at the United States Conference of Mayors, various city leaders from around the country agreed that members will “stand united” against paying any ransom should their respective city systems be targeted with ransomware.
According to the organization, which represents more than 1,400 mayors from cities around the country each with a population of at least 30,000 residents, there have been at least 170 city, county or state government systems that have been hit with ransomware since 2013. Already this year there have been 22 incidents reported – with Baltimore announcing that it was targeted for the second time in just over a year.
Several cities have decided to take the stance of “paying off the barbarians” – a practice that goes back to antiquity, when Greek city states and later Roman cities would pay barbarian tribes not to sack the city. The largest publicized cases include Jackson County, GA, which paid a $400,000 ransom; West Haven, CT, which paid $2,000; Riviera Beach, FL, which paid $600,000; and Lake City, FL, which paid $460,000.
For those communities, paying the ransom has been seen as the more affordable option – but experts say it only encourages more hackers to target government computer networks, especially those that are in larger markets and which may be the most vulnerable due to aging network infrastructure.
This is why earlier this year Atlanta, which is among the largest cities in the country to be targeted, refused to pay a $50,000 ransom and ended up spending $9.5 million in recovery costs. Baltimore also refused to pay the $75,000 ransom earlier this spring, and its recovery costs were more than $18 million.
At the Conference of Mayors the various city leaders admitted that not paying can result in the loss of millions of dollars, and can take months or more to repair the damage, but it is a necessary step to disincentivize future attacks.
“Paying ransoms only gives incentive for more people to engage in this type of illegal behavior,” Baltimore Mayor Jack Young, who attended the conference, said via a statement. “I am proud to unify with the U.S. Conference of Mayors to stand up against these types of attacks and show people that they will not take control of our cities.”
This resolution is in line with recommendations from federal authorities including the FBI and the Department of Homeland Security, both of which have advised local agencies not to pay the hackers.
To Pay Or Not to Pay
However, there are those that say not paying shouldn’t be the only option.
“The main consequence for not paying ransom to hackers is a huge increase in the risk of losing critical and sensitive data,” warned Professor Christian Espinosa, instructor of the online cybersecurity program at Maryville University of St. Louis.
“On the surface, not paying ransom to hackers seems like a great idea, similar to the U.S.’s policy on not negotiating with terrorists,” Espinosa told ClearanceJobs. “What happens though if an organization gets ransomware and has zero backups and no way to recover their data? Who ultimately pays the price for the lost data?”
The temptation to just pay has to be great, countered Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“After all, while it is surely frustrating to cooperate with your digital mugger, we all see that many organizations get their data back to smoothly resume normal operations,” Purtilo told ClearanceJobs. “But that’s a problem too – the word ‘many.’ The volume may give cities confidence that they are paying an ‘honest thief’, yet it builds a market for this crime, too. How many more muggers will want in on the game when they see it pays?”
Espinosa said that very few organizations have the technical know-how for a blanket resolution to be the only option. He suggested that instead the focus shouldn’t be on simply not paying, but to convince cities that the crucial cyber infrastructure needs to be secure.
“If the desired outcome is less ransomware attacks, a better resolution is to mandate preventative controls are in place, such as patch management, security awareness training, tested and secure backup solutions, and incident response plans,” explained Espinosa. “The resolution to not pay ransom to hackers solves nothing and actually increases risk.”
The biggest takeaway could be to learn the right lessons from Baltimore’s story.
“The heavy disruption of services could be seen as free advertising for criminals in the ransomware market,” said Purtilo. “‘Pay up or this could be you!’ And it probably will increase the pressure for future victims to pay up. What officials should instead learn from Baltimore is the importance of having their act together before crime happens in the first place.”
In other words, the saying ‘lack of planning on your part does not constitute an emergency on my part’ rings true.
“Baltimore was not some hapless victim here; its IT operations were poorly managed and in bad disrepair well before the ransomware,” added Purtilo. “Nobody had heeded warnings of prior incidents; nobody had exercised leadership to close vulnerabilities and fix issues that ultimately bloomed into the latest ransomware disaster. The takeaway message for officials in other cities should really be: clean it up now so you don’t have to clean it up later.”