Is Nothing Sacred? Recent Hackings on Our Governmental Entities

Somewhere, in another country or hidden in a basement down your street, a hacker is waiting in the dark searching for the vulnerabilities in our national infrastructure.  They are scanning systems for any threat vector which can serve as their entry into our world. This past week, we were treated to two recent hacking incidents against governmental entities that are the shape of things to come.

First, it was reported that the City of Atlanta was the victim of a ransomware attack. On March 22, 2018, a remote ransomware attack encrypted the city’s data, effectively shutting down much of Atlanta’s critical infrastructure. The hackers requested a mere $55,000, to be paid in Bitcoin, to decrypt the data and return control of it to the City. As of March 28, Atlanta was still trying to bring its systems back online without paying the ransom. As a result of the attack, residents could not pay their water bills or parking tickets. Critical departments, like the police and prisons, were constrained to “old school” paper and pencils. In addition, court proceedings for individuals not in police custody were canceled until computer systems are operational again. To say this is a huge issue is an understatement.

The second hacking incident happened in the City of Baltimore, where the 911 dispatch system was hacked, which forced officials to temporarily shut down automated dispatching and revert to paper dispatching. Baltimore, like virtually every public safety entity, uses a computer-aided dispatch system. The Baltimore Police Commissioner said the police commanders deliberately “shut down a lot of our systems so we weren’t compromised to a higher level”. This incident occurred on either March 24 or 25 and, to date, there is no official statement as to what was compromised as a result of the breach, although officials have warned residents to guard against identity theft and watch their bank accounts.

These two incidents are not the exception; they are becoming the norm. Cyberattacks are continuing to increase. In fact, there was a 164% increase in cyberattacks in 2017. In the first six months of 2017, there were 918 data breaches which compromised 1.9 billion data records. Cyber experts have been warning of the importance of cybersecurity for years and are now stating that cybersecurity is “likely the next great security threat for governments and companies around the world, and that most systems are simply not prepared”. It is not just Atlanta or Baltimore; the Colorado Department of Transportation has been hit twice already in 2018. Additionally, there were five (5) separate police departments in Maine that were victims of ransomware in 2015.

So, it is no surprise that cybercrime is on the rise. However, in these instances, it is more than a private business whose information is compromised (and trust us, that is bad enough). These attacks are against critical services that we need and rely upon. Imagine your friend/spouse/parent is having a medical emergency and the system that will bring first responders to your loved one is not working, or is controlled by the hackers so that they are misdirecting emergency vehicles and personnel. This is a scary thought, but definitely not outside the realm of possibility.

Recently, in Missouri, an officer was shot and killed when he was directed to a house far away from where an actual 911 call occurred. Imagine that this was malicious, and not just a horrible accident. The worst case scenario is much worse than we often imagine.  In addition to the parade of horribles you can imagine from first responders being misdirected, you could also be putting them in physical danger. This is, of course, in addition to the sensitive data that will be compromised as a result of these hacks. So, what next?

Whether large or small, local municipalities and public safety agencies need to start to address cybersecurity. What does this mean? The first step means designating funds to create more secure systems and protect those systems. It means migrating away from legacy systems that are long outdated and no longer supported, or only partially supported, by the software provider. It means having policies, procedures, and guidelines in place that these organizations can use and rely upon. It also means creating a comprehensive breach response plan and emergency response plan that these entities draft and train on regularly. First responders regularly create comprehensive plans for responding to large-scale disasters. Much like the attacks on 9-11-01 raised awareness about terrorist threats and worst-case scenarios, we should be having one of those “wake up” moments right now regarding cyberattacks. The similarities are striking. That attack on our country brought forth American ingenuity. We took a horror, learned from it and created better systems. Well, our nation is under attack again. And many of these attacks are from foreign actors (nation-state sponsored hacks).

It makes perfect sense that these attacks are on the rise. Other countries can gather intelligence and cause harm without firing a weapon or sending a “spy” to infiltrate our systems. They can sit in the comfort of their own country and hack away (pun intended) at our infrastructure, our emergency response and our healthcare systems with great success. We need to start to approach cybersecurity for our government, whether state, federal or local, in a more comprehensive manner. We cannot simply wait for the attacks; we must actually do things to prevent them and minimize our vulnerabilities when we can’t stop them. The fact that Atlanta’s city systems have (currently) been down for over 5 days is ridiculous. We need to develop plans, have offline backups and practice, practice, practice! We need to devote resources toward upgrading our systems and designating woman-power toward enacting these changes. We need to be comprehensive, thorough and deliberate. In other words, we need to be proactive.

And when people question why we are devoting so many resources to these areas, the response is simple: Cybersecurity is always a good investment, and luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.