TAG Cyber Law Journal

June 2019
After Baltimore was hit with its second assault in one year, it’s past time to examine the reasons.
By David Hechler
IN JUNE 2018, we wrote a short article about ransomware attacks in American cities. We mentioned the big one in Atlanta, of course, which we wrote about in depth a few months later. And there was also one in Baltimore.
     Yes, Baltimore: the same city that was hit again with another, much larger ransomware attack in May. That made two in one year. What’s going on?
     There’s actually data that helps answer this question. And when you put it together with the observations of a lawyer who was deeply involved in helping Atlanta in the wake of its devastating attack in March 2018, what’s going on is pretty clear.
     We’ve known the answers for some time. And there’s nothing special about Atlanta or Baltimore. They seem to be examples of something that’s happening in some form all over the country.
     Cities have assets. They have lots of systems to protect, and typically they don’t spend a lot to do that. And when the services they provide their citizens suddenly halt, they’re under enormous pressure to quickly resolve the problem.
     Their leaders are also overmatched. This was no surprise to a group of researchers at the University of Maryland, Baltimore County, who conducted the first nationwide survey of local government cybersecurity officials in 2016. After the Atlanta attack and the first Baltimore attack, they published an article that spelled out what they’d found.
     It was this article, published in the online academic journal theconversation.com, that caught our eye. The survey results were at times jaw-dropping.
     A whopping 47 percent of the respondents said they experienced cyberattacks at least daily. “Based on prior research,” the authors wrote, “we are confident that rate is actually much higher.” Nearly 30 percent didn’t know how often they were being attacked, and 54 percent said they do not always record attacks.
     When the authors asked why local governments weren’t practicing better cybersecurity, 62 percent of the respondents said they lacked support from top appointed officials; 58 percent said the same about officials who were elected; and 62 percent pointed the finger at their department managers. The largest vote getter of all was “too many IT networks/systems,” which pulled a response of 66 percent.
     The data from the 2016 survey is a little old now. The researchers were confident last year that the picture hadn’t changed dramatically, but when we were writing about the Atlanta attack in March, on its one-year anniversary, we decided to run the numbers past Roy Hadley, Jr. to see what he had to say.
     Hadley is a partner at Adams and Reese in Atlanta, and he was the first outside attorney the city called in for help after it discovered the attack. In our lengthy interview with him, Hadley described what a city—or a company—has to do when responding to a ransomware attack.
     There wasn’t space in that article to include his comments on the survey numbers we’d shared with him. But they made a lot of sense back then, and they’re certainly on point right now.
     After he’d listened to some of the numbers, Hadley said this: “Those statistics aren’t surprising to me. And they’re not surprising because for a lot of government, it’s a resource issue, right? You don’t have an unlimited checkbook. You’re relying on taxes and fees and fines to fund your government.
     “Let’s just say, hypothetically, you have an extra $1 million. Are you going to pave roads with that $1 million? Are you going to open the parks for the summer? Or are you going to buy some new servers and firewalls?” He chuckled. “What’s going to get you elected?”
     He paused for a moment to let that sink in. “All of the things that would help swing that survey to the percentages that you would like to see cost money,” he continued. And it’s hard to justify improvements that the public can’t see. “Unless and until something happens, where now the citizens can’t call 911 or now they can’t do something,” Hadley said. “Then, when you say, ‘Well, we’re going to spend $1 million on new servers,’ they’ll say, ‘Oh, OK. I get it now.’”
     And actually, Atlanta Mayor Keisha Lance Bottoms said something very similar herself shortly after the attack in March 2018. She’d only taken office two months earlier. And in an interview with The New York Times, she acknowledged cybersecurity had not been high on her priority list.
     “As elected officials, it’s often quite easy for us to focus on the things that people see, because at the end of the day, our residents are our customers,” Bottoms said. “But we really have to make sure we continue to focus on the things that people can’t see,” she added, acknowledging her change in priorities, “and digital infrastructure is very important.”