The City of Atlanta’s ransomware attack earlier this year shut down many digital services and is a massive cybersecurity wake-up call for all cities.
In March this year, the City of Atlanta suffered a large-scale SamSam ransomware cyberattack which impacted around 119 applications to various degrees, putting many of them temporarily offline. These included some internal systems and customer-facing ones. In some cases, citizens were unable to pay bills or access court information, and staff had to resort to manual processes.
Assessments suggest the damage will ultimately cost millions to repair (though the city did not pay the $51,000 ransom demand).
Some departments report irreparable damage – the police department, for instance, lost dashcam recordings which can’t be retrieved or replaced.
While the attack was undoubtedly significant, it could have been much worse. Daphne Rackley, Chief Information Officer (CIO), City of Atlanta, says that the impact was “not substantial throughout the entire infrastructure” and that some systems were taken offline through an “abundance of caution”, even if they didn’t appear to have been affected.
Mission-critical services such as fire, police and ambulance services, trash collection and water supplies were also not affected, although in some cases related programmes were. Personal data was not accessed, the City says.
The attack is still a huge wake-up call for cities and comes at a time when there is increasing concern about cyber-attacks, as infrastructure becomes more connected.
“Like all organisations we have to be on hyper alert right now for cyber-attacks,” Atlanta’s Rackley commented: “They’re growing and they’re becoming more sophisticated.”
In 2015, Cesar Cerrudo, a professional hacker and CTO of IOActive Labs, published a whitepaper which warned that cities are “wide open” to cyber-attacks and that the more technology cities use, the more vulnerable they are.
Since then we have seen a number of worrying incidents, including the infiltration of Ukraine’s power grid, a ransomware attack on San Francisco’s Municipal Railway, the reported hacking of a water treatment plant at an undisclosed location (including the manipulation of systems that control the level of chemicals used to treat tap water), and more.
Researchers from cyber-security specialist Threatcare and IBM X-Force Red, an autonomous group within IBM Security, recently revealed they had found 17 vulnerabilities in sensor and control devices deployed in cities around the world, eight of which they described as critical in severity.
On the situation as it stands in Atlanta now, Rackley said: “We’re looking good and services are back on.” Some services took over a month to get back online.
But, she added: “This is not a time to sit back on our laurels and say, ‘We’ve got it done’. It’s never done. It’s an ever-growing effort and piece work and we have to focus on constantly re-evaluating our strategies.”
A criminal investigation is still ongoing into the ransomware attack but Atlanta’s officials say they want to use the experience as an opportunity to become a “model city” for how municipalities can protect against and prepare for cyber-attacks, and its leaders are ready to share what they’ve learned so far from their front-line experience.
Some may see Atlanta’s positioning of the attack as an opportunity to improve and share as a deflection. However, it’s undeniable that the City’s insights are invaluable, given it has had no choice but to test the strategies out in a live “hostage situation”, as the City’s Mayor, Keisha Lance Bottoms, described the incident in an early press conference as the issue unfolded.
Ria Aiken, Director of Emergency Preparedness, City of Atlanta, said: “When many municipalities think about potential threats, it’s typically tied to natural disasters or things that they most recently experienced. The reality is that cybersecurity is our new natural disaster. If municipalities aren’t thinking about what that looks like for their own entity, we would encourage them to start to think differently about it now.”
One factor which Atlanta’s leaders believe helped to prevent the situation from escalating further is Bottoms’ quick action and leadership, which, Rackley said, allowed the team to “get out in front of the news”. This, she said, played a key role in “allowing us to recover, which I think has been a tremendous feat that we have been able to accomplish.”
Rackley added that Mayor Bottoms noted early that: “We need to do it the right way,” encouraging staff not to rush to turn services back on and risk additional attacks.
Strong leadership is also crucial in enabling staff to execute on cybersecurity measures going forward.
Aiken advises other cities to act now to thoroughly understand the manual processes and business continuity measures that they have in place. Atlanta had to do this during the ransomware attack and found in many cases that these processes needed to be strengthened.
For example, through practice runs and multi-departmental stakeholder meetings, Atlanta identified and plugged gaps in manual processes within the municipal courts system. “We recognised that does not just exclusively lie within the court system,” Aiken said. “It’s from the moment a ticket is being issued from our police officers all the way to the delivery, to the scheduling of a court date, to the processing and then closing that out within the system.”
Aiken urges other cities to carry out a thorough risk assessment of their systems, including both infrastructure and business practices.
Part of this risk assessment is about understanding IT systems as a whole, Rackley noted, explaining that it’s important not to just look at the critical core applications, but to also be aware of inter-dependencies.
“In our case, a major system may not have been impacted, but one of the minor systems that was feeding into it could have been,” she said. “You need to look at the technology stack from a comprehensive perspective.”
To recover from and investigate the attack, Atlanta has been working with the FBI, Department of Homeland Security, the Secret Service and private cybersecurity companies.
Atlanta’s leaders say one takeaway for other cities is to be aware that resources are available to municipalities now.
Rackley commented: “You can engage these partners with table-top exercises. They can come and do vulnerability assessments within your organisation. There are a lot of things that can be done and have been a huge help for us prior to this incident, as well as during, and [these partners] will continue to be a big part of our team.”
Aiken says it’s now a priority for the City to adopt a “culture of cybersecurity” and expand its cybersecurity programme to “have all of that technology experience around the table so that we’re upfront and understand the different landscape that we’re trying to manage and ensuring that we’re as prepared as possible.”
She noted: “The threat landscape continues to evolve. And we know that what we think we’re planning for today may look different coming down the road.”
In the light of the real cyber-attacks we have seen, including the one in Atlanta, Cesar Cerrudo recently warned that “the worst is yet to come” and “soon, everyone living in a city may suffer the consequences of cyberattacks in some capacity.”
Cities must act now to heed the warnings, learn from past incidents such as the one in Atlanta, and take concrete steps to protect themselves and their citizens from cyber threats. Future attacks could be larger and much more destructive – the backlash almost certainly will be.