Three Cybersecurity Lessons From Atlanta

On March 22, Atlanta’s city government was hit with a ransomware attack, with hackers demanding six bitcoins in exchange for releasing the data. At the time of writing this, that’s a demand for roughly $41,880.

As a result of the attack, many systems in Atlanta are offline. Some of the city’s services have been forced to return to the “pen and paper” method of operation.

This episode highlights the growing dependence of state and local governments on information technology systems and emphasizes how their cybersecurity (or more accurately, insecurity) can impact the broader national security issues. Here are three quick takeaways from this episode, each likely worthy of much more in-depth development:

First—and this may be a tough pill to swallow for many in Atlanta: The security weaknesses that allowed this attack to proliferate were partially the fault of the city itself. The attackers’ SamSam ransomware relied on “exploiting vulnerabilities or guessing weak passwords.” In other words, poor or unenforced cyber hygiene best-practices and the failure to invest adequately in resiliency, created a vulnerable network that the hackers were able to exploit.

Cities and states that don’t have enough resources may not prioritize cybersecurity threats. Often this is because they don’t understand the scope of threats, leading them to funnel scarce spending into other areas. In other cases, these entities may grasp the threat cyberattacks pose, but funds for adequate security may simply be lacking.

Yet due to the sizeable amount of data that is stored at the local and state level—including the identifying information of private citizens—cities and states need to rethink their approach. If Atlanta demonstrates one thing, it shows that they need to move cybersecurity up the ladder of budget priorities.

Second, this episode is a prime example of a situation where what is good for the city is at odds with what is good for the federal and state governments.

Knowing it could lose a significant amount of data if the ransom is not paid, the city of Atlanta is facing a serious burden. Six bitcoins, while expensive, is almost certainly far less than the costs and man-hours that went in to the creation of the data that could be lost and will need to be recreated as a result of the freeze. If we were advising Atlanta as a client, our advice would be simple: “Pay the ransom.”

However, the federal government will almost certainly see things differently. On a larger scale, there is a systemic interest in not giving in to the hackers. If Atlanta chooses to pay the ransom, it will encourage the hackers to try the same type of attack with other cities knowing they could receive a sizeable payout. A policy of “not negotiating with hackers,” therefore, is probably the right one at a macro-level, as it is necessary to deter future attacks. This suggests that, at a minimum, the federal government should begin consulting with state and local governments to develop a strategy for responding to such problems. We suspect the discussions will not be comfortable ones for either party.

Third, this episode should serve as a cautionary note on the unfettered growth of cryptocurrency. Cryptocurrency can have malignant uses that seem to overwhelm—in both volume and effect—the benign purposes to which it can be put. The Atlanta attack is yet another example of a situation that would be nearly impossible to replicate in a world where no cryptocurrency existed. In the long run, the attack provides another data point in the ongoing effort to determine whether and how cryptocurrency should be regulated.