As cyber attacks on municipalities mount, is it time to start treating them like the manmade disasters they are?
The City of Baltimore said it may seek disaster relief from the Federal Emergency Management Administration (FEMA) to clean up ongoing damage from a ransomware attack on the city’s IT system by a stolen and repurposed NSA cybersecurity weapon.
The request would be a first of its kind. It raises the question of whether cyber disasters should be treated like tornadoes, hurricanes and other “natural” disasters: qualifying those affected to receive financial relief from the government to help recover from the damage.
As recent incidents like the WannaCry and NotPetya malware illustrate, cyber-attacks can cause billions of dollars in damages. For organizations affected by them, cleaning up can be a multi-million-dollar affair that also depresses business activity and – in the public sector – the delivery of services to citizens who depend on the government.
If not FEMA – something like it
Security experts generally agree that if not FEMA funds, then some financial aid should be available to help governments pull themselves out of the IT quagmire that can come after a massive cyber attack.
Though he’s not sure FEMA is the right department to help bail out Baltimore or other government agencies in the wake of a cyber attack, Beau Woods of the group I Am the Cavalry does agree that the industry needs to consider financial aid in such situations, especially when citizens are being under-served or even potentially harmed by them.
“FEMA is typically used in natural disasters. This is entirely man-made due to over-dependence on undependable technology and the consequence of an adaptive adversary looking to do harm and monetize that,” Woods told Security Ledger.
“Maybe we need to start thinking about what we do to recover cities and what we do at a broader level to fix the situation and protect citizens–which is ultimately the role of government: to protect,” Woods said.
He added that in the case of recent ransomware attacks, the situation is more annoying than dangerous. The lack of availability of data is the key issue rather than something more destructive–like a cyber attack on a municipal subway.
But as cyber actors get more sophisticated and IT becomes more and more a part of the fabric of everyday life, Woods predicts that government help likely will become a requirement, not just a request. “This can only get worse,” he said.
A little help…?!
In Baltimore, where city offices and services have been offline for most of the month of May after a massive ransomware attack that reportedly came in through an employee’s e-mail, aid certainly seems welcome. The city estimates the cost of recovery at $18 million so far.
In a media advisory published online by Ars Technica on Wednesday, the city said that the Baltimore City Council President is urging Maryland Governor Lawrence Hogan to seek a federal emergency and disaster declaration in the wake of a weeks-long IT shutdown that’s severely hampered the city’s ability to provide services and communicate with city residents.
The city did not respond to repeated calls for comment or to confirm the advisory–which came after an extensive New York Times report about the urgency of the situation in Baltimore. However, to be clear, a city and its officials can’t directly ask FEMA for assistance. It’s an official declaration process and all emergency and major disaster declarations are made solely at the discretion of the President of the United States, a FEMA spokesperson told Security Ledger.
In this case the situation is complicated further by the possibility that the cyber disaster Baltimore faces was created by a cyber weapon developed by the National Security Agency (NSA).
Though evidence is not conclusive, the city has put its blame on EternalBlue, an exploit leaked online as part of the NSA Equation Group hacking toolset in 2017 by the group Shadow Brokers. Exploits from the tools were later repurposed into two destructive pieces of malware: WannaCry and NotPetya.
Brian Vecci, CTO at data and insider-threat security firm Varonis, said the provenance of the cyber threat shouldn’t matter. It is the government’s job to help protect its agencies against these attacks and help them recover in the event one happens.
“The specific method of attack should be irrelevant,” he said. “The government should be looking for ways to help resolve the problem and identify its root cause so that other cities aren’t hit in the same way.”
A growing problem
Indeed, Baltimore’s plight seems to be the symptom of a larger problem, experts said. What happened there earlier this month could have happened in any city government in the United States–and the city certainly isn’t the first to be crippled by an attack, Woods said.
He noted that Atlanta’s IT systems were taken down by the SamSam malware a few years ago, and that the city faced a situation similar to the one Baltimore faces now. Atlanta eventually spent $2.6 million to recover from that ransomware attack.
Local, municipal governments are being targeted for a reason, says Sergio Caltagirone, the Vice President of Threat Intelligence at the industrial control security firm Dragos. “Most cities are really heavily under resourced,” Caltagirone told Security Ledger. “It’s really easy to say, ‘Hey, guys, you should have done (this).’ I’ve been on both sides of this equation. I can tell you how hard it is if you’re dealing with a lot of things and not a lot of staff and support.”
Won’t you be our neighbor?
“It didn’t take Baltimore to tell us that government IT departments are behind the curve when it comes to detecting and preventing these kind of attacks–we’ve known this for a long time,” Vecci concurred. “Modern problems call for modern solutions, and many local governments are fighting this war using Stone Age weapons.”
Experts called on the federal government and the industry to band together when major cyber attacks happen that have an effect on the general public or put people at risk, such as those against government agencies or critical-infrastructure facilities.
“I think that’s where it needs to be very clear to people—cybersecurity is a team sport,” Caltagirone said. “The government steps in to defend us against war, natural disasters. In cyberspace we have this idea that everyone is alone. We don’t apply that rule anywhere else. It’s an unfair approach to the problem.”