The Ransomware Attack in Baltimore: A Failure of Organizational Resilience

Beginning in early May, a successful phishing scheme paralyzed part of the city of Baltimore’s computer networks through a ransomware attack. The attack took hold of multiple computer systems used to run the government, remotely encrypting all the systems’ files. The attackers demanded around $80,000 for the systems’ release. As Baltimore officials continue to deal with fallout from this cyber attack, with at least the water billing system still not up and running, the lack of organizational resilience both in and out of cyberspace is laid bare. The attack crippled city operations, with city emails and voicemails unable to be accessed for weeks, and the malware took down the systems through which city residents pay water bills, property taxes, and traffic citations, as well as the city’s ability to officially close real estate sales.

While many of those functions were back up and running by early July, lingering issues and the estimated $18 million cost of recovering from the attack are a testament to the reality that in 2019, cyber technology undergirds and connects some of the most fundamental aspects of everyday life. These systems are central to the basic function of government and because they serve the public, the network repairs and rebuilding must be done with organizational resilience in mind. Employing best practices and adhering to international standards, such as standards on information security and business continuity, can help organizations and governments weather cyber attacks and other disruptions.

The first step in improving organizational resilience is to perform a benchmarking audit to understand an organization’s strengths and weaknesses, taking stock of issues like governance risk and the supply chain.

To improve organizational resilience, organizations need to adopt a stance of preventative control, mindful action, performance optimization and adaptive innovation to embed competence and capability throughout the organization. From the initial benchmark and understanding of areas in need of improvement, organizations should examine which areas are defensive (stopping bad things from happening) in nature and those that are progressive (enabling good things to happen).

In Baltimore, the failure to put up basic cyber defenses played a large part in the attack. A critical vulnerability in Microsoft software, famously exploited in 2017’s WannaCry ransomware attacks, was still present in the city of Baltimore’s computer systems at the time of the attack. Microsoft introduced a patch for the vulnerability in 2017, yet the city never updated its systems to defend against this well-known threat. Even massively important organizations like the Baltimore City Government are not adequately preparing for cyber threats, and the consequences of this oversight are now being felt by individuals and businesses throughout the Baltimore area.

Importantly, Baltimore is not an outlier when it comes to lax cybersecurity. Just last year the city government of Atlanta was hit by a ransomware attack, and a recent article in the Washington Post highlights how poor funding for IT departments in city budgets around the United States makes many local governments vulnerable to cyber attacks. The New York Times recently noted that even in cities that are insured, and therefore able to pay a ransom, those payments don’t mean all services are restored immediately.

Baltimore also missed opportunities for progressive organizational resilience. Reports from Baltimore officials speculate that the ransomware attack was initiated through phishing efforts. While phishing attacks are difficult to deter, regular training of city employees on good cybersecurity hygiene could have possibly foiled this attack before it started. Training and education are among the methods of progressive organizational resilience that organizations can add to their efforts.

The lack of plans on what to do in case the computer networks went down also stymied Baltimore officials. In an attempt to get city systems back up and running, city employees created free Gmail accounts. These workarounds were initially shut down by Google because they triggered Google’s automated security system when numerous accounts were being created from the same IP address, and because of the type of use for these accounts, should be under Gmail’s paid G-Suite service. A lack of contingency plans also left anyone trying to sell a property within Baltimore in a lurch. While not infected with malware, the system that creates and processes lien certificates used in processing deeds had to be shut down. That meant the city had to implement a manual procedure that required sellers to sign an affidavit that they will pay any outstanding taxes or other liens on the property within 10 days of being invoiced by the city.

The cost and long-term effects of this cyber attack and lack of organizational resilience in Baltimore will be felt for years to come. Hopefully, as the city recovers and examines its systems and processes, officials will decide to implement the principles of organizational resilience and abide by best practices to ensure business continuity. Because computer networks are so central to the delivery of services, it is paramount that governments safeguard their collective cybersecurity and stay updated on evolving cyber threats and to remain vigilant about cyber defenses.