Linda Poon is an assistant editor at CityLab covering science and urban technology, including smart cities and climate change. She previously covered global health and development for NPR’s Goats and Soda blog.
Cybersecurity expert Cesar Cerrudo predicted ransomware attacks like the one that paralyzed Atlanta’s city government. City leaders everywhere should understand this threat, he says—and how it could have been a lot worse.
For more than a week, one of America’s largest cities has been caught in a “hostage situation.” That’s how Atlanta Mayor Keisha Bottoms described the crippling cyberattack from an infamous hacker group known as SamSam, which started last Thursday and has essentially forced an aspiring smart city to revert to pen and paper.
The cyberattack involved, among other things, hackers encrypting city files, locking access to online services, and blocking the city from processing court cases and warrants. (Emergency systems were unaffected.) To set it all free, the hackers demanded a ransom: $51,000 in Bitcoin.
With help from the locally based security firm Dell SecureWorks, Atlanta has since recovered some of its services, including its 311 website, which resumed accepting online service requests on Friday. The deadline for the city to pay up may soon expire—SamSam typically gives its victims about a week. Yet as of this writing, the city remains mum on whether it has given in to the hackers’ demands.
To some, this may sound familiar—like a less thrilling version of a Die Hard plot line. It was certainly nothing new for Cesar Cerrudo, but that’s because he predicted this type of attack three years ago. In a 2015 white paper for the security firm IOActive Labs, the professional hacker outlined one of the many dangers of being ill-prepared against cyber threats:
For instance, cybercriminals could find a good business opportunity: Charging cities a ransom to regain control of compromised systems and infrastructure. Their message could be: “Do you want the smart grid back? Then pay us $100 million in Bitcoins.”
Granted, few security experts find Atlanta’s predicament extraordinary. Just last month, Leeds, Alabama, paid hackers $12,000 (also in Bitcoin) to regain control of its computer systems. And in the last year, ransomware attacks have targeted cities in North Carolina, Tennessee, New Jersey—and the list goes on. Atlanta’s attack was particularly widespread, potentially affecting nearly 6 million people.
Cerrudo, chief technology officer of IOActive Lab and founder of the nonprofit Securing Smart Cities, has been on a crusade for years to warn cities that they shouldn’t pursue smart-city technology if they aren’t fully prepared to address the security vulnerabilities. He even went as far as to “hack” traffic systems (in a controlled lab setting) to expose their gaps.
When asked about his reaction to this latest attack, Cerrudo said he wasn’t surprised: “I was annoyed and angry, because something like that could have been prevented a long time ago.” Cerrudo spoke with CityLab about why cities need to get serious about cybersecurity, and what’s at stake if they don’t. This interview has been edited for length and clarity.
The details are still largely unknown, but reports say SamSam targets organizations with weak security, typically exploiting unpatched vulnerabilities in technology. As far as you can tell, how was Atlanta ill-prepared for this hack?
[At least one report] says that the attackers exploited some vulnerabilities that were fixed last year, after tools developed by NSA were leaked. If accurate, what this information says is that Atlanta’s systems are not up to date on security fixes. This is not uncommon, because sometimes it’s very difficult for large organizations to keep all the systems up to date.
Yet it’s a common practice. Cities in general approach cybersecurity like private companies do. But at the government level, you have fewer resources and also fewer skilled people, which makes things more difficult. You also have to deal with politics, and security is something invisible, particularly if people perceive that there aren’t that many attacks.
But if you don’t keep up to date with security fixes, you can get caught with, in this case, a destructive malware ransomware.
Reports have called SamSam “opportunistic,” in that the group is just really after money. As far as government hacking goes, how bad is Atlanta’s situation?
It could have been a lot worse. Last year Dallas’s alarm system was hacked, and tornado sirens were fired at night for one or two hours until the authorities could turn them off. That resulted in panic and 4,000 calls to 911. In 2016, San Francisco’s railway system was also hit by ransomware, so they had to let the people ride for free until they could recover the system. Last November, a ransomware attack on Sacramento’s regional transit system deleted 30 million files, and there are more attacks on utilities—power grids and water plant, for example— and airports, too. So the consequences are very different and can be broad, sometimes creating a cascade effect.
In the case of Atlanta, it doesn’t seem like critical systems were affected. The cyber criminals just wanted to do the least effort to get the maximum profit; they just wanted an easy way to make money. So I think it was, you know, luck. If a serious attacker proposed to bring down a city, they could do it.
Should the city have just paid the ransom?
Well, when you’re affected by a ransomware attack, there are only two ways to fix it: You pay or you have a recent backup from where you can recover all the information.
Now, having backup copies of important information is a common practice that is done at private and public organizations. The problem is that they could be done weekly, daily, or every five hours. And between each backup, there could be a lot of new valuable information. If the ransomware infected the system between backups, then it could have locked them. So it depends. If Atlanta doesn’t have backups of critical information, they probably will end up paying—unless they don’t care about losing it.
What are the lessons to be learned from this incident?
The first lesson is that we should start educating the people, the politicians, and other key decision makers that cyber security is important, and why it is important. If people don’t understand this, then no one will invest in cyber security and almost nothing will change. And you have to actively invest in security; it’s not something you do once and it’s safe. There is no time to waste, because after the attack last week, another one can happen today or tomorrow. It’s nothing that’s going to go away. It will only get worse, not better.
And in some ways, that’s because cities are racing to become “smart”?
When a city plans to acquire new technology, they do a lot of functionality testing. They will test if the technology is strong, if it can scale, but they do almost no security testing. So they acquire one technology and deploy without making sure that it’s secure enough so that it won’t be hacked. And that’s a big problem, because that means that every day you do that with different technologies you are creating more possibilities for an attack.
This is what you described in your 2015 paper as “attack surfaces,” in which sensors can be manipulated to fake earthquakes and shootings to cause panic, or entire blocks can go dark if hackers attack smart streetlights, and even open data can be mined to time certain attacks.
Right. We keep using more and more technology, and as our dependence on it grows, so do the attack surfaces—if you are deploying insecure technology.
So what are the roles that different levels of government can play here?
There should be federal regulations requiring technology providers to follow basic security practices [if they are selling to governments]. They have to say, invest in cyber security and have default protection against cyber attacks. Otherwise vendors can lie. I’ve seen cities ask vendors if their product uses encryption and authentication technology, and the vendor will say yes. Maybe it’s lying, but even if it’s not, the protection is very easy to hack.
At the city level, you should have a security program in place for evaluating new technology. You make sure that the proper security protections are in place, and that they can be updated easily. Then you also have to have plans to react to attacks, with very specific procedures for every department—the same way cities have emergency plans for things like earthquakes. But that’s usually not the case. Cities also need to have a specific team to coordinate security measures across organizations, especially with the widespread adoption of new technology.
You’ve essentially been calling for this for years. Does it seem like this particular incident will spark other cities to take cybersecurity more seriously?
For Atlanta, they had a hard lesson and will probably start investing in better security. I’m not sure about other cities, maybe they will take notice. In general, what happens is that you don’t pay attention until you have water up to your neck.
The thing about huge cyber attacks on cities is that they may not be happening regularly, but it’s not because they are difficult or impossible. It’s just a matter of skills, effort, and time to do it. The possibilities are there. The vulnerable technology is out there. So it’s just a matter of time that someone decides to do it.