Ransomware can hold cities hostage. Will cyber insurance help?

Kacper Pempel/Reuters/File
A man holds a laptop computer as cyber code is projected on him. In the past year, more than 70 state and local governments have been subjected to ransomware attacks.

When officials in Baltimore discovered hackers had seized control of municipal computer systems, the city was eager to get back to business. But when the mayor received a ransom demand from the hackers responsible, he refused to pay.

Cyber insurance can, in theory, help municipalities that have fallen victim to so-called ransomware attacks return to operations quickly. But for many city officials, the idea of using insurance to negotiate with hackers presents an ethical challenge because it rewards cybertheft.

Why We Wrote This

Preparing for disaster is a part of city management. But when it comes to preparing for ransomware cyberattacks, officials must weigh whether preparation emboldens or deters hackers.

More than 70 state and local governments have been subjected to ransomware attacks in 2019, according to research by Barracuda Networks. Increasingly, municipalities are investing in cyber insurance to offset the costs incurred during a cyber incident, even if they take a principled stance against paying ransoms.

Fleming Shi, chief technology officer at Barracuda, suggests cities think of cyber insurance, and cybersecurity in general, as a regular component of emergency management.

“Just like we test the city’s capabilities to respond to fire,” says Mr. Shi, “we have to have our citizens stand up and say, ‘How is my data protected?’”

As the director of the Baltimore mayor’s office of emergency management, David McMillan prepares for the worst. He plans for and coordinates the response to power outages, storms, and other hazardous situations. 

In early May, Mr. McMillan faced a new emergency – a ransomware attack on the city’s computers. The malicious software shut off email communications, stopped online bill payments, and locked the city’s files. City employees wandered City Hall, uncertain what to do sans computers.

“The most important role for emergency management during a cyber incident is to ensure continuity of operations,” says Mr. McMillan, in an email. But a growing number of cities, including Baltimore, are beginning to sketch boundaries around how far they will go to return to business as usual.

This is one type of disaster where money can, in a sense, resolve the problem. As the name suggests, ransomware attackers typically offer to restore full server access – for a price. Cyber insurance can, in theory, help municipalities that have fallen victim to such attacks get back to business quickly. But for many city officials, the idea of using insurance to negotiate with hackers presents an ethical challenge because it rewards cybertheft.

Hackers are undoubtedly aware that cities have access to such insurance policies, says Fleming Shi, chief technology officer at Barracuda Networks, a California-based cybersecurity company. They may feel emboldened to ask for larger sums. “They’re going to see that as a nice fat check,” he says.

More than 70 state and local governments have been subjected to ransomware attacks in 2019, according to research by Barracuda. In December, city governments in Pensacola, Florida, and New Orleans both found their computer systems held hostage. Without insurance, municipalities risk bearing the cost of an attack all alone. But with insurance, municipalities can potentially deliver a bigger payout to the assailants.

In June, such insurance checks helped two cities in Florida regain access to their systems at a fraction of the ransom request. When Lake City was charged a ransom of about $460,000, the city itself was only on the hook for a $10,000 deductible; cyber insurance picked up the difference. Riviera Beach used insurance to pay off a roughly $600,000 ransom, after paying a $25,000 deductible.

In both cases, ransomers walked away with a windfall. But the motive behind targeting municipalities with ransomware is not always solely financial.

Voter information or other private, personal information held by municipalities can be stolen in a ransomware attack, Mr. Shi says. In addition to locking the system, attackers can gain access to a system’s files – a problem that paying a ransom does not solve.

Sudhin Thanawala/AP
County Sheriff Janis Mangum stands in a control room at the county jail in Jefferson, Georgia, Sept. 12, 2019. A ransomware attack in March took down the office's computer system, forcing deputies to handwrite incident reports and arrest bookings.

When Baltimore Mayor Bernard “Jack” Young received a ransom demand of about $76,000 in Bitcoin, he refused to pay. That decision meant that the city instead absorbed more than $5 million in systems repair and data recovery.

Over the summer, Mr. Young helped rally his mayoral colleagues behind a pledge to stand “united against paying ransoms in the event of an IT security breach.” The resolution, which he co-sponsored with Las Vegas Mayor Carolyn Goodman, was unanimously adopted by more than 1,400 mayors represented by the U.S. Conference of Mayors.

The resolution to not pay ransoms did not prevent Baltimore from investigating and eventually purchasing cyber insurance. In October, Baltimore’s Board of Estimates voted unanimously to purchase two policies, totaling $800,000 for one year of coverage.

The policies’ total coverage of $20 million could be used to offset costs incurred by business interruption, and to pay for investigation and response teams.

The trend over the past five years has been toward having a cyber insurance policy as a best practice, says Josh Zelonis, a principal analyst at the Massachusetts-based market research company Forrester. But Mr. Zelonis called paying a ransom with insurance “a very touchy area.” 

John Fokker, head of cyber investigations for McAfee Advanced Threat Research, also sees overall benefits in cyber insurance.

“No matter how secure your organization is you will always be left with that last piece of risk that you cannot cover with regular IT systems,” says Mr. Fokker, a co-founder of the international No More Ransom Project. “The insurance can cover that part and it will cover any additional costs, which you have to make after an attack takes place.”

Mr. Fokker, who formerly worked in law enforcement and helped author the section on ransomware in the 2020 Threats Predictions Report for McAfee Labs, put it clearly: “Cyber insurance doesn’t protect you against ransomware.”  

As Baltimore’s new cybersecurity committee, created in the wake of the May attack, held its first hearing in November, emergency management director Mr. McMillan fielded council members’ questions about what is being done to prepare and plan for future attacks.

“Lots of other major American cities were reaching out to me,” Mr. McMillan told the committee members. The other cities wanted to know how they can improve and prepare for a cyber incident.

Mr. Shi urges municipal leaders and residents to think about cybersecurity as a regular component of emergency management.

“Just like we test the city’s capabilities to respond to fire,” says Mr. Shi, “we have to have our citizens stand up and say, ‘How is my data protected?’”

Editor's note: This article has been updated to correct John Fokker's affiliation with McAfee. He is head of cyber investigations for McAfee Advanced Threat Research.
