“Not if but when”: US mayors share lessons learned about coping with ransomware attacks
The technological revolution allows cities to deliver citizen services more effectively. But sticking with the status quo and not modernizing IT systems can expose cities to cybercrimes including ransomware. A number of U.S. cities, such as Atlanta and Baltimore, have been the targets of recent high-profile ransomware attacks, with recovery costs running to hundreds of millions of dollars.
At the 2019 CityLab Summit in Washington, D.C., the AWS Institute convened a breakfast roundtable with mayors, CIOs, and cybersecurity leaders from Akron, OH; Albany, NY; Atlanta, GA; Little Rock, AK; and South Bend, IN. The leaders discussed their experiences, including the fact that modernizing infrastructure is essential to avoid vulnerability. Here are five lessons they shared about coping with ransomware and other cyber attacks.
1. IT security is only as strong as the weakest link
Cities develop IT infrastructure for different departments, such as fire, police, and taxation, at different times with differing levels of security protection. Malicious actors will target the weakest link in the chain in order to infiltrate the whole system. Cities need to treat their IT infrastructure and data protection practices as an integrated system and not just focus on a few key operations.
2. Act at the first sign of an emergency
Administrators at one city hit by a ransomware attack realized later that they should have activated their emergency operations center at the first sign of the problem, rather than spending time investigating the extent and nature of the problem. Activating the emergency operations center brought in important recovery resources including military and state-level support. Also, vendors can be key partners in helping to expedite recovery.
3. Cutting corners has a high cost
The public demands more and more services from cities with ever-shrinking budgets. The temptation to cut corners on cybersecurity is high. But, as long as malicious actors can find a way to profit from cities, it’s not a matter of if, but when an attack will occur. Cutting corners on cybersecurity creates more problems than it solves because of the high costs of recovery. Risk increases with the use of legacy systems due to the inability to secure them and a lack of updates. While cities try to make do with out-of-date systems, global cyber criminals have state-of-the-art technology. Vendors also have a responsibility to make sure that they work with cities to find the most secure and resilient solutions, and not necessarily the lowest-cost options.
4. “We didn’t know what we didn’t know”
Cities focus on meeting basic citizen needs such as lights, roads, and trash collection. Until a city experiences a ransomware attack, it is hard to know all of the areas of vulnerability. Is data secure? Where are the back-ups? Can we run an online system offline? A systems-wide approach to data security is not just the job of the CIO and IT; all department managers must be invested in the integrity of the data in their own departments. Effective protection requires practice. Experts recommend frequent advance drills and simulations so that when a real emergency hits, cities can respond quickly and appropriately.
5. Balance between disclosure and confidentiality
When a city is experiencing a cyber-attack, citizens demand information about the incident and how it will affect them. Without transparency and disclosure, misinformation can provoke panic. On the other hand, global bad actors are also paying attention. A city that publicizes its vulnerability runs the risk of becoming an even greater target. City officials agree that the public disclosure question is a fine balance, but they also agree that communication is key to public trust.
Read what Teresa Carlson, AWS worldwide public sector vice president, has to say about how cloud migration helps protect against ransomware attacks. Read more about AWS for state and local government.
 See Public Policy Forum, The Risks of the Digital Status Quo, October 2019.