In the early morning of May 3, the City of Dallas, Texas, was hit by a ransomware attack, for which the Royal ransomware gang later took credit. The city’s police, fire rescue, water service payment, and development systems, among others, were significantly hampered by the incident, forcing many departments to revert to handwritten and radio-related communications.
In a report dated May 31, released on June 9, the city said that more than 90% of the work to restore the systems was completed. However, departments that reverted to manual work were still working on updating the records in their systems.
Throughout the attack and still-ongoing remediation, the city has released little information to the public, saying, “This is an ongoing criminal investigation. The city cannot comment on specific details which risk impeding the investigation or exposing vulnerabilities that can be exploited by an attacker.”
On June 1, Catherine Cuellar, communications, outreach and marketing director for Dallas, emailed directions to the mayor and city council to share no details about how the city handled the attack. She advised them to restrict their constituent responses to three statements “Thank you for your inquiry,'” “Rest assured we are working with third-party experts and law enforcement, and our investigation is ongoing,” and “We will share updates as appropriate.”
When contacted by CSO on June 14 for more information on the attack, Cuellar responded via email, saying, “The City of Dallas remains committed to transparency and keeping our community informed with relevant updates related to this ransomware incident. We take seriously our responsibility to share consistent, fact-based information with the public. At this time, this matter remains under investigation. We will continue to share updates as appropriate on DallasCityNews.net as new information becomes available.”
Dallas’s reluctance to share details surrounding the incident highlights what cybersecurity experts say is a delicate balance that local governments face when communicating to taxpayers about the details of ransomware attacks. On one hand, impacted citizens should know basic pertinent facts about the services disrupted by ransomware events. On the other hand, divulging too much information could play into an attacker’s hands and possibly reveal sensitive information that could embolden the threat actors or expose the government to further liability.
Municipalities respond to ransomware attacks differently from businesses
Some residents in Dallas complained about the lack of information regarding the ransomware attack. One retiree, Roger Stierman, who was unable to pay his water bill online or use online library services, was quoted in the Dallas Morning News as saying, “The biggest issue is all the uncertainty. There’s this black cloud, and we just don’t know what’s going on with the city.”
Michael Hamilton, former CISO of the City of Seattle and now co-founder and CISO of Critical Insight, tells CSO, “While services are disrupted, you got to give people, if not a reason for something, at least the ETA, as well as you can estimate it, for when services will be returned. So, withholding information that further curtails the ability of the public to pay bills and stuff like that really does impact all the citizenry.”
The need to communicate to the public during a ransomware attack is even more imperative following a ransomware attack for local governments than for businesses, Allan Liska, threat intelligence analyst at Recorded Future, tells CSO. “I think that municipalities and governments, in general, have an obligation to be more open than private organizations,” he says. “Because a ransomware attack on a city, town, or school affects more than just that entity. It affects everybody who lives there or goes to the school, etc.”
Liska thinks cities are unusually tight-lipped when it comes to ransomware attacks. “Most towns and cities, states, schools, school systems have taken the opposite tack [from being transparent],” he says. “If you’ve ever tried submitting a FOIA [Freedom of Information Act] request to get information about ransomware attacks, you will be told no. Even the fact that there was a ransomware attack could be considered giving information to the bad guys, which is dumb because they already know they hit you.”
Munish Walther-Puri, senior director of critical infrastructure at Exiger and former Cyber Critical Services and Infrastructure (CCSI) liaison officer at New York City Cyber Command, tells CSO that most municipalities face pressures different from what businesses face. “For a private sector company, their counsel and legal advisors are advising, ‘Don’t say anything, or if we need to disclose it on an SEC filing, then we will,” he says. “But for a city, the services are unavailable, and citizens have a mechanism to recognize and report that.”
When services are unavailable city-wide, and while personnel are still trying to figure out what’s going on, it’s essential to put out at least some form of communication. “There are some models, and I’ve seen these rarely in municipalities and cities, where they will regularly update and say, we don’t have an update, we’re still working on it,” Walther-Puri says. “Sometimes just stating that can be an effective form of communication because it tells people two things. One, it’s validation that something is going on, and two, that you are going to communicate with them even if it’s not more communication or deep, more quality communication. There’s a frequency to it, and they can expect that there will be some kind of update. The tendency is to want to communicate when it’s done and when there’s high confidence. This kind of crisis communication is tricky when you have citizen services at stake.”
Keeping ransomware details under wraps
As is true in the case of Dallas, many municipalities are reluctant to communicate in the aftermath of a ransomware attack due to advice from lawyers, insurance companies, and law enforcement or out of fear that saying too much will give the attackers either an upper hand in negotiations or, worse, hand them new information that could invite more malfeasance.
“Very often, the first point of contact is with a law firm, which in this context is known as a breach coach. The law firm handles the appointment of the incident response team, including the forensic investigators,” Brett Callow, threat analyst at Emsisoft, tells CSO. “That way, their reports are protected by attorney-client privilege and difficult to access should taxpayers or customers wish to take legal proceedings.”
Law enforcement often intercedes to keep details out of the public eye. “These incidents are active, ongoing investigations that usually involve law enforcement,” Callow says. So [municipalities] might be limited regarding what information they can give out for those reasons. Plus, they don’t want to give out bad information and then look silly by having to backpedal something.”
Hamilton points out the role of insurance companies in keeping cities quiet about ransomware attacks. “In your cyber insurance policy, on line one, it says, ‘Call us first,'” he says. So, in the case of Dallas, the insurance company could have been “in there trying to manage this from the perspective of a profit-making business that doesn’t want to go pay a gigantic ransom demand and balance that against what’s it going to cost to put everything back together if they don’t pay that ransom.”
Hamilton also notes that public disclosure laws come into play with municipal ransomware attacks. “Many sunshine laws have recently been amended to exempt information that would disclose vulnerabilities or the controls used in infrastructure,” he says. Those laws often dovetail with municipal public information officers’ only rudimentary understanding of the technical aspects of the infrastructure, resulting in their reluctance to share only the most anodyne information.
In the case of Dallas, “I think there may have been a little caution there because they’re not really familiar with the things they’re talking about unless it’s a very carefully crafted message and everybody’s on the same page,” Hamilton says. “When there’s a lot of confusion, that’s probably a little more difficult to pull off.”
Keeping information away from the attackers
Municipalities must worry about how much information they put out because ransomware gangs enjoy reading press reports of their attacks and might glean useful information. “Think about conventional criminals occasionally returning to the crime scene and more savvy criminals watching the law enforcement response, to learn,” Walther-Puri says. “How long did it take them? Who did they bring in? What did they call them? How are they phrasing it? Did they figure out it was Royal? How soon did they figure out it was Royal?”
Malicious actors could use any statements municipalities as leverage in ransom negotiations, Walther-Puri cautions. “They might not have known that they impacted some of these services. Now they can come back around in their current negotiations and say, ‘Hey, we know that this service is out.’ They’ll go on social media, find tweets from frustrated citizens who aren’t getting served, and they will use that as pressure.”
However, the fear of giving too much information to the attacker should not be an excuse to back away from informing the citizenry. “You still need to communicate enough and can’t think about the attacker. They’re evil bastards,” Liska says.
No reporting structure in place
The consensus among the experts is that ransomware attacks on municipalities will continue indefinitely. “Ransomware is too profitable to think this is simply going to go away,” Callow says.
Moreover, municipal ransomware attacks appear to be on the rise. “I do think that one of the challenges that we have here is we know that ransomware attacks against state and local governments are increasing,” Liska says. “But because there’s no centralized reporting structure, we have no idea what that looks like overall or how bad the problem is. We need to figure out broadly how we can put a better reporting structure in place so that we have a better concept of how bad this situation is and what we need to do to fix it,” he says.
But Walther-Puri thinks it could be tricky to get cities to agree to report their ransomware attacks to a central location. “There are some challenges to municipalities and government entities sharing information with another government organization and basically providing an NDA equivalent,” he says.
The Multi-State ISAC has some repositories, but they entail a government entity signing off on anyone seeing their data. “You can appreciate there’s a lot of sensitivity in what happened,” Walther-Puri says.
In the meantime, cities can share support for their peers when a ransomware attack occurs. “When I worked for the city, and we looked at other municipalities, and we looked at anyone who impacted, we would look with empathy and humility,” Walther-Puri says. “We had no hubris. With municipalities, there is a sense of learning from each other and being supportive of one another.”
Copyright © 2023 IDG Communications, Inc.