By Diane Reynolds, Bradford Meisel, and Rick Gideon, Jr.
America’s city and local governments are under attack from ransomware, which disables entire computer system networks until the victim pays a ransom in cryptocurrency, and the results have been catastrophic. On Dec. 13, New Orleans suffered a ransomware attack that forced all city servers to shut down and Mayor LaToya Cantrell was forced to declare a State of Emergency. This was just the latest in a long string of devastating ransomware attacks targeting local governments in cities as well as smaller municipalities and school districts across the United States.
In May of 2019, Baltimore suffered a ransomware attack that cost the city approximately $18 million in remediation costs and left the city unable to close real estate purchases or process water bill payments for over two weeks. In March of 2018, the Atlanta suffered a ransomware attack that could reportedly cost taxpayers up to $17 million. On Nov. 23, 2019, the Livingston School District suffered a ransomware attack that disabled the district’s computer systems and delayed classes.
Although the FBI and the United States Conference of Mayors have warned against paying ransom demands, in part because paying such demands will encourage hackers to strike again, many municipal governments have paid hackers’ ransoms in order to avoid lengthy system outages, even though regaining access to the data does not necessarily close the door the hackers used to access it in the first place.
For example, Jackson County, Georgia paid $400,000 in ransom and Riviera Beach, Florida paid over $600,000 in ransom after suffering ransomware attacks in March and June of 2019, respectively. Similarly, Hackensack Meridian Health, New Jersey’s largest healthcare system, which operates 17 hospitals statewide, paid hackers an undisclosed amount after suffering a ransomware attack in December of 2019 that disabled computer networks for two days and delayed non-emergency procedures.
Since ransomware attacks can be the work of hostile state actors — such as North Korea and Iran, or foreign organized crime syndicates — municipal government cybersecurity can have critical global and national security implications.
While large cities may be the most appealing targets to hostile state actors seeking to create fear or chaos in the United States or retaliate for United States military action abroad, smaller municipalities may also be targeted by such foreign actors seeking to extort ransom that could be used to enhance weapons programs in anticipation of armed conflict.
In order to counteract the ransomware epidemic, municipal governments must make cybersecurity a priority and develop effective cybersecurity incident prevention and response practices that can minimize the effectiveness of ransomware attacks. It is evident, given our experience, that the most effective method of developing such cybersecurity incident prevention and response practices is for municipal governments to establish an interdisciplinary team of experts including specialized information technology and security professionals with diverse experience to oversee enterprise-wide cybersecurity.
While large cities should hire a team of full-time professional experts under the supervision of in-house city attorneys to fill this vital role, smaller municipalities with more limited resources would be well advised to retain outside law firms with cybersecurity and data privacy expertise to assemble and oversee such teams of outside experts.
An interdisciplinary cybersecurity team can assist municipal governments by conducting cybersecurity assessments in order to identify technical vulnerabilities and evaluate existing policies, practices, and procedures related to cybersecurity, including employee monitoring and technology use restrictions, which can often prevent employees from causing cybersecurity incidents by inadvertently downloading malware, including ransomware, from questionable websites. Based on the findings of such assessments, an interdisciplinary cybersecurity team can assist municipalities in creating and effectively implementing new policies and procedures that would reduce or eliminate existing cybersecurity risks, upgrading or replacing software, hardware, or other technology with identified vulnerabilities.
Although it may be impossible to prevent ransomware from continuing to strike America’s municipal governments, municipalities can best protect themselves, their residents, and national and global security by prioritizing cybersecurity and establishing an interdisciplinary cybersecurity team to oversee their efforts to prevent potentially devastating cyberattacks.
Diane Reynolds and Bradford Meisel are corporate, cybersecurity, and data privacy attorneys with McElroy, Deutsch, Mulvaney & Carpenter, which has offices in New Jersey and eight other states. Rick Gideon, Jr. is chief strategy officer at Ecommerce L.L.C.
The Star-Ledger/NJ.com encourages submissions of opinion. Bookmark NJ.com/Opinion. Follow us on Twitter @NJ_Opinion and on Facebook at NJ.com Opinion. Get the latest news updates right in your inbox. Subscribe to NJ.com’s newsletters.