As many have already heard, the City of Atlanta was "Hacked" last week as it became one of the latest victims of ransomware. I've spent the better part of the weekend reviewing all the public information on the matter and I'm appalled. I'm amazed not only that a city as large as Atlanta can be infected (that's the easy part), but that their response to the attack and the information the city is giving the public is borderline criminal.
I don't need to rehash all the details of the hack; you can Google "Atlanta Hacked" and get 300 different news sources, from USA Today to local Atlanta news reports. My problem is with the statements and reactions the City itself is releasing, which seem to be those of uninformed or under-informed people watching from the outside.
What I can't understand is how City leaders are clueless as to the severity of the infection. They don't seem to have a plan for mitigating the breach and, what's worse, have NO plan for moving forward to ensure that this doesn't happen again!
Let me reiterate: I have no insider information on this hack, but that's the main issue. I've seen reports directly from City leaders where they have said "We don't know what systems have been impacted" or "We don't know if personal Data has been infected or stolen".
First off, let's talk about the response. It's clear to me that the City of Atlanta does not have an Incident Response plan that deals with a cyber attack. How do I know? Let's look at the first news conference from the Mayor's Office to report the attack to the public. Her words (according to fortune.com):
Mayor Keisha Lance Bottoms, announcing the attack in a press conference Thursday afternoon, said officials "don't know the extent of the attack," but that anyone who has done business with the city, both consumers and businesses, is potentially at risk.
Watch this asinine video press conference here
She then went on to tell everyone to "check their bank account balances".
Two days after the initial report, the Mayor, CIO and COO all made public statements, and none of them seemed to have a clue what happened, when, how, or what the City was going to do next to clean and restore the systems.
Then, as reported by multiple news agencies, employees were alerted to the attack with sheets of paper telling them they could not use their computers until each was cleared by AIM (the City's IT department). WHAT THE F..?
Now, my favorite part of the story is the CIO's statement. Mind you, this person is in charge of the information of the City. I'm paraphrasing here: "This is NOT a new issue. We have been taking active measures to mitigate any risk in the past. Those issues, those methods we've taken in the past have mitigated the expansiveness of this particular instance. In particular our "Cloud first" strategy that we put in place, trying to migrate some of our major apps and systems to the cloud, is a reflection of our intent to take it seriously in terms of trying to mitigate any malware or ransomware attacks in the future."
She went on to say that they have no timeline in place to get systems back online (even though they have a plan, according to her) but are relying on the experts at Microsoft and Cisco ISR to get systems back online. Yeah, Microsoft and Cisco have done so much thus far to protect your systems, so why not let them clean them up.
A "Cloud First" strategy? That's like saying we are protecting our physical health by watching workout videos. How the hell does a "Cloud First" strategy protect data? It doesn't. Now, she may have misspoken (I mean, listen to the press conference, they all seem clueless), but if so, why would you let these people speak for the City? She screwed up when she said the Cloud was "most secure" compared to their internal systems. If that's the case, then you are hoping that by going with large Cloud infrastructures, they are more secure. Sometimes this is the case, but if your internal resources cannot secure 8000 employees, how can you expect them to secure your systems from the world?
Again, this is borderline criminal. The City is supposed to be a steward of your information; in most cases you have no other option but to give it to them (as they provide utilities, safety services, etc.), but these people seem to have no clue what information they have, no idea where it resides, no plan for protecting it and no idea how to clean up the mess.
Their incident response plan should have detailed exactly what systems were impacted, what PII (Personally Identifiable Information) was impacted, exactly what steps they are taking to clean it up and what they are doing to make sure it doesn't happen again. Not pushing it to Microsoft or Cisco, or the FBI or Homeland, but: here is what happened, here is what we are doing to clean it up and here is what we will do to make sure it doesn't happen in the future. In 48 hours, none of these questions were answered effectively.
I won't go into their Disaster Recovery and Business Continuity plan; that's too easy, and we can all see that plan wasn't effective. I would appreciate the local media asking them about these plans, since it seems they don't have one, or if they do, it failed miserably. So why? Why does a city government in a city the size of Atlanta seem to be so unprepared to handle this attack? I need those answers, and unless I hop on a plane and am somehow granted press credentials, I don't believe I'll get them.
I'll keep watching as more information comes out about this attack and how the city of Atlanta responds, and of course I'll update accordingly. Maybe I'm wrong. Maybe the City is playing the "we are idiots" game to trick the hackers, which in itself would be amazing.
Folks, it's time to hold your City Leaders accountable. The cities of Leeds, AL; Atlanta, GA; Englewood, CO; Newark, NJ and countless others have been hit by ransomware, and none seem to be equipped to handle the attacks. Last I checked, I wasn't able to withhold my information from the City I live in based on my lack of trust, and since handing it over is required to be a resident, it should be required that these agencies protect that data. We must require them to have an appropriate Incident Response Plan, Cyber Roadmap, Penetration Testing, etc. and to protect our information to the fullest extent. I know this information is needed to provide the services we need and want, but it is their DUTY to protect us from any attack, not just physical ones.