With some municipalities paying a ransom to get their information back during a recent flurry of crippling computer attacks, Deputy Town Manager Jay Boodheshwar said that Palm Beach has multiple layers of cybersecurity protections in place.
In the past few weeks, the neighboring city of Riviera Beach and the North Florida town of Lake City paid a ransom to retrieve the information from their paralyzed computer systems. Riviera Beach paid $600,000, while Lake City paid $500,000. In both cases, the hackers demanded the ransom be paid in bitcoin, a cryptocurrency that is hard to trace.
Key Biscayne is the third – and most recent – Florida town to be hit by a ransomware attack during the month of June. The incident happened on June 23 and all network systems were up and running within three days.
Mr. Boodheshwar said the cities that paid the ransoms may not have a strong and extensive backup system.
“If you pay a ransom, there is no guarantee you’re going to get the key code or that the key code will work,” he said. “Sometimes you never get the key at all or sometimes it doesn’t work, or it only opens partial files. Sometimes they will give you some information back and then ask for more money. I can understand the desperation to retrieve files that weren’t backed up, but you’re basically negotiating with criminals.”
In September 2016, the Town of Palm Beach had two ransomware attacks within a two-week span.
“We lost a little bit of information,” Mr. Boodheshwar said. “We worked with the FBI when we had our situation and the FBI strongly advised against paying the ransom. We’ve improved our backup so that if there is some type of intrusion, we simply restore to the previous day. We may lose a couple of hours, but that’s the difference.”
Since those cyber attacks, the town has installed software that creates multiple barriers into the network, Mr. Boodheshwar said. In addition, the town trains staff on how to spot malicious phishing emails, which look like legitimate emails but come from computer hackers looking to hijack the system.
“We also hire a white hat attacker,” he said. “He’s an attacker, but he’s a good guy and he finds the holes in our system. He will write up a report and we close up those holes.”
There have been dozens of cities, large and small, hit by ransomware attacks across the United States in the past few years. Among them: Atlanta, Baltimore, and Cleveland.
Professor Patrick Traynor, co-director of the Florida Institute for Cybersecurity Research at the University of Florida, says that extensive backups are essential to municipalities.
“Municipal officials should treat cyber threats like ransomware the same way they would consider a direct strike from a tornado,” Prof. Traynor said. “As such, the most critical thing for municipalities to do right now is to ensure that they are creating comprehensive backups and have a disaster recovery plan. It’s critical that administrators go beyond checking a box and saying, ‘we are ready.’ Instead, they need to regularly attempt to restore from backups, to know which systems are actually backed up (and which aren’t), and to know who is responsible for what steps when disasters (be they fire, an earthquake, or ransomware) indeed strike.”
Regarding cities paying a ransom to get their information back, Prof. Traynor said, “There is no Better Business Bureau for ransomware victims, and therefore no guarantee that paying the attackers will indeed decrypt your files. There is also no guarantee that the attacker will not attack again after the first incident is resolved. The only sustainable plan is to put protections in place so that you do not need to pay the attacker if they are successful in their efforts.”
Harvey L. Poppel is chairman of the Civic Association’s Long Range Planning Committee. In his opinion, the most important thing is having an outside party test the strength of the cybersecurity.
“Every organization must have an outside party periodically check out the fidelity of the system and it can’t be pre-arranged,” Mr. Poppel said. “I can’t highlight enough the importance of an unannounced cybersecurity system.”