The thought keeps Harold Schomaker up at night: getting hacked.
Schomaker, Largo’s information technology director and chief information officer, says the government for his bedroom community of about 85,000 people follows best practices for cybersecurity.
But recent news that the Florida cities of Riviera Beach and Lake City were so paralyzed by ransomware attacks that they paid a combined $1 million plus to their attackers can’t help but unsettle him.
“It’s my biggest fear,” Schomaker said, adding that his city gets non-stop cyber threats. “Most of the time, you don’t even know it’s happened until after it has happened.”
The recent cyber attacks on Riviera Beach and Lake City knocked out email, phone service and data on the cities’ systems.
News of those attacks came only weeks after the announcement of a ransomware attack on Baltimore. While that port city refused to pay a ransom to its attackers, officials say it will cost more than $18 million as it rebuilds Baltimore’s systems. according to news reports.
Assaults on government agencies using ransomware, a type of malware designed to extort money or other payoff by blocking systems or making changes to a victim’s computer, are not new. But experts say such attacks have increased in frequency in recent years.
At least 170 U.S. state and local governments have publicly acknowledged ransomware intrusions since 2013, according to a report by Recorded Future, a cyber security firm near Boston. And that’s likely only a fraction of the total attacks, that report noted.
That means government organizations — from tiny Belleair Bluffs to larger municipalities like the city of St. Petersburg — are well aware of the threats hackers pose.
“Ransomware is a growing trend right now because (hackers) saw potential,” said Miloslava Plachkinova, interim director of the University of Tampa’s cybersecurity program. She said cyber criminals “saw organizations and governments were not doing enough to protect themselves.”
It can be hard to stop an attack, Plachkinova said. But best practices like routine backups, segmented networks and training employees to be wary of clicking unfamiliar links can deter attacks and mitigate problems if they succeed.
Allan Liska, an intelligence analyst with Recorded Future, said ransomware attackers tend to be opportunists, looking for weak systems.
He said that tends to be smaller or mid-size towns that “don’t necessarily have the money to put the protections in place to keep the bad guys out.”
Liska said he’s had many conversations with IT employees or others “on the front line in these towns.” He said many have put in appeals for years to get protections in place but funding requests have been ignored or delayed.
The city of Tampa is “very confident” in its “active” cyber security program, said communications director Ashley Bauman. She declined to discuss details.
Across the bay, St. Petersburg faces perpetual threats but has security protocols to limit risk, said Brian Campbell, the city’s chief information security officer. He said the city hasn’t faced any system-wide ransomware breaches, although he said there was a breach on a single person’s laptop three to four years ago.
Chris Arbutine, mayor of the tiny Belleair Bluffs (pop: 2,000), didn’t specify cyber security measures taken, referring questions to the city’s IT company, which did not respond. Arbutine said many of his city’s services — such as police and fire — are outsourced, so an attack on his city wouldn’t hurt some of the vital functions.
In Riviera Beach, which has 35,000 residents, the hackers apparently got into the city’s system when an employee clicked an email link that uploaded malware.
The South Florida city agreed to pay $600,000 in ransom.
Lake City — a small community roughly 60 miles west of Jacksonville — said Tuesday that it paid roughly $460,000 in bitcoin to hackers. Paying the ransom was the most cost-effective solution for the city, said city manager Joe Helfenberger.
“We had data from the beginning of when the city was operating until now,” Helfenberger said, adding that much of it would be lost.
There’s debate about whether ransomware victims should pay their attackers. An FBI guidance document for chief information officers says that the U.S. government “does not encourage paying a ransom to criminal actors,” saying that doing so could “inadvertently encourage this criminal business model” and noting that paying does not guarantee that the organization will regain access to their data or not be targeted again.
But the FBI and others also say victims should consider how feasible it is to restart systems without paying the ransom.
“Paying the ransom may be the only possible way to get a functioning system back,” said Nathan Fisk, assistant professor of cyber security education at the University of South Florida. He said the ransom may be considerably less than the damage from an attack.
Lake City had insurance but it did not cover recreation of data, so it opted to pay a $10,000 deductible and let insurance cover the rest. Riviera Beach also used insurance to cover most of the ransom.
The bottom line, experts say: beef up systems now and pay attention to best practices.
“This is not something unexpected. This is not new,” said Kurt Baumgartner, principal security researcher with cyber security firm Kaspersky. “This is something that people need to pay attention to.”