Cyber Warfare and Local Governments

Charlie Darby
Computers and Society @ Bucknell
Apr 28, 2020 · 7 min read

Over the last few years, cyber warfare and cyber attacks have become more prevalent across the US and globally. Their targets have ranged from local governments to national power plants, and they have caused millions of dollars' worth of damage. Our intention is to look into how these attacks are carried out, what their purpose is, and how those affected by them should respond.

Traditionally, these attacks have come through one of three methods: brute force, phishing, or a Trojan horse. A brute force attack is as simple as it sounds. The hackers write a program that tries the system's user accounts against "weak" passwords (birthdays, first or last names). Once they get a password, they change it and steal or block valuable information for their own use. The other way they have typically crashed systems is phishing. Phishing is a fake link, created by the hacker, that emulates the login screen of the government website; when you enter your own username and password there, you hand them to the hacker. Here is a more detailed (and comedic) explanation of the process.

The Trojan horse method is one that we have probably all faced. A pop-up will appear saying that you have won a prize or that you have a virus, and to claim the prize or remove the virus you have to enter your personal information. The attackers can pretend to be trustworthy organizations (even using government logos) to make the horse seem more realistic.

Once the hackers have gotten into the system, they take files and information that they hold for ransom until the government meets their demand. In most cases, the reason for these ransomware attacks has been to receive a quick payment. In the case of the Baltimore hacking, the hackers asked for 13 bitcoin (~$76,000). They can also take information from the government and sell it, but during recovery efforts it is difficult to tell what has been copied and what has not. These attacks expose organizations that do not properly update and refine their infrastructure (2.9 and 36 of the ACM Code of Ethics).

There are three cases of hackers shutting down government systems and offering to restore them in exchange for a large payment. The first occurred in Atlanta, Georgia, in March 2018. The second was in Greenville, North Carolina, in April 2019. The most infamous case, the attack on Baltimore's government, happened in May 2019. The Greenville and Baltimore attacks were both carried out using a ransomware called RobbinHood, which locks up the system and displays a message demanding payment in bitcoin. With this form of payment, it is not possible to track where the payment goes or who is being paid. A different but similar kind of ransomware was used in the Atlanta attack. The risk to the hackers has proven to be lower than for other high-notoriety crimes. In the Baltimore and Greenville cases, the hackers were never found. In Atlanta, the two hackers were identified but have yet to be caught by federal authorities, and they have made over $6 million from hacking Atlanta and other small governments. In all three cases, the ransom was not paid.

For smaller governments, the aftermath of these attacks can be crippling. Choosing to pay the attackers costs a government money, but choosing not to pay them can be devastating to its financial state. The Baltimore City Government chose not to pay the RobbinHood attackers their demanded 13 bitcoin. Instead, it focused its efforts and resources on recouping its losses and rebuilding its infrastructure. Employees had to go in and re-enter roughly a year's worth of files, and the city hired an outside company to completely revamp its IT infrastructure to be more secure. It also bought insurance on the new system (which it did not have before the attack). The total restoration effort cost roughly $18 million and shut down the government for nearly a month, creating a massive backlog of unpaid bills that needed to be sorted out. Much was lost during this period: documents, taxes, money, and time. The hacker even took to Twitter to question the decision made by the Mayor of Baltimore.

There have also been incidents on a more global scale. The Ukrainian government was hacked in 2017, proving that this could be a form of technological warfare in the future. The attack in Ukraine was not for monetary gain either (the attackers requested $300 worth of bitcoin); it was purely to cause destruction.

Ransom situations raise many ethical questions, and Baltimore's residents are still in disagreement over whether or not the ransom should have been paid. At first thought, it might seem smart to pay the much smaller ransom to avoid the huge costs of completely revamping the security infrastructure. This could also save a lot of time and would prevent people from losing information or having it stolen. However, the mayor stands by his original decision not to pay the ransom and has even given an explanation to the public. One big point is that data shows there is a less than 50% chance of actually getting data back after paying the ransom. Even if the ransom is paid, the hackers and the ransomware could still be in the system. One might suggest paying the ransom and tracking the payment, but because of the requested payment method, tracking is not possible.

Considering all possibilities, the best-case scenario would probably be one where the government pays the ransom and the servers are completely restored, but that would require complete trust in the hackers. The worst-case scenario would be one where the government pays the ransom and the servers are not restored; instead, the hackers take the money and run, leaving the government to deal with the mess that remains. The most likely (and, according to the ACM, most ethical) scenario, which matches the Baltimore attack, is one where the government does not pay the ransom and is forced to spend a great deal of time, money, and effort restoring the servers and getting the city working the way it should again. This is almost as bad as the worst-case scenario. It is about $80,000 cheaper, which is not much compared to the $18 million spent on repairs and revamps.

When thinking about how to handle similar situations in the future, the government should consider what can be done to reduce the chances of a worst-case or close-to-worst-case scenario occurring again. The easiest solution would be to upgrade the security of the systems to prevent future attacks altogether. This would prevent the loss of money, information, and documents, and would allow the whole city to feel safer. If the government has been hacked and must decide between paying or not paying the ransom, the ethically wise choice is not to pay, because the hackers may not restore the system even after receiving the money. The Baltimore government dealt with the situation as well as it could have by having its employees go through their computers and restore every file that could be found, while also hiring a team to upgrade the security infrastructure and make it harder to breach. There have been no successful attacks on the updated system. The city followed the ACM Code of Ethics by choosing not to deal with these rule breakers, but it paid the price for doing so. The RobbinHood attack may have been a necessary wake-up call, especially with technology developing as quickly as it is.

In the future, governments need to be more aware of a ransomware attack as a possibility. They must constantly check and update their IT infrastructure. In the case of the Atlanta attack, an outside firm had checked the city's infrastructure two months before the attack occurred and found nearly 2000 leaks in the system. The city did not properly understand the risks its systems presented (2.5 of the ACM Code of Ethics). Governments must constantly warn their employees to protect their passwords and not to click on strange links or give away their information. Employees must choose their passwords carefully. Duo authentication is not enough (as shown in the Nathan Fielder video). They need to be careful when using government services. These attacks can happen to any government, for any reason.

By Charlie Darby and Nick Hayden