Suspected Iranian hackers struck Atlanta last March with SamSam malware, locking up critical city services and demanding a $51,000 ransom for the key.
The cyberattack had weekslong impacts and has cost the city at least $7.2 million to date, Atlanta Mayor Keisha Lance Bottoms told a House subcommittee yesterday at a hearing on state and local cybersecurity challenges.
"We were incapacitated," she said, adding the city was fortunate that critical services like water supply and 911 emergency calls weren’t interrupted. "Many cities, especially small cities, simply lack the resources to develop the safety net that’s needed to protect against these attacks."
Last November, the Department of Justice indicted two Iranian citizens accused of orchestrating the Atlanta ransomware attack and others like it across various U.S. hospital and school networks. Taken together, officials said the damage from the malicious campaign amounted to more than $30 million (Energywire, Nov. 29, 2018).
As tensions rise between the United States and Iran, House lawmakers yesterday questioned how state and local governments can equip themselves to square off against highly sophisticated hacking threats.
"This is a topic that I believe deserves far more attention than it gets," said Rep. Cedric Richmond (D-La.), chairman of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation. "These attacks are becoming more frequent and more advanced. … This is not a state or local problem, but a national one."
The issue is acute for municipal governments, which typically spend far less of their budgets on cyberdefenses than private companies.
Witnesses at the hearing pointed out that rural towns struggle to attract cybersecurity talent to defend their systems against a rising tide of online adversaries, from China to Iran.
"How many cities, and how many companies went into business thinking they had to defend against foreign intelligence services?" asked Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. "It’s not a level playing field."
Earlier this month, Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.) introduced legislation aimed at boosting Department of Homeland Security coordination with state and local governments by authorizing federal officials to provide cybersecurity tools and conduct joint exercises with their local counterparts.
S. 1846 passed out of the Homeland Security and Governmental Affairs Committee last week and awaits a floor vote.
"Hackers with malicious intent can and do attack state and local cyber infrastructure consistently," Portman said in a statement. "Sometimes, state and local governments need some additional help or access to expertise to mitigate these threats."
House lawmakers yesterday puzzled over how to deliver that extra help and how to measure whether additional cybersecurity spending was really delivering results.
Rep. John Katko (R-N.Y.), ranking member of the subcommittee, said he plans to introduce legislation directing DHS’s Cybersecurity and Infrastructure Security Agency to develop new cybersecurity resources for state and local governments, as well as offering grants for identifying municipalities’ most vital computer systems to protect.
"Our state and local governments are prime targets for cyberattacks," Katko said, citing research from Recorded Future that showed nearly two dozen major cyberattacks on U.S. cities so far this year. "It’s clear that action is needed, and needed now."
Atlanta Mayor Bottoms said additional cybersecurity funding would be "extremely helpful" but warned local governments don’t always plan and prioritize for crippling cyber events.
"When we experienced our cyberattack, it was very clear to us that we simply were not prepared," she said. "It was not where we had made the necessary investments.
"People don’t see cybersecurity, they see sidewalks, they see potholes," Bottoms said, "and we were allocating our resources accordingly."