It’s been more than 18 months since Atlanta suffered a crippling ransomware attack that shut down dozens of municipal functions for weeks and forced an overdue and expensive overhaul of citywide IT infrastructure. But Atlanta Chief Information Officer Gary Brantley said Thursday that even though the city has improved its security footing, he’s wary of officials losing sight of the lessons learned from the cyberattack that cost taxpayers an estimated $17 million.
“People forget quickly,” Brantley said at CyberScoop’s CyberTalks event in Washington. “You would be surprised how quickly after this happens that people get complacent. We have to tell people this can happen again.”
Brantley, who joined the Atlanta city government in September 2018 after being hired away from a suburban school district, recounted walking into an organization still reeling from an IT crisis caused by what he called “probably the biggest cyberattack on a city ever.”
“When you get these calls and you’re called to help leads these kinds of disaster situations, you walk into complete chaos,” he said. “We had to get back to an operational basis. I didn’t need to see much.”
In Brantley’s telling, that course correction has not been as much about the actual technology as it has about upending the culture. He said he started by determining whether Atlanta Information Management, the IT bureau he now leads, was up to the challenge of fixing the ransomware damage and establishing stronger cybersecurity protocols. That prompted the hiring of a new chief technology officer, Tye Hayes, and new chief information security officer, William Wade III.
But bringing on Hayes and Wade, both of whom came out of the private sector, wasn’t a cinch, Brantley said.
“It’s going to force you to spend money,” he said. “I have to sell the idea of working for a city to some really talented individuals.”
Brantley also said he and his new leadership team are conducting an “app rationalization” process, reviewing the hundreds of applications — many of which were corrupted during the 2018 ransomware incident — to determine if they are truly necessary for the city’s business operations, and if they fit into the security strategy he’s trying to build in the ransomware attack’s aftermath.
“We’re talking about what we’re going to tolerate, mitigate, what we’re going to innovate on,” he said.
Still, Brantley said the worry that the memories of a chaotic ransomware attack will dissipate has required him to remind everyone in Atlanta’s 8,000-employee government that cybersecurity requires “muscle memory.”
“I started with people, because I didn’t have a lot of time for a culture change,” he said. “We had to go back through the entire city and explain to these things that are inevitable.”