Baltimore Chief Information Office Frank Johnson is out of a job, five months after the city’s municipal government was hit with an extensive ransomware attack, his response to which became the focus of much criticism from elected officials.
Johnson, who was hired to lead the Baltimore City Information Technology agency in September 2017, had been on unpaid leave since last month, fueling speculation that a permanent separation was brewing. His last official day with the city was Oct. 1. A spokesman for Mayor Bernard C. “Jack” Young said Johnson’s departure was a “personnel matter,” but would not cite a specific reason.
Johnson’s deputy, Todd Carter, has been serving as acting CIO since he was placed on leave.
Baltimore’s computer systems became the victim of a ransomware strain known as RobbinHood on May 7, which encrypted several critical functions affecting municipal business. The damage extended to city employees’ email and voice-message systems; online payment services for water bills, property taxes and traffic citations; and real-estate transactions, which briefly froze Baltimore’s housing market until a “manual workaround” using paper forms could be developed. The city’s leaders were presented with a demand for 13 bitcoins — about $76,000 at the time — in exchange for a decryption key, along with a threat that affected data would be destroyed in a matter of days if the ransom was not paid.
Though officials refused to pay and most the IT functions have since been restored, the recovery process has been expensive for the city, and embarrassing for Johnson and the agency he led. A few weeks after the attack, a risk assessment warning that the city’s out-of-date network infrastructure made it a “natural target” for cyberattacks surfaced. Johnson was also faulted for not being more communicative with agencies whose systems were impacted by the ransomware incident, and apologized to the Baltimore City Council in early June.
Later in June, Johnson conceded to the City Council that his agency did not have a formalized plan to deal with an incident like the ransomware attack, and that drawing one up could take at least nine months. An even uglier revelation came in late September, when Baltimore Auditor Josh Pasch disclosed that data that was to be used in a performance audit of BCIT was lost because some of its workers had saved the data on their local computers, which were corrupted by the ransomware, a practice that stunned Council members already frustrated with the IT agency. By then, Johnson had been placed on unpaid leave.
Johnson’s most vocal critic on the City Council, Eric Costello, told StateScoop that the CIO’s departure is a positive development for the city.
“Mr. Johnson spent his time focusing on the wrong priorities during his tenure as CIO, which included among other things, not completing a disaster recovery plan during his first 18 months,” Costello, a former federal IT auditor, wrote in an email Monday. “Now that Mr. Johnson is separated from the City, we are better positioned to continue our recovery efforts and proactively plan to reduce the likelihood of another breach of this magnitude.”
Baltimore’s budget office expects the full cost of the attack will eclipse $18 million between emergency IT costs and lost revenue from the payment and taxation systems that were knocked out. The city transferred $6 million out of a fund for parks and public services to help cover an estimated $10 million in sudden IT expenditures.
Johnson, a former Intel executive, had also been Baltimore’s highest-paid municipal employee, earning $250,000 annually. Carter, a former IT executive for the energy utility Exelon, will continue to serve as acting CIO, Young’s office said.