Baltimore CIO, criticized for ransomware response, on leave
Baltimore Chief Information Officer Frank Johnson, who has faced scrutiny from the city’s elected officials over a ransomware attack earlier this year that crippled municipal IT systems and his department’s response to it, is on leave from his duties. Johnson’s deputy, Todd Carter, has been named acting CIO, according to the office of Mayor Bernard C. “Jack” Young.
Johnson’s leave was first reported by the Baltimore Brew.
Johnson, a longtime Intel executive, was hired to lead Baltimore’s IT efforts in September 2017 by Young’s predecessor, Catherine Pugh. But his time with the city has been marked by multiple high-profile ransomware events. A March 2018 incident briefly disrupted Baltimore’s 911 dispatchers, and a bigger attack on May 7 of this year knocked out many of the city’s digital services and is expected to eventually cost $18 million in recovery spending and lost revenue.
While the public-facing systems impacted by the May attack have been restored, Johnson has come under withering criticism from members of the Baltimore City Council, particularly after the discovery of a 2017 internal risk assessment that called Baltimore’s municipal IT a “natural target” for a cyberattack. Among the faults were two servers, responsible for running more than 100 applications, that were still operating on versions of Microsoft Windows long past the end of their support life cycles.
In the May attack, a virus called RobbinHood encrypted city employees’ emails and disabled digital phone systems, online bill payments and real-estate transactions, which required officials to develop an analog workaround to keep the local housing market operational. A few weeks later, Johnson admitted to the council that his department lacked a formalized disaster response plan to deal with threats like ransomware, and that drawing up one would take at least nine months.
In an email to StateScoop, Councilmember Eric Costello, who was recently named the chairman of a new cybersecurity committee, called Johnson’s failure to create a disaster response plan before the attack “completely unacceptable.”
“The City of Baltimore’s continued IT recovery efforts and future planning requires real leadership, which in my estimation, Mr. Johnson didn’t exhibit,” Costello, a former IT auditor for the U.S. Government Accountability Office, said. “His complete lack of communication and responsiveness in the days and weeks after the incident was equally as frustrating.”
Johnson did not respond to StateScoop’s calls Wednesday morning.
Carter, a former energy-sector IT executive, started as Johnson’s deputy on May 6, one day before the attack. In his most recent job, as a vice president at the electric utility Exelon, he was responsible for re-engineering the company’s IT architecture and managing its application portfolio, according to his LinkedIn page.
A spokesman for Young did not say how long Johnson’s leave will last, but added that mayor does not have any announcements planned about the future of Baltimore’s technology leadership.