Officials in Cleveland said Monday that a cyberattack that disrupted a handful of systems at the city’s airport last week was the result of ransomware. But the city is still having difficulty explaining the nature of the attack to the public.
Authorities said Monday that the screens inside the Hopkins International Airport showing flight and baggage-claim information, as well as the airport’s email server, were running again for the first time in eight days. The systems went down April 21 in an incident that was quickly attributed to a malware infection. Yet city officials declined to say over the next week whether the hack included a ransom demand, as many other local governments — including major travel facilities, like the Port of San Diego — have received over the past few years.
The affected systems have been restored, and the Cleveland City Council approved two emergency ordinances Monday night allowing the city government and airport authority to buy new cyberthreat protection tools and hire new IT personnel. But despite the ransomware incident’s relatively small impact, Cleveland officials are now facing scrutiny that they did not share enough information with the public.
Robert Kennedy, Cleveland’s director of port control, said at a press conference Monday that the FBI confirmed to the city just that morning that the malware responsible for the airport cyberattack was, indeed, a form of ransomware. When local reporters accused Kennedy and other city officials of dodging questions about a ransom, Kennedy insisted he and his colleagues had not seen a demand for payment to recover their affected files, but that if they had, they would not have paid.
“Our files were encrypted. If there was a ransom at that point, we did not know nor would we investigate or explore the possibility of paying a ransom,” Kennedy said. “We’ve come to learn part of the malware would’ve been a request for ransom, however it’s not something we’re going to pursue.”
Cleveland Chief Information Officer Donald Phillips reiterated Kennedy’s claim that the cyberattack was not recognized as ransomware. Instead, he said, that determination was made by federal agents, whom Phillips said the city contacted soon after the airport malfunctions were detected.
“We initially found it was malware, turned over preliminary forensic evidence to the FBI,” Phillips said. “This morning they confirmed it was ransomware. We never got a demand for money from any entity.”
Bryan Smith, an assistant special agent in charge of the FBI’s Cleveland field office, confirmed at the press conference that the bureau detected the Cleveland airport was struck by a form of ransomware it has dealt with before.
“We are very familiar with this type of malware that affected the systems,” Smith said, though he declined to identify the type of ransomware or amount demanded.
While the Cleveland cyberattack knocked out the airport’s flight-information displays and internal email system, both Smith and city officials said it did not affect flight operations or passenger and cargo security screening. And as part of the early response, Kennedy said Phillips’ IT team issued temporary email accounts to the airport’s leadership through the city government’s server.
But the Monday press conference turned testy at moments as reporters continued to pepper Kennedy and Phillips about why the airport hack was not identified as ransomware sooner.
“We stated from the beginning it was malware” — a generic term for any software designed to damage a computer system — “and let the FBI take the lead from a scientific battle,” Phillips said. “We were fighting the battle trying to get systems up and running.”
Valerie McCall, Cleveland’s communications director, said the city had been transparent in its response to the cyberattack, saying it had issued near-daily updates about the situation at the airport.
“There was never an intention to mislead the media,” she said. “I don’t know about you, but we’re not experts in this and that’s why we engaged the FBI.”
McCall also said there was a delay in getting the airport’s informational screens up and running again because they are run by a New Zealand-based vendor that was closed one day last week for a national holiday commemorating the Gallipoli Campaign of World War I.
“We lost a lot of the turnaround time,” she said.
Still, Cleveland is not the first city where officials have been chided for not being more public about the response to a cyberattack. The administration of Atlanta Mayor Keisha Lance Bottoms said little in the first few weeks following the crippling ransomware attack there last year. And in Albany, New York, last month, the city government limited its official statements for several days following a ransomware attack to a single tweet from Mayor Kathy Sheehan.