One year after Atlanta's ransomware attack, the city says it's transforming its technology


When Gary Brantley walked into his job as Atlanta’s new chief information officer last October, he took the helm of an IT agency still digging out from one of the highest-profile cyberattacks against a U.S. target.

It had been about six months since the ransomware virus SamSam unleashed itself on Atlanta’s municipal computer systems and networks, wreaking havoc on nearly every part of the city’s government. Brantley left behind a CIO position at the DeKalb County Public Schools to take over the city’s IT at the request of Mayor Keisha Lance Bottoms. The mayor, then eight months into her term, said at the time she hired Brantley not just to supervise municipal IT, but also to prove her administration’s “ability to run an efficient government.”

Brantley was handed a crisis. The SamSam virus infested nearly all of Atlanta’s city agencies when it was detected last March, knocking out court scheduling, online-bill payments and airport Wi-Fi, but it also exposed deeper problems inside AIM, including a disorderly approach toward security and a lack of collaboration with outside organizations that might have helped stanch the bleeding. While many of the public-facing systems were restored within a few weeks or months, Brantley arrived tasked with the burden of not just finishing the mop-up job, but overhauling the organization that allowed the ransomware attack to happen in the first place.

“These were some major critical applications that had a lot of sensitive data,” Brantley says. “You had financial systems, court systems. You had [customer-relationship management] systems, the service-desk systems that needed to be brought back up. Most importantly, you had the data tied to those systems that needed to be brought back, in some cases repopulated.”

To continue the recovery process — and to make his agency stronger — Brantley says he’s instructed staff to focus on fundamental practices like better password management and greater restrictions on access to sensitive systems.

“The message was that we were going to get back to operational basics,” he says. “We’re going to focus on doing the little things well.”

The biggest target

Atlanta’s guard was down on March 22, 2018, when the SamSam virus infected the city’s networks and encrypted at least one-third of its applications. Municipal employees who attempted to log on to affected systems were greeted with an anonymous demand for a six-bitcoin payment — equal to about $51,000 at the time — in exchange for a key that would remove the virus and allow city workers back into their files.

The infection spread far beyond court schedules and public Wi-Fi. Elected officials and city employees reported losing years’ worth of correspondence. Footage from dashboard-mounted cameras in police cars was destroyed. Many legal files were similarly lost for several months, but were eventually recovered.

Bottoms, who had just been inaugurated two months before the incident, admitted in the ensuing weeks that she had not given much thought to cybersecurity. But it quickly became her young administration’s top priority, as the city started shelling out emergency contracts to IT vendors and crisis communications specialists. By last August, the city was prepared to spend up to $17 million to remedy the attack’s effects.

Atlanta was one of more than 200 victims of the SamSam virus — it just happened to be the biggest. First unleashed in January 2016 on a small business in Mercer County, New Jersey, it was later used to attack other companies, hospitals and eventually governments.

Federal prosecutors indicted two Iranian citizens Nov. 28, accusing them of developing SamSam and using it to ransack vulnerable computer networks and collect more than $6 million in ransom payments. Many victims paid, including the city of Newark, New Jersey, which forked over $30,000.

But the charges offer little resolution alongside the unlikelihood of the United States retrieving two suspects from a country with which it has no formal diplomatic relations. Instead, SamSam victims are left to reflect on where they erred and how they can improve.

Migration and collaboration

A city auditor’s report published in January 2018, two months before the ransomware attack, makes Atlanta look like a natural target. The report excoriated the city’s cybersecurity practices and faulted AIM for a relaxed approach that was driven by “ad hoc or undocumented” processes. Inspectors found nearly 100 government servers running a version of Windows that Microsoft stopped supporting in 2015 and as many as 2,000 other “severe vulnerabilities” that turned up in monthly scans.

Atlanta CIO Gary Brantley (City of Atlanta / Vimeo)

Those shortcomings might’ve eased the SamSam virus’ way onto the city’s network. Unlike other ransomware strains, which are typically activated by links clicked on by unsuspecting recipients of phishing emails, SamSam relies on brute-force attacks looking for weak or default passwords.
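The brute-force pattern described above leaves a visible trail in authentication logs: many failed logons from one source in a short window, often cycling through common account names, and sometimes followed by a success. The following detector is an added example for this article and is not code from the City of Atlanta or any vendor named here. It assumes a simplified, constructed log format (`<ISO timestamp> FAIL|SUCCESS user=<name> src=<ip>`); real sources such as Windows Security events 4625/4624 or sshd logs would need their own parser in place of `parse_line`. The threshold and window are arbitrary illustrative values.

```python
"""Sliding-window failed-logon burst detector (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample log: one host hammers common account names, another
# user simply mistypes a password twice. Timestamps and addresses are made up.
SAMPLE_LOG = """\
2018-03-20T02:00:01 FAIL user=administrator src=203.0.113.7
2018-03-20T02:00:02 FAIL user=admin src=203.0.113.7
2018-03-20T02:00:05 FAIL user=bob src=198.51.100.4
2018-03-20T02:00:06 FAIL user=guest src=203.0.113.7
2018-03-20T02:00:07 FAIL user=administrator src=203.0.113.7
2018-03-20T02:00:09 FAIL user=bob src=198.51.100.4
2018-03-20T02:00:11 FAIL user=admin src=203.0.113.7
2018-03-20T02:00:12 FAIL user=svc_backup src=203.0.113.7
2018-03-20T02:00:15 SUCCESS user=bob src=198.51.100.4
2018-03-20T02:00:20 SUCCESS user=admin src=203.0.113.7
2018-03-20T03:30:00 FAIL user=admin src=203.0.113.7
"""

THRESHOLD = 5                  # failures from one source within WINDOW -> alert
WINDOW = timedelta(minutes=5)  # sliding window length (illustrative value)


def parse_line(line):
    """Parse one line of the simplified constructed format into a dict."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "SUCCESS",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (src, kind, detail) alerts in the order they fire.

    kind is "bruteforce" when a source accumulates `threshold` failures inside
    the window (raised once per source), or "success-after-burst" when a
    successful logon follows such a burst, which is the signal to treat the
    account as compromised rather than merely attacked.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent[ev["src"]]
        # Expire failures that have slid out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append((ev["src"], "success-after-burst", ev["user"]))
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            users = sorted({u for _, u in q})
            alerts.append((ev["src"], "bruteforce", ",".join(users)))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:22s} src={src} detail={detail}")
```

On the constructed sample the host at 203.0.113.7 trips the burst alert on its fifth failure (listing the account names it tried) and then a second, higher-priority alert when its later logon as `admin` succeeds, while the two failures from 198.51.100.4 followed by a success stay silent. Sweeping the same source list for accounts that were never meant to log on remotely (service and default accounts) is the natural next check to add.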

Brantley says the attack has placed security at the front of every decision AIM makes and also accelerated the replacement of many legacy systems.

“The first order of business was to get the environment back up to where it needed to be,” he says. “But the next phase has been to establish a cybersecurity framework and put a renewed focus on awareness, not only for [city] employees but for the people who are doing the [IT] work on a day-to-day basis.”

Brantley credits the ransomware attack with accelerating the city’s migration of many of its critical applications to a hybrid cloud service, which he says has improved the city’s security. He also says the incident has encouraged him to develop the city’s relationships with the state and federal governments.

Though the FBI and Department of Homeland Security both assisted Atlanta’s response to the ransomware attack, Brantley says those partnerships had not been nurtured enough.

“I don’t think there was a true focus on it,” he says. “We really took the time to focus on re-establishing those relationships. That’s actually a goldmine. But also what’s really important is that our relationships locally with the state, cross-collaboration with bordering counties and local business has increased dramatically.”

Brantley says that web of collaboration carried the city through Super Bowl LIII last month, when city, state and federal cybersecurity officials staffed a network of at least nine operations centers during the run-up to the big game.

While the Super Bowl went smoothly, Brantley admits the ransomware attack’s impact looms over the city’s ongoing IT decisions.

“I think at the front of things, security — which it should’ve in the past — has now become a focal point,” he says. “Going forward, we have a security strategy at the front of everything we do, even if it’s just conceptually. We’re still going to innovate, but we’ve started to focus on having a secure operational environment and having that be the foundation before we get into disruptive types of technology.”

Catering an emergency

If there is a playbook for bouncing back from a ransomware incident, it might resemble the one the Colorado Office of Information Technology developed last year when that state’s transportation agency had its own run-in with the SamSam virus.

The Colorado Department of Transportation reported Feb. 21, 2018 that about 2,000 of its computers had been encrypted by SamSam. Dozens of IT workers spent long hours trying to contain the infection, but a week in, the virus was still spreading and human logistics were breaking down.

“We had 60 people on-site,” says Colorado CISO Deborah Blyth. “It was up to me or the CTO or director of infrastructure to figure out how to feed these people, and they were sick of pizza. And it was pulling me away from activities I needed to be engaged in.”

So Blyth did something novel: She asked the Colorado Office of Emergency Management to issue a disaster declaration treating the ransomware attack like a wildfire or flood, opening up a host of additional resources such as the Colorado National Guard’s cybersecurity unit, and freeing her from pizza-delivery duties.

“When we engaged Office of Emergency Management, they have a logistics team and they were coordinating catering,” she says.

The emergency declaration also created a more orderly process for containing and eradicating the malware, which allowed CDOT to be back at 80-percent functionality a month after the attack.

Colorado was the first state to issue a statewide emergency because of a cyberattack, but Blyth expects it won’t be the last.

“I think it will become more normal,” she says. “It’s so important to make the information security community aware that in times of cyber-crisis that there’s a whole crisis team that exists, and comforting to emergency management that they don’t have to be cyber experts, but their methodology still applies.”

State and local governments need to develop collaborative plans for responding to ransomware and other cyberattacks, says Bradford Willke, a DHS cybersecurity official. 

“One of the measures of success is that it comes down to having an action plan ahead of time,” says Willke, whose division assists state and local governments with cybersecurity needs. “Atlanta’s one episode. The planning side is not just the IT side of the shop. It is working with the enterprise side, the business side of local governments to determine how you want to coordinate on issues like ransomware, to evaluate high-value assets, priority restoration and even if they’re going to accept coordination with external partners.”

Willke’s agency, the Cybersecurity and Infrastructure Security Agency, offers local governments assistance through the Multi-State Information Sharing and Analysis Center, run by the nonprofit Center for Internet Security, as well as its own Computer Emergency Readiness Team, or US-CERT. But Willke says that many local governments hit by ransomware are reluctant to call in federal assistance because of bureaucratic and legal hurdles, which means those attacks are underreported.

“It’s still happening,” he says. “I think maybe the difference in year over year is just the presence of resources we have.”

A new cast

Back in Atlanta, Brantley says he’s focused on building a governance structure that embraces more collaboration like the kind that was on display for the Super Bowl.

“From a culture perspective, we’re looking at breaking down a lot of silos,” he says.

Atlanta Information Management’s leadership has also been entirely recast. In his first few months, Brantley hired Tye Hayes, a former deputy CIO for the city’s education department, as his chief technology officer, and William Wade III, a longtime private-sector information security executive, as Atlanta’s new CISO. A new citywide IT management plan is expected next month.

While expensive to fix, the 2018 ransomware attack may also be the start of a long-term overhaul for Atlanta’s information security policies, Brantley says.

“I’m not new to transformation,” he says. “I lived here and I didn’t like it. [The mayor] wants us to emerge at the end of the front of the cybersecurity world as it relates to government. We’ll always continue to fight and push forward.”
