Municipal workers in New Orleans discovered on Dec. 13 that their computer systems had been rendered inoperable by a virus demanding payment, making the city yet another victim of the global ransomware scourge that’s pestered state and local governments for the last several years. Recovery from the attack, which has since been attributed to the Ryuk strain of malware, has already cost New Orleans $7.2 million, and officials expect that figure to climb much higher by the time their devices and networks are fully restored.
The incident confirmed a warning Mayor LaToya Cantrell had given to the New Orleans City Council last June when she was arguing that cybersecurity funding deserved to be included in the city’s budget for critical infrastructure. Some members were hesitant and said that protecting IT assets was not an infrastructure component.
“I said, ‘like hell it isn’t’,” Cantrell recalled Thursday during a meeting of the U.S. Conference of Mayors in Washington.
Cantrell said she got the funding, but when ransomware locked up the city’s computers last month, knocking websites offline and preventing social-services agencies from accessing electronic records, she was vindicated: “I was like, now what?” she said.
Like many of her peers who’ve steered city governments through cyberattacks, Cantrell warned her fellow mayors that ransomware is “not a matter of if, but when.” And while New Orleans’ websites are running again and the city’s departments are functioning, she said it will take another six to eight months before the city returns to normalcy. Many digital services remain inaccessible, with operations like sanitation, building inspections and parking enforcement reverting to manual record-keeping.
“It has crippled our government,” she said.
Later, Cantrell told StateScoop that many departments will need large portions of their IT inventories replaced. The city kept offline backups of its files, but as it re-images more than 4,000 computers and servers, some will have to be swapped out with devices compatible with upgraded operating systems. About 40 percent of the New Orleans Police Department’s equipment, for instance, will be replaced in the coming months, she said. The city is also in the process of increasing the $3 million cyber insurance policy it took out in November 2018 to $10 million.
The mayor said New Orleans’ ransomware experience confirmed her admonishments to the city council that cybersecurity is part of the city’s infrastructure. Cantrell also said that during the recovery, the city government’s been tracking its activities and expenses using the same paperwork it uses following a hurricane.
“Cybersecurity has been pushed to the forefront,” she said. “Because we made cyber a priority, we immediately went into recovery mode. We’re not shutting government down.”