On March 22 Atlanta, Georgia was under siege. But as its citizens set about their morning, no fighter jets screamed overhead and no armoured vehicles poured through the streets. The only indication anything was amiss was a tweet from the city government, informing Atlanta’s 470,000 citizens of "outages on various customer facing applications". This seemingly innocuous statement did little to capture the severity of the city’s predicament.
As municipal employees logged into their computers, some noticed peculiarities on their desktops: icons replaced with black boxes, and file extensions reading ‘imsorry’ and ‘weapologize’. Utilising a form of ransomware known as ‘SamSam’, an unidentified group of hackers had gained access to the city network, encrypted various files and demanded around US$51,000 for the keys to lift the encryption.
These encryptions plunged swathes of the 8,000-employee municipal government into a technological dark age, leaving employees recording their hours on punch cards, police handwriting reports, and citizens unable to pay bills online. Almost two months on, the air of disruption lingers with municipal courts relying on entirely non-digital systems, the water department website indefinitely offline, countless files irrevocably lost and the city's 2019 budget process delayed.
Atlanta has spent at least US$2.7 million responding to what The New York Times labelled “one of the most sustained and consequential cyberattacks ever mounted against a major American city”. However, the United States is no stranger to ransomware attacks, in which hackers lock a system’s files and demand payment for their release. In 2018, hackers using ‘SamSam’ or similar software attacked an Indiana hospital, Baltimore’s 911-dispatch system, and the Colorado Department of Transport. In 2017, the ‘WannaCry’ and ‘Petya’ mass attacks earned ransomware global notoriety.
In Australia, only a handful of companies fell victim to WannaCry or Petya. However, Telstra’s 2018 Security Report found almost 20 per cent of surveyed Australian businesses – mostly organisations of 500+ employees – were subject to at least monthly ransomware attacks. The federal government estimates such attacks cost the national economy in excess of AU$1 billion annually.
While the private sector bears the brunt of these attacks, what is the risk of such profit-seeking targeted attacks on governments in Australia? Two factors can perhaps provide insight: vulnerabilities and hackers’ incentives.
Regarding incentives, the Atlanta city government did not pay a ransom. This means the hackers drew considerable law enforcement and media attention, but no financial reward. In Australia, the federal government recommends ransomware victims do not pay, although almost 50 per cent of private sector victims reportedly did so in 2017.
Regarding vulnerabilities, an audit at least six months before the Atlanta attack warned of preventable ‘critical vulnerabilities’ in government IT systems, which the city failed to expeditiously rectify.
In Australia, state governments seem to be more alert. Since the federal Cyber Security Strategy launched in 2016, five states have released complementary strategies, updated their IT policies, or appointed officers overseeing all-of-government digital security. In addition to the recently announced national Cyber Security Cooperative Research Centre (CRC), ‘Joint Cyber Security Centres’ have also opened (or imminently will) in Australia’s five largest capitals. However, critics have questioned the adequacy of investment in such initiatives, and a March audit found the NSW state government ill-prepared.
So, how likely is an Atlanta-style attack here? Ultimately, assuring immunity to cyber-attack is impossible. No matter how many disincentives are created or vulnerabilities patched, there’s only one way for the state governments to know whether they are truly ready for a ransomware attack – and that’s if they learn that they weren’t.