Holding Cities Ransom
Sporadic we'd take just ten minutes to get you smarter conclusion of Tech Business Politics under this show the FCC is message for facebook and possible space crash in Silicon Valley but first holding Holding cities ransom so last Friday the city government of New Orleans shutdown not at five. PM would normal Friday but hours earlier after the detection of a cyber attack in its municipal computer network but the city referred to as an abundance of caution resulted in all of its computer. Networks Internal and External Journal being taken off line city offices the physical ones were closed. And even the official New Orleans homepage unavailable now New Orleans officials say there is no evidence evidence that actual information was compromised but not all of it. Systems are back online. Yet and the overall episode reflects the vulnerabilities of city governments to cyber intrusions at a time time when more and more of their services including vital sometimes life saving information are being provided. Virtually one thing missing here from the New Orleans attack was a so called request for ransom. which is when a hacker demands money to put everything back to normal but ransomware attacks against US cities and towns are more common than you might think and often very difficult to navigate by the numbers here Barracuda Networks reported in September that fifty? US cities and towns had seen ransomware attack so far in two thousand nineteen and a more recent report from a company called MC soft puts the number north of one hundred and that latter report expands the figure to nine hundred fifty if you also include educational healthcare CARE systems now when it comes with how to deal with these attacks. There are no easy answers on the one hand. You don't want to encourage future intrusions by paying off the hackers but on the other hand the ransoms are often cheaper than not paying them and then having to fix the damage a lesson that many corporations have learned and begun to heed. The bottom line here is that what happened in New Orleans. Could well be coming to a city or town near you and it seems that the best possible solution in these cases at least for now is to pull the plug if fifteen seconds will go deeper with axios cities editor Kim heart but first this axios gives you the news and analysis. You need to get smarter faster. On the most important topics in our unique smart brevity grabbed format we cover topics from politics to science in media to tech subscribed to get smarter faster at sign-up Dot axios Dot Com and now back to the program podcast. We're joined now by axios. Cities Editor Kim heart do cities and other local government entities usually actually know when their systems systems are being attacked Not really in fact. The International City and County Management Association found that about thirty percent of local governments. Don't know how often their systems are attacked act and the ones that do know say that sixty percent or being attacked on a daily if not an hourly basis so they know they're being attacked they may not even know how often often though you look at the situation New Orleans and obviously we don't still know huge amount about the actual intrusion except say must have been more significant than probably you know some kid you know getting into the system because they decide to basically take everything off line from your perspective. was that prudent. In other words the New Orleans do the right thing kind of this abundance of caution strategy. Yeah I think probably so I mean I think the guidance coming out of federal and state governments is to if you see any sort of suspicious activity take everything down disconnect from the network and try to troubleshoot. It sounds like this. Troubleshooting is taking longer than they expected even as of an update on Nola dot com late last night. I'm an early this morning. A lot of systems are still down. Police are recording incidents manually. They had to put up a temporary website so that people could still do other city business and most of it is coming down to pen Henin paper and the city council meeting on Thursday is likely to be impacted as well so that suggests that they are expecting it to take upwards of a week to figure out what actually went down and how to fix it but I think in a city like New Orleans that's used to have had their fair share of disasters and emergencies to deal with. I think they are use. Used to going with the abundance of caution route in trying to be as careful as possible until a sniff out every corner is principally that these attacks both serious and not as serious areas are on the rise. Yes absolutely I think that cities and local and county governments are increasingly targets. I think hackers assume rightly or not that these city governments are lower staffed than corporations probably don't have as much. It and technically skilled workers who have a lot of cybersecurity training and knowledge on her up on all the latest trends and technological patches to help protect cities and systems from this kind of intrusion and so they're becoming easy targets corporations operations are definitely the top target because they have money and are often more willing to pay the ransomware attacks but they also have more talent and more skilled skilled workers to draw on to help guard their systems from these kinds of intrusions. So I think that one of the biggest problems that sitting in local governments are facing right now is that they just have a harder time recruiting recruiting and retaining the talent that they really need to help keep their systems secure in the most robust way you mentioned ransomware and let me ask about that. There's no indication there was a ransom request in this particular case in New Orleans Orleans but they often are an attack municipal systems and there seems to be a split philosophy. Here part of it is the whole. We don't negotiate with terrorists philosophy right. We can't pay ransom because if it gets out and becomes made public which it probably will because the payment from a public entity that's just going to encourage others to attack our system. The other argument is it often. It's cheaper to pay off the ransom. Rather than having to rebuild your entire system are either one of those philosophies seeming to win out right. Now you know it's really hard to say which one is winning out. I do think that there is evidence to show that the argument that if you pay a ransomware attacker than that just encourages that AH actively to continue experts out there have said well it's not really encouraging a market because the market's already there it's clear that the market is there in the increasing number of ransomware attacks however however for some cities the best response might be to pay the ransom than us the millions of dollars that would have been spent on recovering the systems after that to strengthen the cyber defenses before the the next attack so that they're more prepared going forward but a lot of cities Atlanta and Baltimore have been hit Baltimore chose not to pay the ransom and it might cost twenty million dollars to restore systems which is significantly more than what the ransom was in the first place I was like seventy five thousand dollars. Someone's really I think that there but but it really just depends on. I think what the city council decided to do. And what their particular resident base you know really feel strongly about since they you know their elected officials and they're trying to the citizens like what the federal role if any obviously we're talking here about local governments municipal government so we're talking about a lack of money and lack of technological resource is there federal role here and if so what is it i. I know there's apparently this call zero trust pilot program what can and should the federal government be doing. I think what the federal government is doing more of is trying to be be more of a resource for these governments. That just don't have the same amount of resources that the federal government does that mean for. The federal government also has a hard time compared to corporations of attracting the same amount of technical talent. But when you're talking about the intelligence community and essay and whatnot. They do have a huge amount of expertise to draw from and so the federal government is moving into the direction of zero. Trust as you mentioned and what that is it operates on the assumption that anything outside corporate network is a security risk a so anything anything that comes outside or even inside. That might be a little bit. Amiss is considered suspicious and at risk so administrators are using new precautions like end to end encryption multifactoral authentication identity access management and analytics to control access. No none of that probably sounds new to anyone who works in a corporation but it is still fairly new at the city level. And so but I think we're going to see more of is the federal government trying to not necessarily mandate specific activities like this but strongly encouraging it and providing more more and more training and resources so it sounds cities need to beef up but also keep a bunch of pen and paper handy if that doesn't Work Kim heart editor of cities. Thank you so much for joining us. Thank my final two right after this there is more news than ever before but these days it's harder than ever find it and to know what to trust axios. AM takes effort out of getting smart by synthesizing thing the ten stories. That will drive the day and telling you I. They matter subscribe at sign up dot axios DOT COM and now back to the podcast the final two and first of his facebook which may not have to wait long for new and very significant government regulation as first reported by The Wall Street Journal. The Federal Federal Trade Commission is considering immediate. Move to block the company from integrating the back end infrastructure of its three messaging platforms. which are facebook messenger her? What's APP and Instagram? Why this matters is that facebook's original decision to merge the three was viewed by some as a preemptive move against D C under the old mantra that it's harder to unwind merger once gets completed and facebook is desperately afraid of being forced to divorce? It's big blue APP from either of its sister. APPS so is racing facing to make them technologically inseparable now the FCC isn't yet commenting publicly but we're to move forward. It would have to do it this way. I ask for an injunction against against facebook in federal court and in court demonstrate to the judge that harm to consumers is likely if facebook proceeds with integration plans. The tricky part here will be improving harmed consumers given the facebooks products are free plan. Finally a company called Vector launch on Friday filed for chapter eleven bankruptcy protection which some view as the I possible crack in a recent boom small satellite launch companies vectored raised over ninety million dollars in venture capital funding since being formed in two thousand sixteen including leading by arguably the most venerated venture. Firm of all time sequoia capital but this past summer sequoia quietly decided to stop investing for the source saying that it felt vector was spending too much money and not meeting enough of its own projections. That decision may have led to two vectors lenders opting against providing new lines of credit thus leading to around around one hundred and fifty layoffs and the bankruptcy filing in short make your numbers for Lsu risk crashing. And we're done. Thanks for listening to my producers. Tim Show is Naomi Shaven. Have a great Barbie and Barney Backlash Day. And we'll be back tomorrow with another pro rata podcast.