Baltimore not alone in vulnerability to ransomware

The ongoing ransomware attack that has left Baltimore unable to use much of its computer network underscores the risks municipalities face if they don’t build up their online security infrastructure.

Baltimore’s computer servers were hit with the ransomware attack on May 7, forcing Maryland’s largest city to shut down most of its servers and create workarounds as online computer systems remain locked down. This disruption affected a wide range of services and halted applications such as email, voicemail and utility billing.

Cryptocurrency mining rigs operate in a cargo container at the Golden Fleece cryptocurrency mining company in Kutaisi, Georgia, on Monday, Jan. 22, 2018. Golden Fleece uses a cargo container with Chinese-built computers inside a dilapidated Soviet-era tractor factory to extract cryptocurrencies using low-cost electricity generated by water flowing from the nearby Caucasus Mountains. Photographer: Daro Sulakauri/Bloomberg

The ransomware attack remotely encrypts the city's servers and computers. The attackers reportedly want Baltimore to pay 13 bitcoins — an amount of the cryptocurrency valued at more than $112,000 Thursday, according to Coinbase, though it was about $75,000 at the time of the attack.

“There must be more education with regard to cybersecurity issues and consequential negative impact of poor cybersecurity infrastructure — not just for the municipality, but also the taxpaying constituents and/or the public utility rate payers,” said Jonathan Savage, president of The Cybersecurity Company LLC. “The issue of quality and effective municipal cybersecurity measures can no longer be ignored.”

Savage, who formerly worked at A.G. Edwards & Sons as senior managing director and head of public finance investment banking, said localities will need to focus more on cybersecurity threats as the public becomes more aware of potential risks posed to them from their personal information being on file. He said that while cybersecurity measures don’t currently appear to have an immediate negative impact on municipal bond pricing, this will likely change as the issue gets more into the forefront with credit rating agencies also taking on more of a role.

“I believe the day will be soon when the impact will be significant, especially for municipal utilities that do not have updated authority to deal with cybersecurity issues,” Savage said. “I am certain that a municipality’s credit rating will soon be impacted by the municipality’s efforts to improve, and eventually stay up-to-date with, cybersecurity issues.”

Baltimore’s latest ransomware attack is more severe than a brief March 2018 cyber disruption that resulted in a shutdown of 911 computer-aided dispatch services that were operated manually for 17 hours, Moody's Investors Service analyst Nisa Rajan said in a report last week. The city has managed to still stay current with its outstanding bills and debt service payments, according to Rajan.

The city set up a manual workaround to process property transactions blocked by the ransomware attack, and said it handled 462 applications for property deeds during the first week. The city was unable to issue accurate lien certificates or collect on bills for municipal charges before a transaction closed.

“While the cyberattack and cost of repairing the city’s electronic infrastructure are unlikely to have a material effect on Baltimore’s healthy financial position, given its solid reserves and liquidity, the event is credit negative because Baltimore’s lack of investment in cybersecurity — when it had already fallen victim to a similar attack — will likely result in significant out-of-pocket expenses, especially as management looks to purchase cybersecurity insurance,” Rajan wrote.

Baltimore’s general obligation bonds are rated Aa2 by Moody’s and AA by S&P Global Ratings with stable outlooks. A report Tuesday from Breckinridge Capital Advisors said Baltimore’s inability to process property sales as a result of the cyberattack impacts the city’s credit since its GO bonds are backed by the value of local real estate, with property taxes comprising just under half of its general fund revenues.

“Baltimore’s experience underscores the fact that cyberattacks are a growing municipal credit risk,” Breckinridge vice president Alriona Costigan and Chief Technology Officer Jesse Starks wrote. “Even the most ironclad technological and physical defenses can be breached, so preparedness for cyberattacks is important to assess as a credit issue.”

The press office for Baltimore Mayor James E. Bentley III did not immediately respond to a request for comment on where the city stands with combating the ransomware. Baltimore remains unable to send or receive email, according to a banner notice on its website Thursday.

At least 24 ransomware attacks on municipalities have been reported so far in 2019, according to Moody’s. A high-profile cyberattack that struck Atlanta in March 2018 cost the city an estimated $17 million, or about 2.6% of its budget, Breckinridge said in its report. A recent study by the Massachusetts legislature also revealed 26 million attempts to gain access to state systems in a one-hour period between 1 a.m. and 2 a.m. on Sept. 13, 2018.

Baltimore disclosed the ransomware attack in the offering document for its May 7 general obligation bond pricing.

Joseph Krist, a partner with Court Street Group, said not enough municipalities are as concerned with cybersecurity threats as they should be since many of them can be susceptible to random attacks that aren’t targeted. Krist said that while cyberattacks can be just as financially damaging to local governments as flooding, the issue likely won’t be prioritized by municipal issuers or rating agencies until the investment community demands more disclosure.

“It’s on the investors to push, push, push and push,” said Krist of what it will take for more cybersecurity disclosure in bond sales. “If there is going to be change it will come from the investors.”
