US Mayors Group Adopts Resolution Not To Pay Any More Ransoms To Hackers (zdnet.com) 72
The US Conference of Mayors unanimously adopted a resolution this week to not pay any more ransom demands to hackers following ransomware infections. From a report: "Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads. "The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said. "NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach." The resolution adopted this week at the 87th annual meeting of the US Conference of Mayors doesn't have any legal binding, but can be used as an official position to justify administrative actions, for both federal authorities and taxpayers alike. The Conference of Mayors includes over 1,400 mayors from across the US, representing cities with a population of over 30,000. The organization said that "at least 170 county, city, or state government systems have experienced a ransomware attack since 2013," and "22 of those attacks have occurred in 2019 alone."
And the backups? (Score:5, Insightful)
Have they also resolved to pay for a backup system?
Re: (Score:3)
lol.
Anyway, it's not that they need to pay for a backup system, it's that they need to pay for decent staff to identify what they need and maintain it.
Re:And the backups? (Score:5, Insightful)
Its one thing to have a backup system... you need a RESTORE system as well.
And at that, a restore system provides not just the basic capability to restore and avoid losing data, but also the capability to do a "mass restore and immunize" within a short enough timeframe to prevent justifying paying a ransom.
If the restore process requires a certain amount of downtime, then the losses due to downtime may make it more effective to actually pay the ransom rather than to even utilize that restore process.
So, uhm, this is not all just about backups but also about IT security and system management practices (besides the restore plan)
Re: (Score:2)
A pedantic read of the comment, but I'll allow it.
My intent with "backup system" was the whole shebang; backup, restoration and all the various functionalities therein, but I appreciate how few folks seem to look beyond throwing the data on to some medium and calling it "done" with no regards to the follow through.
Backup systems are a waste of money (Score:2)
There are apparently 1,400 mayors there. And 22 paid randsom of say $100K. Now 22 / 1400*$100K = $1500 per city. A back up system is far more more expensive than that.
Any MBA with a calculator can figure that out.
You do not buy a $10,000 security system in order to prevent a 1:1000 risk of a $100,000 loss.
Now, if the mayors actually refuse to pay ransoms, the damage will be much worse. For a while. Until it eventually stops.
This is why MBAs need to run companies and not engineers.
Re: (Score:3)
You do not buy a $10,000 security system in order to prevent a 1:1000 risk of a $100,000 loss.
[snip]
This is why MBAs need to run companies and not engineers.
Found the MBA...primarily based on an answer who's definitive answer does not reflect the lack of perspective it betrays.
A good backup system is not purchased for the express purpose of mitigating the losses from a ransomware attack. That's what Cryptoprevent, MBAM AntiRansom, and a few other products are for.
A good backup system mitigates the fallout from one too many hard disk failures.
A good backup system mitigates the fallout from a RAID controller gone awry.
A good backup system mitigates the fallout fr
Re: (Score:2)
Agree. What is needed is a well planned and tested disaster recovery plan. Backup are just part of it. And it should be the responsibility of the CIO to have all this in place. If the entity (agency, city, state) gets hacked the CIO gets fired.
Re: (Score:3)
What is also need is a change in thinking about security with the people running IT for cities. They are under the impression that security means buying the right product. Sorry guys, there is no silver bullet. Security is an arms race that never ends.
Re: (Score:2)
What's the point in firing the CIO? Everyone gets hacked eventually. Anyone can fall for a con if they get to you on the wrong day. Firing the CIO is just scapegoating for the higher-ups failing to care about backup and disaster recovery.
At work, we were hit twice by Cryptowall variants. Both times the scope of damage was minor, due partly to luck and partly to preparation and quick thinking. We were able to restore from backups and nobody had to get fired. If it were worse and the entire environment
Re: (Score:3)
Indeed. Even just a monthly archive would be adequate for most small cities, and a weekly archive would result in less data loss than the time it takes to decrypt things even after paying the ransom.
A weekly backup, each department on a different day, especially with most departments completely closed every night for twelve hours, really shouldn't be impossible.
Alas, I'll say it again; none of this matters. Backups just make this attack easier to recover. There are countless other attacks.
There has only
Re: (Score:3)
Re: (Score:2)
Just how in the hell can you say that the actions of the perpetrators are "... not actually all that evil". I bet if I were to tie up all of our information regarding your life so you could never get to it, you would sing a different song. Even if those cities were negligent, that still does not give someone the right to abuse and take advantage of them like that...sheesh.
Re: (Score:2)
in the scope of 'evil' it' snot really that evil. It just isn't.
Not that evil in no way means or implies good. Just on a scale of evil form 1 to 100, it's about a 15.
Re: Of course not. (Score:2)
Were I a hacker, I'd consider this a challenge to hack them and see if they mean it...
I think they just painted a big target on their collective backs.
Re: (Score:2)
Were I a member of a Federal policing authority, I would seek to prosecute those government employees who paid ransom for aiding and abetting criminal activity and for funding future criminal activity, if the funds where directed to offshore criminals, also charge the government employees with treason.
Adopt Resolution to Have Backups (Score:3)
Just having proper backups is just as good as refusing to pay ransom, since as long as you have proper backups you don't have to pay them.
Re: (Score:3)
Why would your backup system execute code? If you have immutable backups, you can scan upon restore.
Cartel (Score:1)
They are basically forming a cartel to protect their collective interests. Like OPEC, which got together to decide how much oil each one could sell, in order to keep the price of oil high for everyone.
The problem is that cartels like this rarely work. Every oil producer had an incentive to sell extra oil behind the others' backs. (It's a classic prisoners' dilemma or Nash equilibrium.) Similarly every mayor, if they actually have a breach, will still have an incentive to pay the hackers, even if it is bad f
Re: (Score:1)
No they aren't, and its nothing like that, and OIL prices aren't high.
You're basically deluded about everything
Re: (Score:1)
They are basically forming a cartel to protect their collective interests.....
Usergroup, club, nation, herd, flock, pack, cartel, gang, company, posse, pride, swarm, syndicate, association, team, clique, horde, shoal, community, group, conference, lynch mob, search party, school. People, and in fact all animals, come together and cooperate in groups. Those that fail to do so end up as weaker losers and are out-evolved. Cartels,in the form of companies coming together illegally often fail because they are against the law, but imperfect as they are, even those that only work part
I like the sentiment, but... (Score:4, Interesting)
"Not only have we encrypted all the data you need to do your work, we've siphoned off all the data you have on your citizens to our own servers. Pay the ransom or we'll (release|sell) it."
Maybe instead, they can resolve to fix up their IT security.
Its A Bold Strategy Cotton, (Score:2)
Lets See If It Pays Off For Em
They will just pay third party/insurance to pay the ransom.
If they said something about improving security and establishing guidelines for backups (and of course restores)
I'd probably think they were more serious.
When the data is available and everything is working correctly, it's easy to say stuff like that.
Backups (Score:3)
The answer is they don't have a resolution for backups. Instead, they have a resolution calling on the US government to create a data center they can all use that will be secure, reliable, not too expensive, and solve all their problems.
Re: (Score:2)
So if the city governments are hoping the federal government will fix their problem, they are wrong.
Re: Backups (Score:2)
The fundamental issue is that their municipal network is accessible from the public internet - why is that?
I worked in public K-12 education, they had a great student information database that REQUIRED the entire server be located in a district's DMZ.
Re: (Score:2)
Re: (Score:2)
The answer is they don't have a resolution for backups. Instead, they have
But that's what government DOES -- outsourcing the problem. Being meta-managers, *we* actually _DID_ something about it: gave it to someone else.
So we've already solved it and are now looking at more IMPORTANT things - if it breaks or goes all wrong, we'll it's all THEIR fault and problem. We're busy.
Re: (Score:2, Interesting)
Painting the Target (Score:2)
Well, since we know that a "resolution" doesn't actually do jack shit to deter or prevent a ransomware attack, bold statements will do nothing more than paint a target on their backs.
I predict it will only take another dozen attacks before they realize it takes more than some bullshit public declaration to secure digital assets.
Then they might start thinking about hiring competent staff and investing in those old fashioned concepts. You know, like backups.
Re: (Score:1)
Then they might start thinking about hiring competent staff...
And the first thing that competent staff would do is ban Microsoft software (including its operating systems) from the network in favor of Linux. That alone, doing nothing else, would reduce these incidences by at LEAST 75% (yes, I made up that number to make a point).
Re: (Score:2)
Then they might start thinking about hiring competent staff...
And the first thing that competent staff would do is ban Microsoft software (including its operating systems) from the network in favor of Linux. That alone, doing nothing else, would reduce these incidences by at LEAST 75% (yes, I made up that number to make a point).
Ironically enough, if we ever actually saw the Year of the Linux Desktop, we would also see the Rise of Linux Malware.
Market share is all it takes to create highly profitable targets.
Re: (Score:2)
Ironically enough, if we ever actually saw the Year of the Linux Desktop, we would also see the Rise of Linux Malware.
That's a common misconception. Linux has had malware almost since Linux has existed. Getting it to spread, though, has been damn near impossible. Linux thoroughly dominates in nearly all areas except the desktop, yet successful Linux exploits have been very few and far between. They have almost always been caused by weak passwords, with only a small handful of notable software flaws.
What makes highly profitable targets is when those targets are running Windows. Its security has had more and larger hole
Re: Painting the Target (Score:2)
sounds great, let me know when all their proprietary software needed to run their municipality are ported to Linux....
Maybe they could just take their internal servers off the public internet?
Re: (Score:2)
let me know when all their proprietary software needed to run their municipality are ported to Linux....
If a large portion of government municipalities resolved to remove Windows from their networks, companies used by those municipalities would port their software to Linux in short order. Meanwhile, Windows could at least be quarantined within virtual machines running on a Linux/AMD host (don't use Intel chips for this).
A couple reasons why this won't work (Score:2)
Re: (Score:2)
1. Are you posting from 2005? security is near the top, if not at the top, almost every companines IT plan.
2) That makes no sense.
are they going to pay (Score:2)
for an actual data storage and redundancy plan?
That's nice (Score:2)
US Mayors seem pretty dumb. (Score:1)
Baltimore opted to spend $18,000,000+ of taxpayer money to recover their systems instead of paying a $100,000 ransom. Why not pay the ransom and then spend 17 million on improving security and backing things up?
De-incentivizing these attacks isn't going to work because the potential profit is so high relative to the cost. Government employees aren't smarter than anyone else, getting them to open malicious attachments is probably trivially easy.