Atlanta city mayor Keisha Lance Bottoms calls for federal funding for cybersecurity following costly Atlanta SamSam campaign

Cities across the US are on edge over their lack of cyber readiness after the news that a second town in Florida was crippled by ransomware.

Officials in Lake City, Florida – a place of some 12,000 inhabitants – announced on Tuesday that it would be handing over $460,000 to cybercriminals in order to regain control of email and online bill payment systems.

“I would’ve never dreamed this could’ve happened, especially in a small town like this,” Lake City mayor Stephen Witt told Action News Jax.

A city employee is said to have opened an email containing ransomware which spread through municipal computers on June 10.

“Our insurance will cover all of it except for $10,000,” Witt said – adding how taxpayers would to make up the bulk of the city’s increased future insurance premiums.

Victims of ransomware are generally discouraged from paying the cybercriminals that hold their systems hostage, but actions taken by Lake City reflect the increasing preference of local government to give in to hackers demands.

Another small town in Florida, Riviera Beach, came to the unanimous decision last week to pay a $600,00 ransom in order to stop the disruption to systems including email services, online payments, and water utility systems, beginning on May 29.

“That taxpayers had to pay nearly $600,000 in ransom to cybercriminals is unacceptable,” said Republican senator of Florida Marco Rubio.

“These attacks will only become more common unless we take action.”

Preventative action is recommended cross industry when it comes to dealing with cyber-attacks on systems, whether critical or otherwise.

Some say, however, that preparation for an eventual cyber assault is just not on the radar of local and state governments.

“People don’t see cybersecurity,” said Keisha Lance Bottoms, mayor of the City of Atlanta, the state capital to have suffered one of the biggest ransomware attacks in US history last March.

“They see sidewalks, they see potholes, and we [the City of Atlanta] were allocating our resources accordingly.

“We were also putting patches on gaping holes.”

Bottoms was speaking to a recent US congressional subcommittee hearing on the cybersecurity challenges faced by state and local governments.

According to evidence provided at the hearing, states currently spend only 1-2% of their budgets on cybersecurity, employing less than 15 cybersecurity professionals in their workforce.

“When we experienced our cyber-attack, it was very clear that we were not prepared,” Bottoms told the Subcommittee on Cybersecurity, Infrastructure, Protection and Innovation on Tuesday.

“We were very fortunate in that it was not our 911 system, but it could very well have been.”

On March 22, 2018, less than three months into her job as mayor, Bottoms was forced to deal with a city rendered “incapacitated” after municipal servers became infected with SamSam ransomware.

More than a third of necessary programs were taken offline, with many services reverting to pen and paper, as officials worked with the FBI and a private cybersecurity company to get America’s tenth largest economy back up and running.

The cost to the city has so far been $7.2 million and counting, Bottoms said – no ransom was paid to unlock the systems.

“We knew that we needed to build a stronger, safer system, we’ve allocated our resources accordingly, and now there is an expectation from the public that we budget our cybersecurity work in the same way that we budget for other priorities within the city,” Bottoms said.

She added that it was now easier to communicate cyber investment to the public due to the media attention that the ransomware attack that Atlanta, along with other cities, have had to counter.

“Historically, cities and states have spent a much smaller percentage of their budget on cyber than federal agents,” she said.

“In my nearly two-year campaign as mayor, not one constituent asked me about my investment in cybersecurity.”

Bottoms was asked what cities should be doing to beef up their cyber defenses.

“You have to plan and prioritize accordingly,” she said.

While working with private entities has become pivotal in securing city infrastructure, Bottoms noted how public service would forever be competing against them to attract and retain infosec talent.

“Funding is always necessary and extremely helpful for us to offset and be able to compete accordingly,” she added.

“We’ve increased our budget in our DIT (Department of Information Technology) department, but it’s still not enough.”

Bottoms suggested that grants be provided by the federal government in order to give cities the opportunity to purchases cyber insurance, as many of them currently do not have a system in place to effectively respond to attacks on their digital infrastructure.

Others on the congressional panel, which consisted of cyber gurus Thomas Duffy, Ahmad Sultan, and Frank J. Cillufo, called for greater collaboration between all levels of government.

Cillufo, director of Auburn University’s McCrary Institute for Critical Infrastructure Protection and Cyber Systems, said that only 4% of grants from the Department of Homeland Security (DHS) had been awarded to cybersecurity.

The Daily Swig has reached out to the DHS for comment.

Research by Recorded Future states that only 169 ransomware incidents have impacted state and local governments since 2013, leading the threat intelligence firm to believe that threats of this nature are not on the rise.

RELATED GandCrab closure will lead to ‘power vacuum’ in ransomware market