US Conference of Mayors adopts a resolution to never pay off ransomware attackers

Originally published at: https://boingboing.net/2019/07/12/hang-separately.html

2 Likes

I wonder if this resolution is quite as resolute about letting your insurer decide to take the less expensive way out…

If so it loses a lot of practical impact.

4 Likes

This resolution assumes that cities are being targeted… The reality is that a net is being cast as wide as possible. The cities are getting hit because they are easy targets that aren’t spending huge amounts of money on disaster recovery systems. It’s the same issue when hospitals are hit.

5 Likes

It’s like how nobody ‘negotiates with terrorists’ unless of course it’s in secret so that face can be saved (and also imminently the lives of hostages and crap like that).

4 Likes

Why don’t they instead resolve to pay, right now, somewhat-less-than-millions for the necessary upgrades and hardening to existing systems before they are infiltrated by Eastern European hackers?

16 Likes

Or, at a bare minimum, off-site and air-gapped backups?

5 Likes

[Image: Oprah, you make a backup]

11 Likes

Remember, kids: two is one, and one is none.

10 Likes

Yep, would have been much cheaper and everything back online faster if Baltimore would have just paid them. And they knew they had a backup issue for YEARS.

2 Likes

If they adopt another, obviously much-needed resolution to hire competent sysadmins who understand the concepts of backup and security then they might be able to fulfill this resolution.

4 Likes

How about this: don’t completely abandon paper-based and analog systems. Keep a contingency plan in place.

2 Likes

The sysadmins aren’t necessarily incompetent so much as under-staffed and under-funded. Their concerns are also easy for city administrators to ignore until something goes terribly wrong.

11 Likes

Replace “city administrators” with “senior management” and you have an accurate picture of the depressing state of things for corporate sysadmins.

That said, in some of these ransomware cases (especially in towns and smaller cities) it sounds like incompetence was at play, too.

5 Likes

C’mon, man. Resolving to never negotiate with terrorists gives you that warm glow of slightly macho moral certainty, just like in the movies. Does giving more money to the nerd cost center for their nerd toys and annoying ‘updates’ and ‘security policies’ give you that warm glow of slightly macho moral certainty?

You sound like one of those people who thinks that the right answer and the answer that feels right might be different things; a concept absurd to reason and dangerous to faith.

3 Likes

FYI Baltimore’s systems are still not back up. I’m going to have a hell of a water bill to reckon with, assuming there’s ever a way to pay water bills in Baltimore again.

3 Likes

Classic prisoner’s dilemma. Each city is better off if all other cities abide by the resolution no matter the cost, because that might discourage hackers from trying in the first place. But each city also has strong motive to pay the ransom to save themselves even higher costs.

2 Likes

Yeah, in other words they resolved to pretend they aren’t the easy targets that they are.

I think it would have meant more if they had committed to adequately funding security analysis and improvements to their city’s systems.

Yes, it will cost a lot. In many cases I’d expect they’d literally have to double or triple their IT budgets to repair their current systems, add defenses, and add adequate security operations. And triple the typical budget is a hell of a lot cheaper than what Baltimore’s expenses have been.

2 Likes

South Bend, IN better lock-it-up. This could definitely become an issue in the next presidential election.
https://southbendin.gov/official/mayor-pete-buttigieg/
