
Good afternoon. Come on, let's try that again. Good afternoon. Um my name is Alton Henley. I'm the Dean of Business at Montgomery College, but before that I was a Hi. And before one of my colleagues, but before that I was an information systems professor teaching cybersecurity, data analytics, and software development. Every red team report that's been written for city government is sitting in a filing cabinet right now, unread, unimplemented, and marked for follow-up at a meeting that keeps getting rescheduled. I'm going to spend 15 to 20 minutes telling you why and what to do about it. I spend most of my week translating between people who write security device advice and the people who have to act
upon it, and they don't read each other's email, and that's the whole problem. So, we're going to talk about 14 real American cities all hit, two recovered well, the other 12 did not, and we're going to look at why. And why am I talking about cities? Most people don't understand this. There's 19,000 cities in the United States. 16,000 of them have 5,000 residents or less. 12,000 of them have two have 2,000 residents or less. They are a very rich and juicy target for hackers, but they're generally not big enough to have a substantial IT staff, and certainly not a substantial cybersecurity staff. We're going to take a look at that. Lake City, Florida, population 12,000,
June 2019. An employee clicked on an email attachment and within hours ransomware encrypted the city's email. The email was down, the data was down, the residents couldn't pay their bills online, and the system stayed down for 2 weeks. The ransom was $460,000. And the city paid it. The cyber insurance covered all of it but 10 grand. And the I The city manager got to look like a hero cuz he got off for only $10,000. But here's the part that matters. Before Lake City, Riviera Beach, Florida, same state, 35,000 people, paid $600,000 after the same exact type of attack. 2 months before that, Jackson County, Georgia, paid 400,000. The attackers didn't stumble onto Lake City. Lake City was on a list. The list was
beca- was made because the cities ahead of it paid. And they kept looking for cities that matched the same footprint. Does that make sense? One more because the small town reflexes were too small to be a target. Cockrell Hill Texas. In 2016, population 4,200 people. There was a $4,000 ransom. They refused to pay. But they had no backups. They lost every police record dating back to 2009 permanently. Work that they were already working on was lost. There was some uh cases that got challenged. They didn't have the case records to refer back to. And people got set free. 12,000 people, 4,200 people, the size of the town is not the threat model. The architecture is.
So, this is the 14-city pattern. We talked about four cities, four sizes, one pattern, and we're going to add 10 more. If you look down the list, we have everything from Cockrell Hill at 4,200 and Stuart at 17,000 all the way down to Atlanta with 500,000 and Baltimore with 600,000 people. All of them got hit. Uh 2019, Jackson County paid $400,000, Lake City paid 460, Riviera Beach paid 600,000. 3 months, attackers calibrating upward as the cities kept paying. Now, in 2022, they professionalized. Wheat Ridge with a population of 31,000 faced a not quite known, but suspected to be a a a a ransom in excess of a million dollars from AlphaV Blackcat. Ransomware as a service. The malware is the
platform. Affiliates pay for access. A city of 31,000 was negotiating with what is functionally a tech startup. The threshold we crossed in 2023, Oakland declared a local state of emergency over its ransomware attack. Same instrument that we use for hurricanes and earthquakes was caused was called because of a ransomware attack. This is where digital infrastructure now sits. Now, what makes these cities so juicy? It isn't random. Local governments check every box an attacker looks for. They have tiny teams with a massive surface. Cockrell Hill had no dedicated security staff. Lake City had a handful of IT people for 12,000 residents. Riviera Beach had 400 endpoints and nobody protecting them. The IT director is also the help desk.
Some of these cities, they're sharing one IT person between adjoining cities. The network admin and the CISO all of wrapped up in one, except nobody gave them the title or the authority. They have services you can't turn off, and this is the leverage. If you're talking about a company, push come to shove, the company can go out of business. They can sell themselves to somebody else. A city the water, the sewage, the bills for all of their population, they don't have a choice. They have to continue serving. The permitting office, the council members are getting called from their voters. Revere Riviera Beach is council voted unanimously to pay 600,000 because all of their 911 calls were being dealt
with on paper. Uh and the political pressure overrides policy. And the budgets are public record. There's something called the CAFR. The every single one of these cities by a matter of law has on their website what their budget is. So, when a city tells you they can't pay and you can go on their website and you can see you have a 400,000 emergency budget. You have a 400,000 discretionary spending budget. They know what you're capable of paying, which is again something that doesn't necessarily happen to a normal corporation. These numbers aren't random and the payers create target lists. The uh same data analytics that we use to figure out um who's our best customer, who's our best competitor,
they're using to figure out what is the next city on the list. In fact, you could ask chat GPT based on these four characteristics, what other cities in our Ohio are similar to this city that I just attacked? And as long as you don't use the word hacking in that prompt, it'll give you the answer. Only one of the 14 cities in this deck had a CISO. The IT director can't enforce a vendor contract, reallocate budget, or mandate MFA across departments. That's structural. And now we're going to look at what the attacker does with it. We've all heard of the cyber kill chain or at least I'm assuming we all have. Um these aren't complicated attacks.
They're only doing three steps. They're using uh fishing um and unpatched public systems to get into the network. Because the networks are flat, they're able to extend across the entire city like that. The the police, the fire, the water, all of it's connected. There are no firewalls sitting in between any of them. And the first thing they encrypt, if they encrypt anything, is the backups. Now, it may be that they you don't even have backups. So, if you don't have backups and they've encrypted all of your systems, they're done. They're not trying to exfiltrate anything. They're trying to get you to give them the money and that is the end of it. Now, it seems
incredibly simple and you might be like, how is it that these cities are falling prey to this? And reason is, just like I said, um NBC knows that it's a target. Sony knows that it's a target. Apple darn well sure knows that it's a target. Um Damascus, Maryland doesn't understand that they have something that hackers want. Does that make sense? Okay. Now, this is where the math gets weird. Um 333 times is what the difference is between what was demanded and what the damage was in Atlanta. Now, don't get me wrong. I generally don't think that you should pay the ransom if you don't have to. But, when you're talking about those types of damages happening to your
budget and what has to happen to that money, it has to be pulled out of other programs, then it makes it a very compelling story why cities do pay. In Baltimore, it was 237 times uh between the amount demanded and what it took them to recover. Now, both of these cities weren't prepared. Plainsville was more or less prepared. It only cost them 1.7 times the budget. And in Imperial Count Colorado, it only cost them 1.33 times, but that's because they had a plan and they were prepared. All right? So, like I said, generally speaking, don't pay. If you actually have a recovery option, don't pay. Otherwise, ask Cockrell Hill how 7 years of police records vanished for a refused
$4,000 ransom, and then figure out what you would do in their place. Um One of the IT directors said, "This is the worst disaster I've ever encountered. It's an end-of-life event from the IT department from the IT perspective." Um which I'm sure we can all understand. Now, if you flip it and you look at it from the other side, uh 17.17% is what it would cost uh for MFA for the entire city. 20 for $2,700, they could have prevented an attack that cost them 1.6 million. Now, everybody's willing to pay after it happened. The trick is getting them to pay before uh the system has been taken down. But, these numbers look the same pretty much
across the board. Um When we take a look at the Uh so, we've talked about 14 cities, one playbook hitting them all, a size range that runs 150 times from 4,000 to 600,000 people. Phishing, flat network, destroy the data. That's what they're doing. They're getting in and out as quickly as possible. Just like 15 years ago, it seemed like everything was SQL injection, these days, they're going for phishing. Um both options are expensive. Do you pay or do you not pay? The decision belongs in a tabletop. The city should have done a tabletop exercise 6 months before it happened, probably have done it multiple times, so they understood how they were going to react when the zero hour came, but they
didn't. And so, they're in the middle of a crisis trying to um figure out what they're going to do. And I What was it? Was it Mike Tyson that said, everybody thinks they know what they're going to do till they get punched in the face. Um now protection costs 0.17% of the recovery, like I said. Now, the problem is the delegation is the the vulnerability. The problem isn't People want to say that it's IT, it's not IT. It's This is a special organ- This is a special organizational structure that makes it not IT's problem. Of the 14 cities in this deck, only one, Sugar Land, responded to its attack by changing the org chart. Even country
cities that were paying $600,000 changed nothing about the way that they did business other than the fact that they might have bought some more tools. Sugar Land actually hired a CISO. Um, they hired somebody reputable. They said that this person has the final call on what software is attached to what, what network endpoints are attached to what, how the network is structured. It has to go through him. And if he says that it doesn't happen, then it doesn't happen. None of the other cities were willing to do this. The mandate to do these things lives with the city manager and the council. That is the special problem that we have uh with uh lo- small municipalities. In
13 of the 14 cases here, those people responded by buying tools. The delegation is the vulnerability. Everything we've covered is downstream of that one governance pattern. The technical fixes are easy. Getting them implemented is the hard part. And that is the part that this room could actually move the needle on. And before we get into the last three slides, um, 20 Oh, jeez, I'm old. 27 years ago, I worked for MCI WorldCom. And at this time, uh there was uh certain social media tools that were becoming in vogue, and everybody wanted certain things. And the And the company made a company-wide policy that they were not to be allowed. I was on the IT staff at that time and I
got called into the VP of marketing's office because he wanted to be able to use Facebook on his machine so he could send messages to his mother. This is the type of stuff that happens at cities and whereas in a large company today, I could have just reported that to somebody and I wouldn't have had to do it. If you're talking about some small town in East Ohio, it's probably something that could get you fired if you don't pay attention to it. So, you have to listen to what the city council says. Does that make sense? So, what can you do? There's the zero cost foundation. There's four controls that you could use that cost zero dollars. Each requires a
city manager to sign a memo and it's not installing a tool. Uh one, kill the dead accounts. It would kill you to understand how many companies or how many cities keep an old person's accounts around. Oh, we want to keep receiving his email. Oh, we want to make sure that we have all of his files. And we all know that there's ways that you can do that. There's ways in Office 365, there's ways in Google that you can you can change those things keeping them active without keeping the account active, but they don't do that leaving another vector open. Uh number two is they could join MS-ISAC. Now, there's an organization that is dedicated to helping with cybersecurity
issues with small and local governments. They are the experts in this. They are the absolute uh bomb that you would need to go to when it comes to instant response. The problem is you shouldn't be calling them for the first time at 6:35 in the morning when you have a breach. You need to talk to them now so that you're prepared when you have a problem later. Uh number three, ban personal browsers. There should be an a organization-wide policy that you cannot save your credentials in your browser in your personal machine. Now, we all know just saying that you can't do it doesn't mean that certain people aren't going to do it, but it will at least cut down on
the problem and it will reduce some of the vectors that we've seen in this deck. And print the playbook. And this is um this seems simple, but you need a printed one-page IR plan and it needs to be printed because the laptops will be encrypted. You need to know who you need to call in the first 60 minutes that something has occurred. Does that make sense?
Now, if you If a city has a budget for three controls and most do, these are the three that appear in every single defense file in this deck. Um Riviera Beach defense plan, the total program costs 83,000 a year. The MFA line alone, like I said before, was $2,700 a year. The attack costs 1.6 million. MFA is 0.17% of the damage that it could have prevented. So, three controls, MFA everywhere, isolated immutable backups, way too many places don't have them, and even some of the places that do have them don't test them. You need a end-to-end test, take it all down, restore completely from backup, and see if you are operational. A city nearby that I will not name
uh did this recently and found out that it took them 6 hours to bring everything back up. And they're in control of traffic lights, water, power, whole bunch of stuff. So, the fact that they couldn't bring it back is a real problem. They were able to bring it back, but for 6 hours they were down. Um if I'm not mistaken, they notified the local hospital before they did it though. Um EDR plus fishing awareness, endpoint visibility plus dropping the click rate. These are the things that move things along. Um the insurance the insurers are dropping coverage for cities that don't include these things. Lake City's insurer that paid the $460,000 in 2019, the 2024 quote for the same city looks
very different now. And if they say they can't afford it, the answer is you can't afford the insurance cancellation either. Now, I talked about um the multi-state information sharing and analysis center. They provide immediate response, uh detection and early warning. They let you know uh these are the kind of attacks that are going around. Uh they share threat intelligence, and they provide forensic and remediation support. And collaborative intelligence. These guys are your very best friends if you're part of a local um government. However, again, you need to be talking to them for the first time before you need them. Um and finally, uh I wanted just close on the idea that the difference isn't the budget. Us. Sarasota, in 2016, they
got hit, they didn't pay. Um they restored from backups overnight. They had uh immutable backups that they did on the daily basis, and they were able they had tested them, so they knew that they worked. Um so these isolated backups, the IT staff was trained to unplug fast, and they had had practice doing both. Sugarland, Texas, they got hit. The city manager's response wasn't to buy a tool, it was to create the sys the CISO position and hire someone into it. The only city in this deck that responded to an attack by changing how they govern, which is really important. So, two out of 50 14, the difference isn't budget, team size, or tooling. The difference is that
someone walked in the city manager's office and made a case on slide 10 that this is your job, not the IT director's, and the manager believed them. That someone could be in this room. So, take the assessment that's dying in your drawer right now and walk into a city manager's office in a language they understand. In fact, for those of you that um either have businesses on your own or do a little bit on the side, pick the smallest town in driving distance and offer to spend one Saturday a quarter making them harder to breach. There are thousands of these towns and there are not thousands of you. Thank you. >> [applause]
>> Is there any questions, comments, amusing anecdotes?
No, no, you're absolutely right. I was just trying to focus on the ones especially for cities that um most people most people here might not know about.
Okay. And you found them to be helpful? Yes.
Okay. Well, thank you for sharing. Okay. Okay. I'm at zero minutes. Thanks again. >> [applause]