'Soft targets': Beleaguered Baltimore still reeling from a cyberattack. And that's just its latest woe.

Jorge L. Ortiz

Baltimore is not alone in its woes. It does have an extra dose of them, though.

Maryland’s largest city is still grappling with the aftermath of a May 7 ransomware attack that froze thousands of government computers, disabled e-mail functionality and crippled city services.

That’s a major hardship for a beleaguered city that’s adjusting to new leadership after the recent ouster of its previous mayor, and only the latest setback to confront Baltimore, whose population has dwindled to 600,000.

Bernard “Jack” Young, who took over as mayor on May 2, said it may take months to bring all systems back up. He has declined to pay the hackers’ ransom demand of approximately $75,000 worth of bitcoin.

Perhaps the biggest consolation for Baltimoreans these days might be having company among municipalities victimized by cyberattacks.

Lee McKnight, an associate professor at Syracuse University’s School of Information Studies who’s an expert on cybersecurity, said these kinds of intrusions are becoming more common and only figure to increase because local governments are “soft targets.”

“Unfortunately, it happens again and again to municipal systems that don’t have all the latest software, the latest protections or the highest-paid IT staffs either,” McKnight said. “If it can happen to Atlanta, Baltimore shouldn’t be embarrassed.’’

Atlanta, which bid to become the second headquarters for online retailer Amazon last year, had more than a third of its systems paralyzed by a March 2018 ransomware attack. Recovery has taken more than a year and costs have been pegged at $17 million.

Baltimore Mayor Bernard "Jack" Young speaks to the crowd after been sworn, during the 51st Mayoral Swearing-In Ceremony at War Memorial Building in Baltimore, MD., Thursday, May 9, 2019. Former Baltimore's mayor Catherine Pugh resigned under pressure, amid a flurry of investigations into whether she arranged bulk sales of her self-published children's books to disguise hundreds of thousands of dollars in kickbacks. (AP Photo/Jose Luis Magana) ORG XMIT: MDJL114

According to the technology company Recorded Future, there have been more than 170 ransomware attacks on U.S. state and local governments since November 2013.

FBI statistics do not separate by public or private entity, so it’s hard to get an official count on the frequency of these incidents. The bureau’s Internet Crime Complaint Center (IC3) tallied 1,493 victims of ransomware in 2018, a figure that does not include direct reports to field offices or agents.

In November, the FBI indicted two Iranian men in a computer hacking and extortion scheme that targeted cities like Atlanta and Newark, New Jersey, in addition to the Port of San Diego, the Colorado Department of Transportation and six health care-related organizations. The estimated losses added up to more than $30 million.

Still, Baltimore’s latest malware breach – its second one in 14 months – comes on the heels of a particularly rough stretch for a town having a hard time living up to its “Charm City’’ nickname.

Earlier this month, Mayor Catherine Pugh resigned under pressure after a book-selling scandal prompted federal and state investigations of her.

Last year, the city was rocked by one of the biggest police-corruption cases in its history, when eight members of an elite task force were convicted of racketeering for stealing hundreds of thousands of dollars in cash, jewelry and drugs.

More: 2 men based in China indicted on hacking charges in massive Anthem data breach

More: $356,000 to protect your computer? Feds promise 'all-out attack' on scams targeting the elderly

Community trust in the police department had already eroded following the 2015 incident involving Freddie Gray, a 25-year-old black man who suffered a severe spinal injury while in police custody and later died, setting off riots.

The department is now on its fourth commissioner since the beginning of 2018, a lack of continuity that presents yet another obstacle in the efforts to curb an unrelenting problem with violent crime.

Baltimore has had at least 300 homicides four years in a row, and in 2017 it had the nation’s highest homicide rate among major cities, according to FBI statistics released in September. Baltimore’s 56 homicides per 100,000 people easily outpaced Detroit’s 40 per 100,000 and was double the rate of third-place Memphis, Tennessee.

And now, routine transactions like paying a water bill or a traffic ticket have become an ordeal, although the city this week implemented a manual workaround to complete real estate deals that had been on hold.

And on top of everything else, the city's baseball team – a source of pride for decades – is in last place as the Orioles struggle to overcome a dismal record for the third year in a row.

Brandon Scott, who replaced Young as president of the City Council the day before the ransomware hit, wants to shift the narrative of Baltimore as an embattled city that was already broadly projected by the long-running TV show “The Wire.”

“When you think about those unfortunate incidents, you’re talking about individuals who had power and abused it,’’ Scott said, referring to Pugh and the convicted cops. “But for all the bad things that happened and that the media talks about in Baltimore, there are also great things going on in our city. Those are the things we need to highlight.’’

May 4, 2017 -- Baltimore, MD -- Baltimore's Inner Harbor on a cloudy day, as seen from Federal Hill Park. -- Photo by Jasper Colt, USA TODAY Staff ORG XMIT: JC [Via MerlinFTP Drop]

However, Scott also said that in his previous role as councilman he tried to convince the Pugh administration to make cybersecurity a higher priority, to no avail.

That comes as no surprise to Janne Lindqvist, assistant professor of electrical and computer engineering at Rutgers University, who pointed out government officials often think of securing computer systems as an added cost, not an inherent part of their duty to protect residents.

“A general problem, and not just for cities, is that no one wants to pay for security, and nobody knows what security looks like,’’ Lindqvist said. “It’s like, if you go buy a used car, the seller knows much better what’s wrong with the car and what are its features and so on. It’s the same with security products.’’

Lindqvist said proper protection would involve backing up all the systems and deploying a strategy for bringing them back online after an attack. That’s not a cheap endeavor.

McKnight, who’s working with the city of Syracuse and the federal government on a secure cloud architecture for so-called smart cities, said the hacking perpetrated on Baltimore wasn’t particularly sophisticated. Too many cities are simply unprepared to fend off those attacks, and it’s going to take time for them to get up to speed.

According to Joel DeCapua, supervisory special agent in the FBI’s Cyber Division, those vulnerabilities include legacy systems that aren’t updated, weak passwords set up by administrators and a failure to monitor networks. Attempts at providing cybersecurity are further complicated by tight budgets.

DeCapua said hackers aren’t necessarily targeting cities over other victims, but find them easier pickings.

“Hackers are opportunistic, and if they’re able to crack a weak password or find a specific vulnerability, they’re going to exploit it,’’ DeCapua said. “It may seem like you’re hearing more about municipalities being targeted because when a municipality is affected by a cybercrime, a lot of people find out. Either they can’t pay their traffic tickets or the court system has to go on standstill.’’

Folks in Baltimore know all about that.

This article originally appeared on USA TODAY: 'Soft targets': Beleaguered Baltimore still reeling from a cyberattack. And that's just its latest woe.