One of the Biggest and Most Boring Cyberattacks Against an American City Yet
Want to hear a boring story?
I can’t submit an expense report for a recent out-of-town work trip. I’ve got all the receipts, except one from long-term parking at the Atlanta airport. A sensor lets me in and out of the parking lot there, and my account gets charged automatically. Later, I can download a receipt from a website, which I submit to accounting at my university, which creates an expense report, which eventually processes a reimbursement.
But the website has been inaccessible all week. I’m assuming it’s a consequence of the recent ransomware attack on the City of Atlanta’s computer systems. In what The New York Times has called “one of the most sustained and consequential cyberattacks ever mounted against a major American city,” a group of hackers has been holding the systems hostage for a ransom of about $51,000 (payable in Bitcoin) since late last week. To stop the spread of the attack, the city has shut down some of its online services, including some that provide consumer services. The airport’s Wi-Fi system has been disabled—and, apparently, the parking system I use there, too.
I emailed the manager of the airport-parking service, but chances are she won’t be able to respond; Atlanta has directed many workers to turn off or unplug their computers, another precaution that they hope will help control the damage. Until the city decides to pay the ransom or extract the virus, many city officials are processing paperwork by hand.
In a statement, Atlanta’s mayor, Keisha Lance Bottoms, assured citizens that utility and safety systems, like police and water, are unaffected. She also noted, “This is a massive inconvenience to the city.”
Tell me about it. This is the new, humdrum reality of information-security breaches. When they don’t leak reams of personal information for theft and resale on the black market, they make ordinary life annoying in small but important ways.
Here’s more boring corporate bureaucracy for you: My university uses software made by Oracle and PeopleSoft for accounting and expense management. The system assumes one expense report per trip, which means that now I have to wait until the parking-system website comes back online so I can extract a receipt (for $100 or less) and submit it. Until then, I can’t get reimbursed for the rest of my trip, which totals far more than $100, unless I want to absorb the parking expense in the interest of expediency.
I’ll be fine, but not everyone can wait days or weeks for their reimbursement. In fact, other Atlanta citizens might fare worse. The city courts, unable to process tickets or warrants automatically, have been forced to do so by hand. Surely someone will make an honest mistake, and a ticket could be advanced to warranting after registering unpaid, or a warrant could wind up assigned to the wrong person.
The City of Atlanta assures its residents that anyone who can’t pay a utility bill won’t be penalized if they cannot access an online system to do so. But those exceptions would also have to be entered into a computer. Someone’s account could be incorrectly marked in arrears, and their water service shut down. Perhaps turning it back on again will require visiting the City of Atlanta Department of Watershed Management in person with payment by cashier’s check or money order. I can’t tell you what they’d have to do, because as I write this, the Atlanta Watershed’s billing website is down. Taking time off from work to correct inadvertent consequences of the computer outage could easily cost someone a shift, or even a job.
These are the kinds of cascading failures that take place when internet-connected systems get taken down, whether by surprise on the part of hackers or intentionally by municipalities or corporations impacted by them. Nobody means for these things to happen. Not the City of Atlanta. Not even the hackers who initiated the ransomware attack. But they are the consequence of building and operating computer infrastructure interconnected via the internet.
When a breach at the credit agency Equifax exposed almost 150 million Americans’ most personal information last year, I remarked on how banal the matter seemed. Equifax didn’t even appear to be trying to treat the situation with the gravity that it deserved, and the public seemed resigned to the matter. “Breaches have settled into a kind of modern malaise, akin to traffic or errands,” I wrote. “They are so frequent and so massive that the whole process has become a routine.”
That routine is only accelerating. Last week, when news broke that tens of millions of Facebook users’ personal data had been extracted by a personality-quiz app and sold to the political consultancy Cambridge Analytica, public reaction was strong mostly because that data appears to have been used in U.S. election targeting. The fact that the data was vacuumed out of the social network has also raised hackles, even if people don’t fully realize that Facebook was designed to allow that very extraction.
All of these incidents arise from a slow, steady drip of small changes to the way people store, access, and manage information and services. Contemporary civilization has rebuilt itself atop a lattice of fragile computer systems, all interconnected. The chaos that ensues when these systems fail or get breached is so constant, it feels expected. Almost natural.
But it didn’t use to feel that way. Sure, computer systems have gone down temporarily for their whole existence, whether from system failures, human error, or even malicious interventions. Many years ago, after the dot-com crash but before Facebook existed, I worked on e-business services for big companies. Once, my team inadvertently erased a major automaker’s American customer database, due to a miscommunication over a change to systems that synchronized consumer website information with a mainframe that managed warranty records. The whole thing got restored from backup and reinstated quickly, but the incident was considered a major failure for everyone involved. Postmortems were conducted, at which ties were worn. All in the name of accessing an automobile owner’s account online, at a time when a lot fewer people did things like that, let alone very often.
That wasn’t so long ago. But since then, the standards for a “critical” system—one that really needs to be operational and accessible almost all the time—have dropped. Not just the technical standards, but the cultural standards. Ransomware attacks like this one are extortion cons—Bottoms accurately called it a “hostage situation.” But that language is an overstatement compared to how routine the situation has become. SamSam, the ransomware group behind the Atlanta attack, has already extorted over $1 million in ransoms this year, according to The New York Times.
Decades of wonky, half-baked, internet-connected systems, popularized and exposed to invite risk, have lowered expectations so much that nobody is even surprised when they don’t work for days at a time. As more urban infrastructure, including smart-city systems, goes online, cities and their citizens should be terrified by the Atlanta ransomware hack. But for now, it isn’t even really considered an infrastructural catastrophe. It’s just a “massive inconvenience,” part and parcel of living with those bonkers things called computers. After all, what else are you going to do?