[Image via csoonline]

electionineWeekly’s Mindy Moretti has an amazing (and scary!) story about a recent ransomware attack that has paralyzed the City of Baltimore, Maryland – taking down city agencies including the elections office. Here’s the story:

Baltimore City’s new mayor had been on the job for just four days when he had to announce that the city’s computer system had fallen victim to a ransomware attack.

The person(s) behind the attack, which has been dubbed the RobinHood ransomware attack wanted $75,000 in Bitcoin to release the city’s computer system.

Mayor Jack Young has said the city will not pay and so while the city’s systems staff is trying to solve the problem, city agencies, including the Board of Elections have been left scrambling.

Abigail Goldman, deputy director of the board of elections said on the morning of May 7 staff at the board knew something was up because emails weren’t functioning properly, but they soon discovered it was much bigger than that.

“We found out about it with everybody else when the announcement was made by the mayor,” Goldman said.

After consulting with the city’s IT department, which took the elections office completely offline — no Internet, no word processing, no nothing — Goldman said call number two was to the State Board of Elections.

According to Nikki Charlson, deputy director of the Maryland State Board of Elections, the SBOE immediately disconnected the local election office from state networks and asked all network administrators to analyze system logs and network traffic looking for unusual activity. To-date, they have seen no unusual activity.

“We were basically dead in the water at that point,” Goldman said. “When people came in we were able to use paper forms.”

Goldman said that the SBOE and other boards in the state have been very helpful with helping the BCBOE get back on its feet.

Six staff from the BOE will be working remotely for the next few weeks. Three will be stationed in theBaltimore County Board of Elections and three will be stationed at the Harford County Board of Elections.

Sarah Mohan with the Harford County BOE said the staff are excited to have Baltimore City employees in their office and she hoped that getting back into their routine will bring their spirits up!

“We here at Harford County are always willing to lend a hand to other counties around the state,” said Cynthia Remmey, director of the Harford County BOE. “We are in this together.”

The SBOE is also helping how they can.

“Because we have a statewide, top-down voter registration system, we started processing electronic voter registration applications from Baltimore City voters,” Charlson said. “We also will accept filings from individuals who wish to file for next year’s Baltimore City mayoral and city council offices. Immediately, after the incident, we kept them updated on the steps we took to disconnect them from State networks and the results of our analysis of system logs and network activity.”

Goldman estimates that once those staff are in place in place and able to complete the necessary tasks like data entry, the city will be at about 80 percent of where they would normally be.

“Thank goodness it’s not an election year,” Goldman said.

Ransomware
So what exactly is ransomware and how can elections offices protect themselves from it?

“Ransomware is unfortunately one of the more challenging cybersecurity threats that election offices might face,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.

Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.

Hall said that in general there are two things that election officials can do to best prepare for this kind of event:

  1. Make sure all software is updated in a timely fashion; and
  2. Make sure you are backing up critical systems so that you can recover.

“Updating software may sound easy, but if an elections office has dependencies such as relying on the wider city or county infrastructure, this may be out of the election office’s hands and they may not be able to demand that the software they are using is updated as soon as new updates are available,” Hall said.

He noted that some of this can be mitigated by using what is called cloud computing or software-as-a-service, where some of the key office productivity tools an office would normally use locally (Word, Excel, email, etc.) are not hosted and maintained by the election official (or their city or county) but by a company that focuses on maintaining that software and protecting millions of other small-business-like entities.

Backing systems up has complications too, Hall said. So many people back systems up but rarely do they “practice” trying to use those backups suddenly to restore normal operations.

“This is why it is important to simulate a ransomware attack: have everyone realistically pretend that the office has been hit by a ransomware infection and, working with a few spare machines, they restore recent backups to those machines and demonstrate that they were able to recover and conduct normal elections business,” Hall recommended.

Moving forward, Goldman said the city estimates it will be at least three weeks before everything can be rebuilt and the departments are back up to speed.

As for how to prevent something like this from happening again in the future, Hall said that’s difficult. While the city could consider isolating the elections department systems like they did when Potter County, Texas was recently hit by a virus, but Hall said it’s not that simple.

“Isolating systems on different machines, different networks, or otherwise can mean that the program that want’s to ‘jump’ to another machine won’t be able to do that so easily. However, often there is some basic need for systems to be able to communicate (e.g., an elections staffer needs to update the elections webpage) and that can be increasingly painful in terms of heightened isolation of these systems,” Hall said. “After all, the most isolation in an typical elections office should be that of the Election Management System which should be ‘air-gapped’ meaning it is so isolated that there is no wired or wireless connection between those systems and other local or public networks, like the internet.”

Hall noted that there is no “silver bullet” solution, but Goldman has found a silver lining.

“Everybody is doing the best that they can,” Goldman said. “People [voters and candidates] are being very understanding of this.”

Ransomware is just one of the new types of cyberthreats facing state and local governments. Hopefully the experiences of Baltimore and other communities affected by ransomware will remind everyone to practice good cyberhygeine and be on the lookout for suspicious attempts to gain control of their networks. Thanks to Mindy for jumping on this story and sharing it with the field – let’s all be careful out there! Have a great weekend and stay tuned …