One of the Biggest and Most Boring Cyberattacks Against an American City Yet

binarydesign/Shutterstock.com

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
By Ian Bogost,
The Atlantic

By Ian Bogost ,
The Atlantic

|

A recent ransomware attack on Atlanta’s computer systems is disruptive, but so ordinary.

Want to hear a boring story?

I can’t submit an expense report for a recent out-of-town work trip. I’ve got all the receipts, except one from long-term parking at the Atlanta airport. A sensor lets me in and out of the parking lot there, and my account gets charged automatically. Later, I can download a receipt from a website, which I submit to accounting at my university, which creates an expense report, which eventually processes a reimbursement.

But the website has been inaccessible all week. I’m assuming it’s a consequence of the recent ransomware attack on the City of Atlanta’s computer systems. In what The New York Times has called “one of the most sustained and consequential cyberattacks ever mounted against a major American city,” a group of hackers has been holding the systems hostage for a ransom of about $51,000 (payable in Bitcoin) since late last week. To stop the spread of the attack, the city has shut down some of its online services, including some that provide consumer services. The airport’s Wi-Fi system has been disabled—and, apparently, the parking system I use there, too.

I emailed the manager of the airport-parking service, but chances are she won’t be able to respond; Atlanta has directed many workers to turn off or unplug their computers, another precaution that they hope will help control the damage. Until the city decides to pay the ransom or extract the virus, many city officials are processing paperwork by hand.

In a statement, Atlanta’s mayor, Keisha Lance Bottoms, assured citizens that utility and safety systems, like police and water, are unaffected. She also noted, “This is a massive inconvenience to the city.”

Tell me about it. This is the new, humdrum reality of information-security breaches. When they don’t leak reams of personal information for theft and resale on the black market, they make ordinary life annoying in small but important ways.

Here’s more boring corporate bureaucracy for you: My university uses software made by Oracle and PeopleSoft for accounting and expense management. The system assumes one expense report per trip, which means that now I have to wait until the parking-system website comes back online so I can extract a receipt (for $100 or less) and submit it. Until then, I can’t get reimbursed for the rest of my trip, which totals far more than $100, unless I want to absorb the parking expense in the interest of expediency.

I’ll be fine, but not everyone can wait days or weeks for their reimbursement. In fact, other Atlanta citizens might fare worse. The city courts, unable to process tickets or warrants automatically, have been forced to do so by hand. Surely someone will make an honest mistake, and a ticket could be advanced to warranting after registering unpaid, or a warrant could wind up assigned to the wrong person.

The City of Atlanta assures its residents that anyone who can’t pay a utility bill won’t be penalized if they cannot access an online system to do so. But those exceptions would also have to be entered into a computer. Someone’s account could be incorrectly marked in arrears, and their water service shut down. Perhaps turning it back on again will require visiting the City of Atlanta Department of Watershed Management in person with payment by cashier’s check or money order. I can’t tell you what they’d have to do, because as I write this, the Atlanta Watershed’s billing website is down. Taking time off from work to correct inadvertent consequences of the computer outage could easily cost someone a shift, or even a job.

These are the kinds of cascading failures that take place when internet-connected systems get taken down, whether by surprise on the part of hackers or intentionally by municipalities or corporations impacted by them. Nobody meansfor these things to happen. Not the City of Atlanta. Not even the hackers who initiated the ransomware attack. But they are the consequence of building and operating computer infrastructure interconnected via the internet.

When a breach at the credit agency Equifax exposed almost 150 million Americans’ most personal information last year, I remarked on how banal the matter seemed. Equifax didn’t even appear to be trying to treat the situation with the gravity that it deserved, and the public seemed resigned to the matter. “Breaches have settled into a kind of modern malaise, akin to traffic or errands,” I wrote. “They are so frequent and so massive that the whole process has become a routine.”

That routine is only accelerating. Last week, when news broke that tens of millions of Facebook users’ personal data had been extracted by a personality-quiz app and sold to the political consultancy Cambridge Analytica, public reaction was strong mostly because that data appears to have been used in U.S. election targeting. The fact that the data was vacuumed out of the social network has also raised hackles, even if people don’t fully realize that Facebook was designed to allow that very extraction.

All of these incidents arise from a slow, steady drip of small changes to the way people store, access, and manage information and services. Contemporary civilization has rebuilt itself atop a lattice of fragile computer systems, all interconnected. The chaos that ensues when these systems fail or get breached is so constant, it feels expected. Almost natural.

But it didn’t use to feel that way. Sure, computer systems have gone down temporarily for their whole existence, whether from system failures, human error, or even malicious interventions. Many years ago, after the dot-com crash but before Facebook existed, I worked on e-business services for big companies. Once, my team inadvertently erased a major automaker’s American customer database, due to a miscommunication over a change to systems that synchronized consumer website information with a mainframe that managed warranty records. The whole thing got restored from backup and reinstated quickly, but the incident was considered a major failure for everyone involved. Postmortems were conducted, at which ties were worn. All in the name of accessing an automobile owner’s account online, at a time when a lot fewer people did things like that, let alone very often.

That wasn’t so long ago. But since then, the standards for a “critical” system—one that really needs to be operational and accessible almost all the time—have dropped. Not just the technical standards, but the cultural standards. Ransomware attacks like this one are extortion cons—Bottoms accurately called it a “hostage situation.” But that language is an overstatement compared to how routine the situation has become. SamSam, the ransomware group behind the Atlanta attack, has already extorted over $1 million in ransoms this year, according to The New York Times.

Decades of wonky, half-baked, internet-connected systems, popularized and exposed to invite risk, have lowered expectations so much that nobody is even surprised when they don’t work for days at a time. As more urban infrastructure, including smart-city systems, go online, cities and their citizens should be terrified by the Atlanta ransomware hack. But for now, it isn’t even really considered an infrastructural catastrophe. It’s just a “massive inconvenience,” part and parcel of living with those bonkers things called computers. After all, what else are you going to do?

NEXT STORY: Here’s What a Company’s Data Breach Game Plan Looks Like

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.