Guest editorial: Pay now for security, or pay later
For a month, public services in Baltimore, Md., have been degraded by a powerful cyber attack on the city's computer network. Utilities payment systems have been crippled. Phones and email systems have been compromised. Home sales in the city have been delayed.
Welcome to this new world of cyber terrorism, where hackers can attack the systems of cities and hold them hostage in return for ransom.
Baltimore isn't the first public victim. According to the research firm Recorded Future — and reported by The Washington Post — there have been more than 170 such attacks on public government entities since 2013.
Nor will Baltimore be the last, since experts say public services especially are vulnerable because some public entities may be hesitant to burden taxpayers for the costs associated with protecting their systems.
The Post also has reported that Baltimore's city computers had not applied freely available software patches and therefore were operating without effective backups.
In Baltimore, the ransom is $100,000. But not paying comes with a much larger cost; estimates of damages in Baltimore range upward of $18 million.
Imagine arriving one day in a public office, only to find that all the records have been moved to a secret warehouse, a National Public Radio reporter suggested. Imagine finding only a note, explaining that the records have been hijacked. Essentially, that's what's happening.
What if it cripples police services? What if it happens at a hospital, and jeopardizes emergency care there?
Baltimore has refused to pay the ransom, which is good. Paying now only encourages future troubles and — as the Post has reported — could help fund dangerous criminal and terror networks.
However, all public entities must remember that they could be the next target, and that a few dollars spent now might save millions later.
Earlier this year, North Dakota Gov. Doug Burgum signed into law a plan to unify and improve the state's cybersecurity efforts. Burgum said the new approach "strengthens our ability to protect the state network's 252,000 daily users and more than 400 entities from cyberattacks."
Burgum gets it. We're glad efforts are being made at the state level, no matter the price tag.
Further, residents of communities must hold their public officials — mayors, councils, board members and so forth — responsible for ensuring that vital data infrastructure is safe and sound.
The combined solution has two parts, both starting with "d" — dollars and diligence.
Public budgets must include lines for cybersecurity, whether it's software, actual employees or hired services to monitor it. Insurance is an option, too, but is comes with a cost.
Diligence is important, as well. In Baltimore's case, the city saw four systems managers either fired or resign in a period of five years. Perhaps that turnover left open a window through which the hackers gained access.
Without proper management now, public entities are at risk, and cost is only part of the resulting problem. Most unnerving is the inconvenience and danger of a disabled system.