Should Baltimore Pay Ransom to the Hackers Holding City Computers Hostage?

The city’s systems have been down since May 7, with no end in sight.


Baltimore's city computers are still down.

They've been down since May 7, when the city learned that the ransomware known as RobbinHood had infected many of its computer systems and encrypted their files. To restore the data, the city was given four days to pay three Bitcoins—about $23,000 at today's prices.

The city did not respond by the deadline. So the ransom increased to 13 Bitcoins—about $100,000—with a new deadline of May 17.

Baltimore again refused to pay. The second deadline also passed. Predictably, computer chaos continued. The city's email, voicemail, and some websites were down. Its online bill payment system was offline and a database of parking fines was inaccessible. Permits could not be issued, text alerts could not be sent, and real estate transactions, including home sales, could not be processed.

The news isn't all bad. Baltimore is also having problems collecting property taxes, giving financially strapped homeowners a few extra weeks of tax relief. The city also couldn't update its controversial "gun offender" registry, which requires anyone convicted of certain firearm-related crimes to register with the police commissioner for three years. (Among the crimes requiring registration: carrying a handgun without a permit, manufacturing unapproved handguns, and possessing "assault pistols." Baltimore has proven more diligent at curbing Second Amendment rights than at securing its Windows PCs.)

Should the city pay the ransom? Mayor Jack Young, a Democrat, was firmly against the idea at first. "That's just like us rewarding bank robbers for robbing banks," he told the press. "No, we're not going to pay a ransom."

But now the mayor is signaling some flexibility. Asked again this week about whether Baltimore would pay the ransom, Young told the interviewer: "To move the city forward I might think about it."

If Baltimore were a private company, with its annual budget of around $3.5 billion, it likely would have paid the modest ransom of three Bitcoins to recover its computers (and then secured its systems to prevent a repeat). "Many consumers opt to pay rather than lose their precious photo and video memories, financial records, and other files they value," an F-Secure report says. A ProPublica article last week revealed that outside consultants hired by victims often just pay the ransom (sometimes negotiating discounts or extensions for their clients).

Even the FBI has endorsed this approach. "To be honest, we often advise people just to pay the ransom," the assistant special agent in charge of the FBI's cyber program said at a Boston security conference, according to The Security Ledger. The bureau endorses the payoffs, the agent said, because "the ransomware is that good."

But when the computer systems held hostage belong to the government, a different set of standards seems to be applied.

A Slate article this week argues that it's "ethically" a "bad idea" for Baltimore to pay the ransom. "Public entities, like city governments and police departments, have a particular responsibility to protect the public good by doing the slow, hard, expensive work of restoring and securing their systems rather than taking the easy way out—which will, in the end, only make everything harder," the author says. A Baltimore Sun editorial echoes this view, saying the city "shouldn't pay the ransom to end the City Hall hack."

This argument suggests that public officials must act more "ethically" than the private sector—that is, they should set a virtuous example for the rest of us to follow.

If we're given a choice between a government that's virtuous and one that's not, most of us would reasonably choose the former. But in Baltimore, that ship may have sailed long ago. This is the city where a squad of police officers took, in the words of The New York Times, "every opportunity to rob those they were supposed to be policing or protecting, and barely bothering to cover up their deeds." One supervisor instructed officers to carry a toy gun in case they found themselves "in a jam" and needed to plant one. Baltimore's previous mayor, Catherine Pugh, quit earlier this month amidst a bizarre scandal involving $700,000 in payments from city-linked businesses for her self-published children's books; Maryland's governor has asked for a criminal investigation.

Whatever Baltimore decides, it's not alone. Cloud security company Armor reports that so far this year, there have been 22 known ransomware attacks against state and local governments. The affected municipalities include Amarillo, Texas; Augusta, Maine; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Atlanta, Georgia; and the Cleveland Airport. A recent ransomware analysis conducted by Recorded Future, a real-time threat intelligence firm, suggests that 45 percent of all public and private organizations targeted by such attacks pay the ransom, but only 17 percent of state and local governments do.

Baltimore could have been better prepared: Its 911 dispatch system was taken offline in March 2018 in what turned out to be a ransomware attack. But even after that experience, Baltimore neglected to purchase an insurance policy to cover cybersecurity incidents. A Sophos Naked Security report says that the city council was told "last year at a budget hearing that the city needed one, but it didn't happen." Instead, Young—then the council president, now the mayor—called for a feasibility study for a municipal-run broadband network. (Given Baltimore's evident technical expertise, this could only end well.)

For now, at least, Baltimore is experimenting with manual workarounds for transactions typically done electronically. The city has declined to say how long it will take for services to return to normal, though most guesses say it will be at least a few more weeks. The mayor's most recent press release offers no details, instead saying laconically: "I am not able to provide you with an exact timeline on when all systems will be restored."