For several days the week before the presidential inauguration on Jan. 20, 127 of the 183 networked video recorders used by police in Washington DC were off-line and unavailable to record video evidence. According to an investigation by The Washington Post, the video cameras were disabled by a ransomware attack during this period.
In Washington, each of the networked video recorders is attached to multiple surveillance cameras, so each one of the devices is recording as many as four video sessions.
The recorders exist to provide evidence of crimes and to allow law enforcement to follow events seen by the cameras over time. The recorders are attached to the internet to make it easier for officials to access the cameras from anywhere.
The ransomware infection was discovered on Jan. 12 by the Metropolitan Police Department in DC, which then notified the city’s Office of the Chief Technology Officer. The OCTO initially found four infected digital video recorders, but a sweep of the system turned up the full number.
Fortunately, the networks supporting the surveillance cameras were not integrated with the city’s operational network, so the ransomware was unable to spread beyond the networked video recorders. It’s also fortunate that the city’s video recorders didn’t contain any evidence of crimes vital to police or prosecutors, which made the city’s response to the ransomware infection easier.
Employees of the OCTO were able to simply erase the content of the digital video recorders and reinstall the operating software. This allowed city employees to recover and regain access to their video surveillance recorders in three days, allowing everything to be up and running on Jan. 15, five days before the inauguration.
City officials said that no ransom was paid and that no critical evidence was lost. However, the city’s law enforcement officials have not said whom they suspect of carrying out the ransomware attack. In this case, Washington was lucky, but it was also the beneficiary of good design and planning.
Some cities haven’t been so fortunate. In December 2016, the Dallas suburb of Cockrell, Texas, found that it had suffered a ransomware attack that also took out surveillance video, along with police reports and body camera video.
The town was presented with a bill for four Bitcoins worth just under $4000 to decrypt the police files. The ransomware seriously impacted several criminal cases because defense lawyers were unable to gain access to the videos and police reports they needed to defend their clients.
In this case, the police department was able to retrieve the original versions of the evidence, including the video files, and restore the nearly eight years’ worth of evidence. While some court cases were delayed, so far none of the cases has been dismissed because evidence wasn't available. Police investigators told Dallas television station WFAA that no ransom was paid, and they said that the attack was the result of a forged email.
Several other cities haven’t been so lucky or so prepared. A number of other smaller communities have been attacked and some have had to pay ransoms to get their data back. Worse, in a few cases city officials were unable to find the attackers so that they could pay the ransom. The attacks on smaller communities seem to be part of a growing trend because in many cases these communities lack the technical and the financial resources to defend against such attacks.
Also lacking is any centralized effort to educate smaller municipalities about malware threats including ransomware, as well as to teach them how to secure their networks, how to back up data files and how to design their data systems to make data loss less likely.
Hackers are increasingly targeting networked internet of things devices such as surveillance cameras because they lack adequate security defenses, making it easy to take control of them.
This is an area in which state-level officials can make an important difference. Likewise, it’s an area where the FBI and other agencies including the Department of Homeland Security can be proactive in helping to prevent malware of all types from bringing down the IT systems of smaller government entities.
For example, state attorneys general and state police investigators can provide guidelines to prepare municipalities to deal with the inevitable malware attacks in a manner that is consistent with their state laws and to enable critical parts of local government to keep running despite hackers' efforts to shut them down.
Likewise, the FBI and other federal law enforcement officials frequently end up being called in to help these smaller localities after an attack, when the chances of success are much lower.
It would make sense for such agencies to provide training and guidance for local governments in advance of an attack to make a successful attack less likely and recovery more certain.
In the meantime, it’s important for communities to know that because of their relative weakness, they are apparently becoming a favored target of hackers and malware distributors.
The hackers reason that the municipalities' lack of defenses and the importance of the information they have on hand make it more likely that they’ll pay up rather than confront much worse outcomes ranging from failed criminal prosecutions to the ultimate failure – losing the next election.