Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than $600,000 in damages. Specifically, the OCTA reportedly paid nearly $330,000 in labor costs and $218,000 for emergency contracts for technical assistance with the incident. The attack is said to have cut off access to 88 OCTA servers, which in turn limited access to a number of programs including e-mail, voicemail, intranet, employee assignments and payroll. Rather than pay the requested $8,500 ransom, OCTA worked for days to restore the servers, find the malware and secure the servers against future attacks. OCTA officers stated that services were uninterrupted and that no credit card or other personal information was compromised during the attack. This ransomware attack and the OCTA response provide a great opportunity to analyze the response in the hours, days and months after a ransomware attack.
Hours After Cyber Attack: Pay $8,500 Ransom or $600,000 to Fight the Hackers
In defending the decision to not pay the ransom, the OCTA spokesperson stated, “[t]he FBI opposes paying ransom for cyber attacks, and so does [the Transportation Authority]. If we pay ransom to a criminal, there is no guarantee that our servers would be released, and the agency would likely be a target again because the attackers know they pay up.”
Regardless of whether this decision was correct, it is clear that victims will have to make the tough decision of whether to pay the ransom or fight their attackers in the first few hours after an attack. While there is no information about when OCTA made this decision, the best strategy is to consider the potential for an attack and to have a plan in place before an attack occurs. Here, OCTA adopted a philosophy of not paying the ransom. While there are valid arguments on both sides, there is no question that the best time to make this decision is before a ransomware attack.
Days After Cyber Attack: Violation of California’s Open Meetings Law?
Since the attack, people have started to question whether OCTA complied with California’s Open Meetings Law, which requires governmental entities to make information available to the public. The OCTA’s board members were not notified about the attack until it had been resolved and the public received no information beyond statements that OCTA was experiencing technical problems. Now that the attack has been disclosed, some opponents are questioning the OCTA’s $218,000 payment for security because it “was not on the agenda and it was authorized in an unlawful closed session.” The OCTA spokesperson reasoned that, “[t]he last thing we want to do is make a public announcement…why would you let people know that your systems are compromised? It would invite, potentially, other people to hit you.”
In the days after a cyber attack, the key for any organization will be to determine its obligations under various state and federal laws. One important question will be whether the private information of others was compromised in the attack. In this situation, OCTA stated “…in this crime against OCTA, information wasn’t lost or stolen and service wasn’t disrupted. If that had been the case, those impacted would have been notified…”
Therefore, the ransomware incident at OCTA demonstrates that different types of cyber crimes will give rise to different obligations for the victim. Further, this attack demonstrates the importance of an organization considering, before an incident occurs, all of the local, state and federal regulations that may apply in a given scenario.
Months After Cyber Attack: Providing Notice and Protecting Against Future Attacks
The OCTA ransomware incident was not publicly disclosed until the first week of August, nearly six months after the incident. While OCTA claims it waited to disclose this incident until it was certain that its systems were safe from further attacks, there is growing concern that a number of cyber incidents are not being reported for reasons other than safety. In fact, there may be a number of reasons to not disclose an incident. For example, there is significant evidence that the underreporting of these incidents by government and corporate leaders comes from their worry about the impact an incident could have on their careers. Also, the risk that an entity’s reputation will be tarnished is another reason cyber incidents go unreported.
In the end, it is easy to second-guess some of OCTA's decisions in the time after the ransomware attack; anyone responsible for cyber security should assume their actions will be questioned after a cyber incident. However, the best way to survive this scrutiny is to consider as many cyber security issues as possible before an incident ever happens.