Paying a ransom to regain access to a city’s data and systems has become increasingly common over the last few months. However, one study shows that most taxpayers are not happy when their elected officials give in to an attacker’s demand.
Sixty percent of taxpayers said they are against giving in to the ransom demanded by malicious actors, according to a survey – conducted by Morning Consult and sponsored by IBM Security – of 2,200 U.S. citizens spanning various city sizes, ages, incomes and political views. The same number stated they would rather see their tax dollars go toward paying for a recovery effort – even if it is more expensive – than putting their hard-earned dollars into a criminal’s pocket.
While paying ransoms has not become the norm, many governmental organizations have opted to do so this year, with many citing the fact that their cyber insurance policies would cover the majority of the cost. Lake City and Riviera Beach, Fla.; the Rockville Center, N.Y. School District; LaPorte County, Ind.; and Jackson County, Ga. all opted to pay, citing insurance coverage and the high cost of rebuilding their systems as the primary reasons.
Baltimore and Atlanta chose not to pay their attackers, a decision that forced them to spend millions of dollars and rebuild over months.
Most recently, New Bedford, Mass. Mayor Jon Mitchell explained why his city declined to pay the $5.6 million ransom after it was hit with Ryuk in early July. The attack took 158 of the city’s computers offline, or about 4 percent of its system, but no key systems were involved.
“Several key areas experienced little or no loss of data; other areas experienced significant encryption. The investigation determined that emergency dispatch (911) was completely unaffected, and all fire department, police department and EMS units could communicate and deploy as usual,” Mitchell said.
ZDNet reported that New Bedford had made a $400,000 counteroffer to its attackers, but was rebuffed.
Interestingly, the IBM survey found a large number of surveyed taxpayers do not consider 911 and other emergency services critical enough to warrant paying a ransom.
“While citizens are most likely to support payment of ransoms for services they see as critical, the services they do not consider critical are surprising. More than 30 percent of taxpayers surveyed wouldn't support payment of any amount to assist 911 emergency services, police departments and school systems if they were targeted by a cyberattack,” IBM wrote.
Even those who are willing to let cities pay to restore key services are in many cases only in favor of it if the cost runs below $50,000. For instance, only 38 percent of respondents said they are prepared to pay more than $50,000 to regain 911 emergency services. Thirty-nine percent of respondents specifically noted they wouldn't pay anything to assist K-12 public schools, and 37 percent said they would not want cities to pay anything to help police departments get back on their feet.
The survey also found that people believe the federal government needs to play a larger role in protecting cities. Just over half responded that it is state and local officials who are responsible for arranging cybersecurity for their respective municipalities, but many more were willing to accept money from Washington, D.C.
Ninety percent are in favor of increased federal funding to protect cities, and about three-quarters believe the federal government should be reimbursing those cities that continue to be crippled by the aftermath of their attacks.