In the early morning of May 3, the City of Dallas, Texas, fell victim to a ransomware attack. The Royal ransomware gang later claimed responsibility for the attack, which severely disrupted the city’s police, fire rescue, water service payment, and development systems, among others. As a result, many departments were forced to resort to manual work and handwritten and radio communications.
A report released on June 9 revealed that over 90% of the work to restore the systems had been completed. However, departments that had reverted to manual work were still in the process of updating their records in the systems. Throughout the attack and the ongoing restoration efforts, the city has provided limited information to the public. Officials stated that they could not share specific details that could impede the investigation or expose vulnerabilities that could be exploited by attackers.
On June 1, Catherine Cuellar, the communications, outreach, and marketing director for Dallas, emailed the mayor and city council with directions to refrain from sharing any details about the attack. They were advised to respond to constituents with three statements: “Thank you for your inquiry,” “Rest assured we are working with third-party experts and law enforcement, and our investigation is ongoing,” and “We will share updates as appropriate.”
When asked for more information on the attack, Cuellar responded by saying that the city remained committed to transparency but could not disclose any further details because the matter was still under investigation.
Some residents of Dallas expressed frustration with the lack of information regarding the ransomware attack. Roger Stierman, a retiree, highlighted the uncertainty surrounding the situation and said, “There’s this black cloud, and we just don’t know what’s going on with the city.”
Cybersecurity experts argue that local governments face a delicate balance when it comes to communicating with taxpayers about ransomware attacks. While citizens have the right to know basic information about the disrupted services, too much disclosure could play into the hands of attackers and potentially reveal sensitive information or increase the government’s liability.
Allan Liska, a threat intelligence analyst, believes that municipalities have a greater obligation to be open compared to private organizations. Ransomware attacks on cities impact not just the entity itself but also everyone who resides or works there. However, many cities choose to remain tight-lipped about such attacks, even going as far as denying Freedom of Information Act (FOIA) requests for information.
Munish Walther-Puri, a senior director of critical infrastructure, suggests that the pressure on municipalities differs from that on businesses. Cities are expected to provide services to their citizens, and when those services are disrupted, some form of communication becomes vital. He recommends regular updates, even if there is no significant update to share, to keep citizens informed of ongoing efforts.
The unwillingness to disclose details about ransomware attacks is often influenced by legal advice, insurance companies, and law enforcement. Lawyers typically handle incident response teams, allowing their reports to be protected by attorney-client privilege. Law enforcement agencies may also limit the information shared to aid ongoing investigations.
Insurance companies play a role in keeping cities quiet about ransomware attacks, as they may prioritize profitability and negotiate ransom demands behind the scenes. Public disclosure laws and a lack of technical understanding among public information officers further contribute to the limited information shared by municipalities.
The fear of providing attackers with information is also a concern. Ransomware gangs actively monitor press reports about their attacks and may use that information to their advantage. Municipalities must carefully consider the amount of information they release to avoid empowering attackers or inviting further malfeasance.
Overall, there is a clear need for effective communication during ransomware attacks on municipalities. Striking a balance between transparency and security is crucial, as citizens have the right to be informed about disrupted services while also protecting sensitive information and minimizing the risk of further attacks. It is essential for cities to develop clear and consistent communication strategies to address these challenges effectively in the future.