Does Baltimore’s IT failure constitute a disaster?

As you are reading this, major parts of Baltimore, Maryland’s IT infrastructure are still offline, including its email system which was only just redirected to Microsoft’s Office 365 platform so that some form of email delivery could resume. That makes it over 4 weeks without email for city employees and services. For any normal business this would definitely qualify as disastrous, but is it an actual “disaster” by government standards thereby qualifying for the federal aid such a designation bestows? It’s definitely worth considering that if the IT recovery effort doesn’t start picking up steam soon, failures in critical city infrastructure could create life-threatening situations and further breaches of security and privacy in adjacent sectors that rely on the missing city services.

The Real Disaster: A failure in management and budget

While sources have reported that the ransomware attack was likely caused by a city employee falling for a phishing attack, the real failure was the city government’s utter mismanagement of their IT infrastructure, which at the time of the attack, was powered by systems built decades ago that have been chronically under-supported by a budget of less than half of the national average, and run by a series of CIOs that appeared to be, at best, in way over their heads or at worst, possibly criminal.

Unfortunately, rather than taking a hard look at their management failures, city leaders instead are trying to lay some of the blame at the feet of the federal government, more specifically the NSA who is purportedly the original source of the EternalBlue exploit (leaked in 2017) that was part of the ransomware code used to shut down Baltimore’s IT. Call me cynical, but if it hadn’t been some bit of code powered by NSA-developed exploits, it was only a matter of time before Baltimore’s poorly funded and managed IT systems fell victim to some other form of attack.

In case you aren’t picking up what this story is laying down, here are the lessons any city or business should take away from Baltimore’s “disaster”:

1. Make sure you are maintaining a proper IT budget. Baltimore was spending half of what they should have been spending for a city of their size.
2. Make sure your employees are properly trained on workplace technology security. They don’t need to be security experts, but they should know how to spot a phishing email.
3. Make sure your critical systems are backed up and a proper DR plan is in place. A lot of Baltimore’s headaches would have been cleared up much sooner with proper backups.
4. DIY IT is no longer an option for any serious business. Modern, secure IT services require professionally-maintained and monitored systems for which most businesses lack funding or expertise or both. There are companies that specialize in delivering turnkey IT services at a fraction of the cost of comparable on-premise systems.