Fidget spinners. Tamagotchis. Peppa Pig. Twerking. Every year has its trends and – in the US at least – 2019 is fast becoming the year of the local government cyber attack.

The problem has become so widespread that on Thursday the US Conference of Mayors made a pact not to pay up if their city is hit by ransomware. The agreement was signed by 300 mayors from across the US, and while it isn’t legally binding, it’s a step in the right direction. Municipal attacks are easy pickings right now and last month’s high-profile attacks in Florida saw $1.1m in ransom money paid from Riviera Beach and Lake City alone – not bad for a day’s work.

Of course you shouldn’t pay the ransom

It’s a good old-fashioned shakedown and paying the ransom only increases the potential for future attacks. There’s also no assurance that a back door hasn’t been left on the system, letting the extortionists come back for more at a later date.

You can see why it’s tempting, especially when you look at the cost of recovery from a cyber attack. When the city of Atlanta was hit in March 2018, it didn’t pay the $51k ransom – and it cost them, with a cleanup cost of around $17m. As one of the most high-profile cyber attacks on a city, it doesn’t paint a promising picture for organisations finding themselves facing the same choice.

What’s interesting about these city attacks is that they are a corporate problem moved to the public sphere. If a private organisation chooses to pay the ransom, that’s one thing, but if a government organisation pays up, at least some of the money is coming out of the taxpayers’ pocket (with the remainder hitting insurers).

Tax money should be going to fund schools, hospitals and social projects, not lining the pockets of cyber criminals. But if paying the ransom would cost the taxpayer significantly less in the long run, does that make it right? Defending the decision, Stephen Witt, mayor of Lake City, said, “With your heart, you really don’t want to pay these guys… But, dollars and cents, representing the citizens, that was the right thing to do.”

Getting an insurance company to pay the ransom doesn’t make it OK. Not only will it raise premiums, but it continues to make crime pay. And on a practical note, an insurance payout is not guaranteed – as some insurers reminded the world when they declined to pay out over NotPetya, on the grounds that it was an act of war.

It’s the principle of the thing

But sometimes principles are a luxury and practicality wins out. When faced with a potential $17m cleanup cost, many mayors may make the same decision as Lake City and Riviera Beach – regardless of what pacts they’ve signed. And you can’t blame them for it. When the next municipal attack hits – and sadly it is a when, not if – it will be interesting to see what happens.