Cyberattack a $2M 'wake-up call' to Ingham County

LANSING - A computer network attack that affected about 1,600 Ingham County workstations cost over $86,000 to stop and could cost nearly $2 million more to strengthen the county's cybersecurity. 

Deb Fett, the county's chief information officer, wrote this week in a memo that the county needs "a true response plan" to anticipate "various scenarios" that could compromise its network and data. She also recommended nearly $2 million in improvements to better protect the county.

More:Safer? BWL loses 13 IT employees after cyberattack

Clerk's offices remain closed after malware attack

In Michigan, a digital government with digital problems

Fett also said in the memo sent to County Controller/Administrator Tim Dolehanty the county "must control what information is allowed out into the public during a crisis." She added the county's transparency about the disruption could have caused it to have lose the data "we continuously work so hard to protect." 

"We were admonished by the MSP (Michigan State Police) and the FBI for allowing the true nature of our event to be put in the news," Fett said. "This is a huge danger and exposed us to increased risk of data loss." 

Dolehanty provided Fett's memo, dated May 15, to the Lansing State Journal on Friday. It says attack cost $86,495. Of that, $41,044 covered 1,460 "regular hours" of "internal labor" and $25,451 covered 559 hours of employee overtime.

The memo also states $17,000 covered help from Dewpoint, a Lansing-based external consultant, and $3,000 paid for help from "governmental partners." 

Those costs weren't high enough for the county to file an insurance claim, Dolehanty said. The county annually budgets a liability fund that is expected to cover the overtime, Dewpoint and governmental partners' expenses. 

"This one is behind us," Dolehanty said Friday of the network attack. "I'm pretty confident saying that. But looking forward, we have to look at what's out there and what we're afraid off." 

Officials confirm the attack was caused by malware, considered malicious software designed to damage or manipulate a computer network. It was detected April 28 by IT officials who determined the malware had tried to obtain banking information. 

On May 4, Dolehanty told the LSJ that no county data was compromised or lost and that scanning workstations in 33 county departments during the first week of May was a precautionary measure to make sure all were virus-free. 

Investigators haven't told county officials the source of the attack, Dolehanty said. 

"They haven't identified it to us, and I'm not sure they necessarily would," Dolehanty said Friday.  

Fett's memo said the "outbreak" started with a single infected computer and spread rapidly to "many others" before it was contained. 

In Fett's memo she said the county's Board of Commissioners will receive a revised security policy for approval in the next 30 days. The county, according to the memo, has $145,000 worth of network security applications and updates budgeted for this year. 

Fett's memo also suggests nine unbudgeted items the county should pursue through 2020 for improved cybersecurity. Those include $1,800 for "additional Security Mentor licenses,"  $1.25 million for implementing a redesign of the county's computer network and $125,000 to add a new security analyst position to the IT staff.

Fett stressed the county's culture needs to shift because security, according to her, must be a consideration for everyone who uses its technological resources. 

"In spite of our best intentions, it has become obvious that it sometimes took a backseat to political or business interests," Fett said. "We have just experienced a very, very minor taste of what that can cost us.

"Consider this to be our wake-up call that the bad actors in the world will not give us a pass." 

About a year ago, the Lansing Board of Water & Light was infected by malware and had to pay a $25,000 ransom to restore its network. No charges were filed in that attack. Its total costs were more than $2 million.

Contact Eric Lacy at 517-377-1206 or elacy@lsj.com. Follow him on Twitter @EricLacy.