Tillamook County commissioners voted Monday, Jan. 27, to negotiate for an encryption key to regain control of the government’s computer systems after a cyberattack struck.
Information Technology Director Damian Laviolette told the board of commissioners in a late Monday meeting that a significant amount of investigation was done into the cyberattack with help from forensic computer firm Arete Incident Response. Laviolette said the integrity of many, but not all, aspects of the county systems has been restored or protected.
“At this time, we are looking to Arete to potentially begin the process of negotiation for an encryption key for the remainder of the systems we have been unable to protect or retain the integrity of,” Laviolette said.
The board of commissioners voted unanimously, but with apparent reluctance, to authorize negotiations by Arete for an encryption key, the cost of which the county will later reimburse. A potential ransom cost has not yet been made public.
“We have to keep moving forward,” County Commissioner David Yamamoto said.
“This is an extremely difficult process and I’m grateful for everyone’s patience, and we’re ready to take the next step,” County Commissioner Mary Faith Bell said.
Officials have not yet commented regarding possible cyberattack suspects or discussed details regarding any demands for payment to relinquish control of the computer systems.
“The lesson that many governments seem to have drawn from these attacks is not that they need better network and data protections in place as well as more effective incident response plans, but rather that what they most need is more insurance coverage to help pay the ransoms demanded of them – a phenomenon that only contributes to more ransomware and better-funded criminals,” said Josephine Wolff, Assistant Professor of Cybersecurity Policy at The Fletcher School, Tufts University.
After meeting in a closed-door session Wednesday, Jan. 22, county officials confirmed a cyberattack took place. The county’s server and internal computer systems were down, and phone systems and email networks were affected. The Tillamook County website, which hosts numerous departments, was also down. County computer network connections were disabled to contain the spread of malware.
Bell said Wednesday the attack was apparently ransomware in nature, though no demands had been issued yet. The attack was first suspected to be a storage system technical issue, but it was quickly realized that something sinister was in play. Bell said it was not clear if the malware was still spreading internally, but everything with connectivity was shut down.
“We hope that we contained it, and that it’s not spreading outside our system, but it’s possible that it’s still moving around inside our system,” Bell said.
Bell added that cyberattacks are essentially an industry now, a growing concern for governments and companies as well as private citizens. She emphasized that there was no indication that any data was compromised in the attack.
This past year, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges and school districts in the U.S. were hit by ransomware attacks, according to Brett Callow, a threat analyst at Emsisoft, a cybersecurity software company.
Tillamook County had been ramping up cybersecurity since it hired Laviolette this past year. Bell said Laviolette has been invested in bringing his banking cybersecurity savvy to Tillamook. She noted that with the push to go digital for everything, she still sees value in traditional paper documents and methods, in particular physical voting ballots.
“It’s a mixed bag … if there was a loss of data, you would certainly wish for hard copies,” Bell said. “I think the lesson is to backup absolutely everything because I think this kind of thing will become more common. There are places in the world where people are just doing this for a living.”
Bell said county officials were discussing whether to pay a ransom when and if a demand was received. She said all options were on the table, but none of them were good. Bell said it would be a case of choosing from the “best of bad options.” She also acknowledged that paying a ransom was no guarantee of a return to normalcy.
Tillamook County Sheriff's Office experienced effects to its phone system and email, though Interim Sheriff Jim Horton said jail operations and the ability for deputies to respond were not hampered by the cyberattack. Tillamook County Emergency Communications District's dispatch and 911 services appeared unaffected, though Administrator Doug Kettner said his agency was investigating to further assure the cyberattack had no impact.
County commissioners scheduled another immediate closed session for late Wednesday to discuss what was called a "data security incident." An emergency open session on the matter was held Thursday morning.
A county-issued statement regarding a cyberattack said computer difficulties with several systems had arisen Wednesday. Information Technology staff immediately launched an investigation and determined there was a malware attack.
County officials said in the statement they would coordinate with law enforcement as well as retain an independent computer forensics provider and legal experts to assist in the investigation. The investigation was in its early stages. The FBI was also contacted.
County officials have apologized for the inconvenience to the public. The statement said there was no indication yet that the personal information of employees or residents has been accessed or misused. The projected cost to regain control of the system was not yet known.
“Tillamook takes the security of the information entrusted to us very seriously. We are taking steps to prevent a similar event from occurring in the future, including strengthening security measures,” the county statement said. “Although we are not at liberty to share many details about this matter at this time, we will provide a further update once the investigation is complete.”
In Thursday morning’s emergency meeting, Laviolette said system outages would continue in the coming days, and additional systems could fail as well, noting that some services that were working early in the attack had later gone down. He later added that it was not confirmed how the malware had entered the system.
An additional emergency meeting of the board of commissioners was slated for 8 a.m. Friday, Jan. 24, at the county courthouse. A closed-door meeting was set for 4 p.m. that day.
In the Friday morning meeting, Laviolette said there was not much additional technical information to share, primarily because contracted professionals had not yet arrived to assist. Arete Incident Response was due at the courthouse later that morning. He was hopeful more details would be available by the end of the day.
“Help is on the way. They’re professionals; they do this for a living,” Laviolette said. “This is not their first rodeo.”
Laviolette said in the days leading up to the Friday morning meeting he received good offers of help from a plethora of individuals and agencies as well as other county governments. He said while nothing had necessarily been turned down, county officials were following the best practices in waiting for the specialists to arrive before deciding whose assistance might be needed.
“As of today, we do not know what type of cyber event we are truly dealing with,” Laviolette said. “We do not know the specifics … that will come with the professionals’ work.”
County commissioners thanked Laviolette for his diligent efforts to upgrade an old information security system and for his leadership in the wake of the cyberattack. Baertlein said he hoped the incident would be used as a lesson to drive technological improvements.
With county government in crisis mode and reports of misinformation in the community, Tillamook County Emergency Manager Gordon McCraw was named incident commander and public information officer in charge of all communications. McCraw said an incident command team was formed to handle the situation.
To overcome communications issues, McCraw recommended using the emergency alert service Nixle. You can subscribe to the service by texting your zip code to 888777 or by going to Nixle.com and registering. On the website, you can select what type of alerts you receive. Tillamook People’s Utility District also sends alerts through Nixle.
Tillamook County Emergency Management established temporary contact methods due to computer difficulties. Emergency Management can be reached by phone at 281-254-0970 or by email at email@example.com.
The courthouse and other external departments remained open for business. However, the ability to do business electronically was compromised. Tillamook County Circuit Court, being part of the state judicial department, was reportedly unaffected by the county problem. The Justice Court also continued to function.
Tillamook County Health Department and Department of Community Development directed patients and customers who could not get through by phone to use alternative phone numbers, which are provided below.
Tillamook County Health Department was open, although there was no access to electronic medical records. The county statement assured that personal health information was protected. If patients cannot get through on regular phone numbers, please call:
● 503-812-3916 for medical and behavioral health clinic scheduling
● 503-812-3774 for dental clinic scheduling and services
● 503-354-4257 for WIC, public health and environmental health
Department of Community Development is open Mon. to Fri. from 8 a.m. to 4 p.m. Please visit the office for planning and other department services. Please call:
● 503-812-8543 for building, plumbing, mechanical and electrical inspections
● 503-812-2431 for sanitation