Citing security concerns and open case exclusions in state law, the county refused to comply with a Times request for documents related to the ransomware incident. After the Times attorney’s involvement, including correspondence and verbal negotiations, county officials accepted an interview about the incident but declined to release actual copies of the documents.
In this on-site interview this week, county officials provided the most detailed information to date about the attack. Yet they did not say:
How the cyber attack happened and where the breach in the network occurred. Deputy county administrator Zach Propes, who now serves as interim director of financial services, said they “will never know with 100% certainty” what happened.
What the attackers demanded.
What cybersecurity companies were hired in the year following the attack.
Propes and Hall County spokeswoman Katie Crumley and county attorney Van Stephens attended the interview with The Times.
Propes said they wanted to be transparent but also managed “our ability to minimize this from happening again.”
âBased on the secure information posted, it helps people in this area (to) potentially hack us again,â he said.
A “crippling” attack
The director of management information systems, James Thomas, who is now retired, advised to disconnect from the Internet soon after the attack. Propes and Deputy County Administrator Marty Nix were among the first to know.
âIn a matter of minutes we were back to 1980, and I think you really realize how much you dependâ¦ on technology to interact,â Propes said.
“He (Thomas) called Marty that morning when he kind of started to come to terms with what was going on, and he said, ‘I never wanted to make that phone call, and I have to make that phone call. . We’re going to have to take the network down, âCrumley said of Thomas.
As an added wrinkle, County Administrator Jock Connell was on vacation in the West.
The deputy county administrators went their separate ways, with Nix keeping in touch with the chairman of the council of commissioners, Richard Higgins, as he made his way to the emergency operations center. Propes went to the Hall County Government Center and briefed the department heads.
After learning that the public security departments could still function, the real problem became the other government departments – finance, human resources, planning and development, etc. – which depend on software to function.
At the end of the morning, the American secret services and internal security were contacted.
âIt was decided that we would not pay a ransom, that we would recover from our backups,â Propes said.
This meant that a county of about 1,700 employees would have to have its approximately 2,000 devices cleaned by MIS employees before being redeployed.
The emergency operations center, which is often the command center in the event of a natural disaster such as a tornado or hurricane, was now used for a man-made disaster.
Propes said the operations center became a âcomputer factoryâ with employees working 24/7 shifts at the start. Some employees are said to be living there, using the operations center dormitories and washrooms.
âOne thing I took away from the event is how much our employees care about providing service to the community,â said Propes.
With a possible threat to public safety under control, county officials have focused on public services such as the Office of the Tax Commissioner, which reopened on October 12, 2020.
The office only had the basic software: the Microsoft Office suite and a few other things, but no email.
County employees faced additional challenges as they tried to recover from the cyberattack.
Hurricane Zeta washed away roads during the last week of October 2020.
âWe didn’t have our emergency management software available to help manage this event,â Propes said.
The emergency operations center was always filled with people working long hours cleaning computers, so county officials gathered in a conference room “handling the weather event on pen and paper and using radios and cellphones, âPropes said.
In short, Crumley called the cyberattack experience “crippling.”
Work to rebuild
On December 15, 2020, the county said “all major IT services have been brought back online and are up and running.”
Since the attack, Propes said it has invested in training employees on these issues and in additional infrastructure to prevent repeat cyber attacks.
Several antivirus software scans the network and a security company provides 24/7 monitoring, Propes said.
âHonestly, at the end of the day, I know for a fact that we are better and more educated in cybersecurity than ever before,â Propes said.
The county provided a limited breakdown of the $ 1.7 million in costs resulting from the cyberattack:
$ 1,134,197 for “infrastructures”
$ 478,128 for “recovery”
$ 85,222 for “security oversight”
$ 30,590 for overtime
Propes and county officials declined to provide further information on the companies that were paid as well as the additional investments in infrastructure.
Months have been spent retrieving documents to reconstruct files in the legal and financial services.
At the Hall County Courthouse, documents filed between June 2019 and October 2020 were temporarily unavailable in the Global Justice Information System following the attack.
Court workers worked to re-scan the documents, court administrator Jason Stephenson previously told The Times.
To Propes’ knowledge, all documents have been recovered.
âAll the files were there, but the way we searched for the files and indexed the files was what was compromised in this situation,â Propes said.
Yet no one was held responsible for the attack.
Propes said he was unaware of the status of U.S. Secret Service and Homeland Security investigations. To Propes’ knowledge, no one has been charged with the attack.
U.S. Secret Service and Homeland Security have not returned any messages from The Times regarding the status of their investigation.
A legal shield
A bill tabled and passed in the last legislative session made it possible to discuss certain information on cybersecurity plans in executive sessions instead of public meetings.
House Bill 134 provided an exemption for “meetings during discussions or deliberations on cybersecurity plans, procedures and contracts relating to the provision of cybersecurity services.”
The bill also exempted the disclosure of records comprising “any document or protection plan relating to the existence, nature, location or function of cybersecurity devices, programs or systems designed to protect” against such cyber attacks. .
The Hall County Council of Commissioners sent a letter on December 2, 2020 to Hall’s legislative delegation regarding some issues the council “would like the Georgia General Assembly to address in the 2021 session.”
Below the broadband rollout, electoral issues, annexation and regulation of short-term rentals, the commissioners wrote this regarding cybersecurity:
âAs you may know, the Hall County government suffered a cyberattack in October 2020, significantly crippling operations across the county. Legislation allowing local councils of commissioners to discuss cybersecurity issues in an executive session rather than a public meeting could potentially shield other governments from what our organization has been through.
Representatives Lee Hawkins and Matt Dubnik, R-Gainesville, were the sponsors of the bill.
Hawkins said Hall and other local governments had been affected by cyber attacks before the legislation.
âThey (Hall County officials) brought this to our attention right after we were targeted and said, ‘Hey, this is something the legislature might want to look at,'” Dubnik said.
Dubnik said there were a number of House officials who were former city council members or county commissioners, who supported the measure.