We're gonna get started in about a minute, right at four o'clock. Some people coming in in the back. Hey, is everybody ready?

Good afternoon, everybody, and thank you so much for being here. My name is Beverly Thompson. I am the director of public affairs for the City of Durham. I want to thank you again for joining us to talk about both the city and the county status following a cyber malware attack. I need to emphasize first that we believe that these attacks were two separate attacks for two separate organizations, okay, both the city and the county. City Manager Tom Bonfield will come to you first, along with the city's chief information officer, who is Kerry Good, and they're going to talk to you about how the city is responding and how this occurred. Afterward, county officials will speak to the county status, and then following that we will open it up for questions. Okay, Tom.

Thank you, Beverly. Good afternoon, everyone. On Friday evening the City of Durham data networks experienced a serious cyber malware attack which affected our entire network. Thanks to our advanced notification systems, our technology solutions department acted quickly to take networks and phones offline, which greatly minimized the damage to the city's operating systems. The malware has been contained and we are in recovery mode, with city staff and other cyber security professionals working around the clock to get everything back up and running. There is no mistaking.
This was a serious incident, and the city's advanced threat detection and cyber security software allowed us to respond quickly. A forensic investigation is underway, but due to the nature of the event and the kind of malware that was used, the cyber security professionals have confirmed, and we are highly confident, that no personally identifiable information was compromised as a result of this breach, including city employee and resident data. At this time most city networks and phones remain intentionally offline during the initial stages of the recovery process. With assistance from the fire and police departments, Durham Emergency Communication Center continues to receive 9-1-1 calls and has been dispatching police, fire and EMS responses as needed since the incident occurred. While phones are down, city residents can still access services and make payments via our DurhamNC.gov website, which was not affected by the attack. This includes putting in a request to Durham One Call via our website or phone app and paying water bills through the payment application. Again, these systems were not affected. I am very grateful to our technology solutions department, who made sure that we were prepared, responded quickly, and continue to work tirelessly as we work through the recovery process. I also want to give my thanks to these agencies who are helping with the recovery effort, including the National Guard cyber security team, Duke University IT specialists, and Carolina IT. At this time, I'd like to introduce Kerry Good, the city's CIO, who will provide additional details on the timeline and recovery process.

I'm Kerry Good, the city's CIO and the director of technology solutions. So let me begin by saying we have a cyber security program and we have planned for this day to occur. We have a contingency plan that we had built, and so immediately upon notification from the monitoring system.
We activated our response plan, and that called for bringing together a team of professionals, including MS-ISAC, including Carolina's cyber response team, and including the state IT. We came to bear on this problem. So what we did initially is what Tom Bonfield, the city manager, said, was to contain it. We turned off our core switch so that the spread would be contained, and at that point we started doing forensics to understand what we were dealing with. And based on the MS-ISAC and Huntress, our monitoring team, we clearly identified the virus as the Ryuk virus, and it is one of the premier malware, ransomware type of virus. So immediately on, we met Saturday morning. We had a meeting with our response team, and then we had a meeting with MS-ISAC. We gathered more information, and then we created a plan of action to move forward with the containment and even eradication. We created a plan we called our black, gray and white plan, which was that the network presently is black; we need to turn our network into white. So what we did is take every device within the network, and we went through a process of clearing that device using tools and analysis. And once the device, we think, is clear, we move it to the gray. In gray, we will test it on a separate network to ensure that it doesn't have ransomware, and then we will plug it back into our citywide network, which is going to be the white network. So we have a three-tier program. And also at the same time we asked the question: are there any better tools out there to defend, to see that? We quickly identified a tool that can catch this type of ransomware and eradicate it, and we're putting that on the workstation as an added precaution. So every workstation that goes on the network will have this agent that will identify any further contamination, and it will shut the workstation.
They are reported to us as well. So we have put together some technology teams led by technology solutions. The resources came from Duke IT, National Guard, Carolina IT. We have approximately 20 additional PC specialists that will help us go around and clean approximately 1,000 workstations that were contaminated. We had 80 workstations, 80 servers in our data center contaminated. So we're in the process currently of restoring our core business servers. We use Munis, and when I last left we were 86 percent restored. Of course, that's our biggest server. It's probably approximately 20 to 30 terabytes in size, so it takes a little bit of time to download from our cloud backup system. We expect it to be back online soon. In the next two hours it will be back online. And this is our system that does our core business: HR, payroll, utilities. And then we bring up our work order system and our One Call system, which is not as big, and they should be coming online tomorrow. We think our data center will be fully recovered in two days, and then the remainder of the work will be along the lines of restoring each workstation and giving that connectivity back to the employee. That's our game plan, and of course with every plan we run into contingencies, and if we do, it slows down. But the city can be assured that our backups are very good because they're immutable, which means that ransomware cannot consume our backups. We're using a product called Rubrik; it is one of the leading backup systems you can purchase, and one of the reasons we purchased it was because it was a backup system that could not be consumed by ransomware. And at this time, that's the update that I have for you as far as how we're going to move forward with this, uh, clearing and bringing the city back into production on our computer systems. Thank you.

Thank you, Tom. Good afternoon.
I'm Deborah Craig-Ray, Durham County general manager for strategic planning and innovation. Now it's time to hear from our county manager, Wendell Davis, who will talk about the county's perspective and impact during this attack. Mr. Davis.

Thank you, Deborah, and good afternoon. So Durham County was notified on late Friday evening about the malware attack on our county resources. Soon thereafter our IS&T team called in additional cyber security resources to investigate, perform forensics and determine the extent of the impact. I am comfortable that we have and will acquire the resources to address this breach. Our goal is to continue to provide citizens services as appropriately as possible during the time that our systems are down. That can mean some manual processes and other workarounds that will be brought to bear during this period. But it is important that we take our time to fully investigate and restore our business systems to ensure we provide enhanced security so that this situation does not reoccur. The recovery period is critical and we must do it right. At the end of the day, we ask our citizens and our employees for their patience as we work through this business interruption. At this time I'd like to recognize our IS&T director, Greg Marrow, who will report to you on our current situation and how we move forward from this point. I also want to take the occasion to, well, thank Cisco Systems, our National Guard cyber security unit, as well as Microsoft for their assistance in this effort. In addition to Greg coming forth, we also have some additional department heads present in the room to ask any subsequent questions that may come up around public health, emergency services and emergency management and more. So, Greg.

Thank you, County Manager.
My name again is Greg Marrow, CIO with the County of Durham. And as the county manager mentioned, similar to the city, we experienced a ransomware attack on Friday evening as well, and we executed our incident plan on Friday evening. As the county manager mentioned, we are taking a slow process in terms of investigating the cause of the attack and looking deeply into our systems to ensure that when we do our backups we don't affect, we don't have this problem a week from now. And so we're following a very similar process to the city; not going to repeat that process. But we're going through an investigative stage. I think it's fair to say we are wrapping up our investigation stage. We do know it's a ransomware attack. We now know where it emanated, you know, from and how it entered the county network. In terms of restoration, we're beginning that process now. So we're moving out of the investigation stage into the restoration process, and our focus at the county is beginning to look at social services, public health, to ensure that citizens can quickly and expeditiously begin to utilize services that are provided through, whether it's online, whether it's through computers, whether it's through our call center. And so that's our focus over at the county. As Kerry mentioned, our numbers look about the same. We have about a thousand computers or so that we need to re-image. On the county side, we've decided that we're going to take the precaution and re-image all desktops and all laptops. And in terms of our data center, we have about a hundred servers out that we have decided to rebuild from scratch just for precautionary measures. And lastly, I'll just mention, as the county manager said, we have a full team of folks working with us, from the National Guard to the State of North Carolina to other agencies within North Carolina who have gone through this process, who are now here working with us, and we also have several of our business partners, Microsoft,
Cisco, and a few other partners who are actively working with us to help us get back to normal. And so I think that's pretty much it from the county side. So thank you.

We're going to open it up for questions, and after our questions we're going to have a statement from Mayor Schewel and Commissioner Jacobs. So we do have a mic. And okay, all right.

Do you have any idea how this even got onto the workstations? Did somebody open up an email or download something?

Ask our experts to come up and talk to you about that. I don't know if you heard the question. Can you repeat the question?

Do you know how this ransomware even got onto the server or network?

I'll go first. I'm Kerry Good, CIO for the City of Durham. Based on our forensic analysis up to this point, we had several analysts look at our patient zero information. We have identified five workstations that could possibly be patient zero, and based on the analysis it looks like an email was the way that it infiltrated into our network, so when clicking on an attachment within an email.

Greg Marrow again from the county side. Similar to the city, we've identified two laptops, and we believe that the virus entered our, the malware entered the county through someone clicking on an email as well.

And this question is for Mr. Marrow. With respect to the county, has any data, information on, say, voter registration records been compromised, if they've been stolen, lost? I've heard a number of comments from the public about voter registration information. What can you say to that end?

So based upon our investigation to date, we have no indication that any data has been stolen or tampered with. And it's also important for me to say that all of our data sitting at rest or in transit is encrypted. But as part of the forensic investigation, we have no indication that any data has been tampered with.

And in your forensic investigation, have you had any indication of why
Durham city and county were targeted in this?

No, we haven't seen, we don't know of any specific reason other than the hackers, the cyber threat actors, don't need a reason to attack you other than they want to do it. And also we haven't received any ransom notes yet. We've been looking for it, but we haven't received any screens or any kind of ransom.

Any question?

That leads me to my question. What was the nature of the email attachment? Do you know?

We can get that information for you, but we don't have that information right now. The analysts didn't share that with us because we didn't ask.

Okay, I am curious: which specific office inside city and county government did this email, I guess, infiltrate?

Yeah, on the county side, all we have identified is a particular laptop. We haven't gone to, you know, okay, what office is this connected with or what person is this connected with. Right now, all we're concerned with is understanding the nature of the situation is communicable to the

And I echo what Greg Marrow said. Our focus was understanding the how and not the who at this time.

Will there be any type of education among your employees, since it seems to be a user error that this started?

At the City of Durham, we've been doing cyber security awareness, and we even test them to see if they are cognizant of what we did when we trained them. And we had a very high score of employees compliant with not clicking on phishing email attempts. Uh, of course, not all employees pass, but it was a high degree of employees that passed the test.

Can employees continue to work at their offices over the next couple of days, or do they have to work from home? What does this mean for the employees who can't access records and so forth?

Certainly, um, the work is adjusted. All of our employees received notice that they are to report to work, and they are at their work.
Uh, their work may be different in some cases. Uh, it is as rudimentary as paper and pencil. In other cases, there are some systems that, you know, are allowed to accumulate data. But the most important thing is we want to be, you know, available as soon as the phone systems are up. And certainly City Hall, the doors were open, and we have facilities all over the city, and all operations were available to meet the public today.

Any suggestion that this hack might have had anything to do with the elections, that is an election year?

No. I mean, the technical folks can answer that question. While it may be perceived that Durham was targeted, or Durham city and county were targeted, from what I understand, and Kerry can confirm, I mean, these attempts are going on all over the country, all over the world. This particular virus is prolific, has retained a significant amount of ransom being paid by a lot of people. And I think this was really just, you know, something that, uh, it wasn't identified just as the city or the county of Durham. We just happened to have had the misfortune of, you know, this happening simultaneously. Kerry, you want to talk about

Right. Um, Tom Bonfield is correct. Um, from forensic information, I haven't seen any specific reason why we were targeted. But we do know that this particular ransomware will have earned three billion dollars up to this point, based on the analysis.
So it's a high-earning type attack by the cyber threat actors. And I think they just wanted to see if they can penetrate and get us. Until they get our backups consumed, we can always recover. And unlike other cities, our backups were not consumed by the malware, so it's just a time element for us to recover. Thank you.

So there was a question about whether or not our employees are working. Obviously, all of our employees are at work today. We do business continuity planning, and so we essentially just activated those plans for the most part. And it means a number of different things for our various departments. Some folks brought their printers to work and work offline along with their computers, and things of that nature. And so all of our employees are working, and if, you know, we get ultimately to a point that we have to exercise our telecommuting practices and things of that nature, we will, but we are not at that point. I think that we are in a good recovery place.

Can you tell us why the public wasn't notified about this until two days after the attack happened?

Yeah, I'm not sure that is exactly correct. And we issue statements when we have information to share. While we get a lot of questions, our staff, the city staff, was working around the clock to try to understand what was going on and what was, you know, the extent of the problem. And we wanted to wait until we had our hands around, a handle around that, before we issued the official public statement. I think that was, was that yesterday? But this was not something that, you know, there was anything to be kept secret about. We were just very concerned about misinformation coming from guessing what happened until we were sure what happened.

I don't have anything I can add to that.

My question: will this incur any additional costs?
Well, I think it depends on how you describe additional costs. Obviously, we've got additional staff time, additional resources. The city does have cyber security insurance. We have had cyber security insurance for quite some time. Our cyber security insurer has been put on notice, and at some point we will make an assessment about what additional costs we incurred that would be eligible to come under that coverage.

Again, I would just echo what Tom said on the front end of his statement. We do have that same insurance as well on the county side. As we go through these experiences, obviously we will learn some things about our system, and as we learn those things we may have to make additional investments. But we're not at that point yet to understand precisely what that means in the broader context of this investigation. But if we discover that additional investments need to be made, then we will have that conversation internally and we'll have some conversations with our elected leaders.

When was the last time employees were trained on cyber security awareness?
At the City of Durham, it was last fall, around November, the summer time frame.

And at the county, we do cyber security training on an ongoing basis. So as part of new employee orientation, cyber security training is included in that. We're always doing something on a monthly basis in terms of training and warning and preparing employees for these kinds of incidents.

And let me add, our training is continuous. New employees are trained on cyber security throughout the orientation. Also, on our screen savers we have training that they see every time that screen goes into screen saver mode. We warn them about phishing emails and about spear phishing and how cyber security is very important to how they use their computers. And anyone working, they see that screen saver every day.

And just to kind of sum things up again, you've addressed this here and there, but to summarize: when do you anticipate everything will be, quote, back to normal, when things will be functioning normally at the city and county level?

At the city, I have a great deal of confidence that within two weeks we'll be back fully operational.

And on the county side, I would say that, you know, we're still, and we are a little bit more cautious, and so we're starting the restoration process today. I would say, you know, if everything goes great, it could be within a week, and then if there's some, uh, extenuating circumstances that, you know, come up, it may be two weeks.

So now we're gonna hear from Commissioner Chair Jacobs and Mayor Schewel. I just want to say while they're coming up that we're gonna keep you up to date on our social media forums and just get information out whenever we can and need to to the public to keep you apprised of what's going on.

Good afternoon. I'm Wendy Jacobs, chair of the Durham County Board of Commissioners, and I just want to share with our residents that we are in very good hands. We have outstanding IT staff. Our IT
director, Greg Marrow, and all of our IT staff are fantastic people and have been working as hard as they can around the clock. This unfortunately is something that they have prepared for and trained for, as you heard from comments. Um, all of our employees, and even me personally as a county commissioner, have been trained to watch out for phishing expeditions, but we know that in today's world, unfortunately, these types of attacks are very, very skillfully crafted. All of us know from the emails that we get personally, from the phone calls even that we get, that these attacks can look like a bank statement or an order, purchase order. It is very, very difficult, and it is very easy for somebody to just click on an email or an attachment, and this is what happens. I think the good news is that we have prepared for this. The county has invested very heavily in preparing for this moment, and I have full confidence in our staff. And we just ask people to be patient. We ask our residents to just be patient, and that everybody is doing their best to make sure that all of our residents are having the services and programs that they need, and that is our number one priority. So everyone is working as hard as they can: social services, public health, EMS, our 911 center, the office of the sheriff, making sure that we are taking care of residents in our community. So again, I just want to thank our county manager, all of our department heads who are here, all of the county staff. You know, everyone's learning to talk to each other face to face and talking on the phone, things that we maybe don't do as often as we should, and we will all get through this together.
Thank you, everyone.

Thank you, Commissioner Jacobs, and thank you all for being here today. I want to echo what Wendy has just said. We in the city are very fortunate that we have super capable people in our technology solutions department who are doing a great job and were prepared for this. Let me just say a little bit about our cyber security. One of the things that I don't believe Kerry did say is we back up all of our data in the city every two hours. So when something like this happens, we lose no more than two hours' worth of data. So that is one of our cyber security protections. Another one of them is something that both Greg and Kerry have also mentioned, as did Commissioner Jacobs, which is we are all the time educated about these phishing attempts. And here are some of the ways we're educated. One is, uh, we have on our screens every day, something comes up on my screen that educates me about not answering something that looks like a phishing email. But there's another thing that happens in the city which I think is even, uh, more powerful, which is our technology solutions department sends us fake emails to see if we will open them. I've gotten these, I don't know how often, because I try not to open them. And what I frequently do, uh, is I will send this to Kerry and say, "This looks like a phishing email, is this?" and he will send back, "Yes, this is one of our tests." So we are being educated in that very practical way as well. And then one of the questions, an important question, is, you know, about Durham being targeted. My colleague Mark-Anthony Middleton, who's here today, just said to me, I thought, which is a really good metaphor for this: we're not being targeted. What's happening is these viruses are just rattling doorknobs.
They're rattling doorknobs and they're seeing what's open. And this happens: we are attacked, both the city and the county, thousands of times a year by people attempting to break into our system. This time they succeeded because of someone or someones opening an email that was a phishing attempt, but this is not rare. This is common. And I think the way that we need to all view this is: this was not a question of if this was going to happen; this was a question of when this was going to happen. And the question is, are we prepared? And the answer is we are prepared, and I'm very confident that we will be back up soon, that our major systems will be back up by either late this afternoon or tomorrow. And then subsequent to that we mainly have to do work on workstations, making sure that each of the thousand workstations itself is not contaminated, and that will take a little bit of time. So I appreciate everyone being here and have, again, just real appreciation for our county colleagues as well as our own staff. So thank you.