Media exposure to the impact of ransomware attacks has grown and has ended up consuming executives in both the public and private sectors, who now recognize it as the No. 1 cybersecurity risk factor their organizations face.
Highly visible attacks on Atlanta, Baltimore, Tulsa, New Orleans, Newark, the Washington, DC Police Department and many other jurisdictions and agencies have created a new sense of urgency for government leaders. According to The Washington Post, more than 400 ransomware attacks have hit U.S. city and county governments since 2016, affecting hospitals, school districts and higher education, police departments, and various other municipal departments. State governments have witnessed attacks on agencies as diverse as the Texas and Colorado Departments of Transportation, the New Mexico Utilities Regulatory Commission, and the agency that operates Massachusetts ferries. Comparitech estimated that ransomware attacks against government agencies in the United States from 2018 to 2020 potentially affected more than 173 million people, and that downtime and recovery may have cost nearly $53 billion.
These figures do not take into account the impact on private sector services essential to the economy and to the safety and welfare of the public, such as the attacks on Colonial Pipeline in May and on JBS, the world’s largest meat producer, in June. In the past two weeks alone, there have been reports of farmer co-ops in Minnesota and Iowa being attacked; it has been estimated that up to 40 percent of the country’s grain production and the feeding program for 11 million animals could have been affected. And a new lawsuit alleges that a 2019 cyberattack on an Alabama hospital contributed to the country’s first ransomware-related death, that of a newborn baby.
To non-technologists, the sustained and growing crescendo of ransomware attacks must seem absurd. How can the very technologies we have invented be turned against society in such a disruptive way and consume so much time and resources? And yet the ransomware question always ends up coming back to this: Should we pay the ransom or not? And this is a leadership decision, not a technological decision.
Mike Russo, former head of information security for the State of Florida, told me that “five years ago my comment on ransomware would have been simple: it’s a form of extortion, it is illegal and no one should pay a ransom.” However, Russo added, “Cryptocurrency, cybersecurity insurance, and the growth of sophisticated and targeted attacks have reshaped the landscape, and the risk of disruption to citizen services has changed dramatically. There is no longer a simple answer, and whether or not to pay should be a carefully considered option based on the risk and impact on the organization and its citizens.”
Many experts, including the FBI and other law enforcement organizations, urge ransomware victims not to pay their attackers, since ransom payments can then be used to fund further cyberattacks or even more destructive and disruptive criminal activity. However, when the health and safety of constituents are threatened, to say nothing of the costs of disrupted government operations such as issuing driver’s licenses, providing social services, and maintaining utilities like water, electricity and wastewater treatment, it is not a simple binary decision.
It’s not that there is no alternative to payment. The Biden administration warned Russia, and by implication other countries, that attacks on U.S. critical infrastructure were “prohibited” and would lead to aggressive responses. Since almost all ransomware events involve payment through cryptocurrency platforms, the administration also plans to announce a variety of actions, including sanctions against cryptocurrency exchanges, that will make it harder for hackers and ransomware gangs to generate revenue. But given indications from the Treasury Department’s Office of Foreign Assets Control that it is illegal to make ransomware payments to sanctioned entities, state and local government organizations could soon find themselves in a situation where they are both the victim and the criminal as a result of a ransomware attack.
Fortunately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency actively promotes a variety of resources to state and local governments, including free cybersecurity assessments and cybersecurity tools. Additionally, $1 billion is earmarked for state and local government cybersecurity under infrastructure legislation currently under consideration in Congress.
But state and local governments must do more and not wait for the federal government. This includes planning and preparation before the event with a strategy that includes buying cryptocurrency. “Adversaries often take advantage of common technological gaps and missteps, so implementing and managing basic operational resilience practices is a fundamental deterrent,” said Vitaliy Panych, Chief Information Security Officer for the State of California. “Paying a ransom is not an optimal defensive strategy and should never be considered a routine recovery practice. The best defense is to actively manage operational recovery practices, redundancy, and security controls across the enterprise.”
It may not be possible to completely eliminate the threat of ransomware, but there are a few clear and consistent goals that can help organizations mitigate the damage:
• Cybersecurity training is the lowest-hanging fruit. Regular and consistent awareness training on cybersecurity threats offers the best return on investment.
• “Zero trust” is a cybersecurity buzzword that simply means that all users and devices are limited to only the data and infrastructure needed to do their jobs.
• The lack of regularly tested offsite data backups and of ‘out-of-band’ control systems – which enable the management of critical assets when core control systems are compromised – is the main reason organizations find themselves without options in a ransomware event.
Ransomware is called the bane of 21st century cybersecurity, and no organization is immune. State and local government leaders need to work closely with their cybersecurity and technology officials to understand where they can be most effective in helping to mitigate this emerging and increasingly costly threat. Paying a ransom shouldn’t be the only option.
Governing’s opinion columns reflect the opinions of their authors and not necessarily those of Governing’s editors or management.