Will Government Ransomware Outbreak Spur More Legislation?

This year more than 70 state and local governments have been targeted by hackers that have locked up their computer systems and demanded ransoms to release them. A majority of states have taken legislative action in recent years to protect data held by government agencies. But the current ransomware outbreak could spur state lawmakers to do more.

State and local governments have been dealing with ransomware attacks since at least 2013, according to analysis by the cyber threat intelligence company Recorded Future. That analysis also uncovered 46 ransomware attacks against government entities in 2016, 38 incidents in 2017 - a dip that extended to ransomware attacks against non-governmental organizations as well - and 53 in 2018.

In the first seven months of this year, according to a report released late last month by the cybersecurity group Barracuda Networks, there were already more ransomware attacks on state and local governments than in all of last year. Of the 55 total incidents covered by the report, 38 involved local governments, 14 involved county governments and three involved state governments. And while 16 percent of the targeted municipalities were cities, such as Baltimore, with populations over 300,000, 45 percent had populations of less than 50,000 and 24 percent had populations under 15,000.

“Smaller towns are often more vulnerable because they lack the technology or resources to protect against ransomware attacks,” the report said.

The report included only five of the 22 Texas communities involved in a coordinated ransomware attack reported on Aug. 16 because the other 17 hadn’t been identified at the time of Barracuda’s analysis. Those additional targets bring the total number of state and local governments hit by ransomware attacks this year to 72.

The attacks have caused considerable disruption. Georgia’s Department of Public Safety was hit on July 26. And as the New York Times reported nearly a month later: “The computer network remains down. Every device, including laptops and tablets, is being examined and reconfigured. Much of the email system cannot be entered. State troopers are unable to use computer systems in their patrol cars.”

The Washington Post noted that the attacks had “potentially deadly consequences,” with many having knocked 911 systems and emergency services offline.

To escape such turmoil a few cities have opted to meet the hackers’ ransom demands. In June, Riviera Beach, Florida, a city of about 35,000 people in Palm Beach County, agreed to pay a ransom of $600,000 in bitcoin in the hope of regaining access to its computer systems. A week later another small Florida municipality, Lake City, with a population of about 12,000, said it would pay a $460,000 ransom.

The FBI advises against paying such ransoms not only because it encourages more attacks but also because doing so doesn’t guarantee access to the targeted systems and sometimes just results in additional ransom demands from the perpetrator. But the cost of not paying the ransom can be far higher.

The perpetrators of an attack on Atlanta in March 2018 demanded roughly $51,000 in ransom, which the city refused to pay. Recovering from that attack could end up costing the city $17 million. Baltimore refused to pay the $76,000 ransom hackers demanded in the attack there this year. And the city has estimated the attack will cost it over $18 million in direct recovery expenses and delayed revenue.

Mark Orlando, chief technology officer at Raytheon Cyber Protection Solutions, said the way a city deals with a ransomware attack often depends on its size and resources.

“It’s hard to ignore the pattern that we’ve had some large cities that were able to find the funds to rebuild, and then we’ve seen the smaller municipalities that choose the other direction,” he told The Hill.

The expense for cities that pay the ransom can be even lower if they have cyberinsurance. All but $10,000 of the $460,00 ransom demanded of Lake City will reportedly be covered by its policy. And that alternative was more appealing to the city’s mayor and council than a prolonged recovery that would have taken the city over its $1 million cybersecurity coverage limit, according to a report by ProPublica.

“Our insurance company made [the decision] for us,” said Sgt. Michael Lee, public information officer for the Lake City Police Department. “At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom.”

Cyber insurers making that decision could just be compounding the problem. As insurers have been paying out ransoms over the last year, attackers have been demanding more money, observed ProPublica, citing a sixfold increase in the average ransom paid by clients of ransomware response firm Coveware between October 2018 and July 2019, from about $6,000 to about $36,000.

Josh Zelonis, a principal analyst at Forrester Research, also told ProPublica that the increase in ransom payments correlates with the revival in ransomware attacks after their decline two years ago. And the publication referenced indications that hackers may now be specifically targeting organizations with cybersecurity policies.

At its annual meeting in Honolulu this summer - after Riviera Beach and Lake City announced their ransom payments and an editorial was published in the Washington Post calling for a federal law banning such payments - the U.S. Conference of Mayors adopted a resolution pledging that it “stands united against paying ransoms in the event of an IT security breach.” Only the 227 mayors in attendance signed on to the resolution, however. And there are more than 1,400 cities with populations over 30,000 represented by the organization.

Baltimore appears to be the only major U.S. city to have passed an ordinance this year referring specifically to “ransomware,” according to LexisNexis State Net’s local ordinance database. That particular measure makes a $10,000,000 general fund appropriation for the city’s “ransomware response and recovery.” At least six local governments - the cities of Denton, Texas; Houston; Jacksonville, Florida; and San Diego; and the counties of Los Angeles and Saint Louis - have considered ordinances in the last two years dealing with cybersecurity.

State lawmakers, meanwhile, have shown growing concern about the security of government data and critical infrastructure. As of late February, at least 29 states had laws - many enacted within the past two or three years - requiring state government agencies to implement security measures to protect the data they hold, according to the National Conference of State Legislatures.

“A fair number of states have gone from not addressing security practices in statute, or from simply requiring ‘reasonable security practices’ to specifying what those practices should be, like cyber awareness training programs for state employees, periodic security audits or assessments, development of statewide standards and guidelines, or creating a statewide [chief information security officer (CISO)],” Pam Greenberg, who tracks technology issues for NCSL, told SNCJ.

As of April at least 37 states had introduced legislation dealing with government cybersecurity, 16 of which had enacted such measures, according to analysis by the National Conference of State Legislatures. Since then at least eight other states have enacted government cybersecurity bills, LexisNexis State Net’s legislative tracking system shows.

Several of the enacted measures deal with election security, the exemption of government cybersecurity information from public records laws and studies on the use of distributed ledger technologies by government agencies.

Other enactments authorized the use of the national guard for cybersecurity threats (Arkansas HB 1128); expanded a program providing college students with certifications required to do cybersecurity work for government agencies (Maryland HB 1315); allowed public entities to share cybersecurity information (Louisiana SB 46); provided for an electric utility cybersecurity monitor (Texas SB 936); and prohibited public entities from using products or services banned by the U.S. Department of Homeland Security for use on federal computer systems (Virginia SB 1233).

Numerous bills are also still pending, including many more dealing with election security, public records exemptions and distributed ledger studies, along with a few that would make appropriations for cybersecurity programs or establish a state government procurement preference for information technology vendors with cybersecurity insurance.

Recent research indicates that two of the most critical challenges currently facing state and local government IT leaders are inadequate funding and a shortage of cybersecurity talent. Several states appear to be attending to those matters.

But this year’s ransomware outbreak has only added urgency to the larger issue of government cybersecurity. And that’s unlikely to change any time soon. As the cybersecurity firm Barracuda’s analysis revealed, government entities are now “the intended victims of nearly two-thirds of all ransomware attacks.”



 Bird’s Eye View

 Government Cybersecurity Bills Introduced in Nearly 3/4 of States in 2019

At least 37 states have introduced legislation this year dealing with the cybersecurity of government agencies, 24 of which have enacted such measures, according to information from the National Conference of State Legislatures and LexisNexis State Net. The measures deal with a range of issues, including election cybersecurity, the exemption of government cybersecurity information from public records laws and studies on the use of distributed ledger technologies by government agencies.