Cybersecurity touches our everyday life in many ways: online banking, debit/credit card use in retail stores, shopping on the internet, email use at home, mobile working, access to online healthcare, even renewing our driver’s license. Individually, we take responsibility to protect our home computers from malware, we watch our online transactions for wrong entries, we keep an ever-growing list of internet login passwords, and we combat email scams, telephone fraud and package theft with internet-connected solutions.
All the while, cyber criminals continue to target the less vigilant, and most recently this includes city and county governments and other local government entities (police, fire, utilities, etc.). In the last 12 months, numerous city and county computer networks have been victimized by cyberattacks that have affected individual taxpayers and residents.
The most recent list includes multiple entities in Georgia, including the Georgia Emergency Management Agency (GEMA), the Lawrenceville Police Department, Henry County, and the Georgia State Patrol, which included Georgia Capitol Police and the Georgia Motor Carrier Compliance Division due to their shared information technology infrastructure.
Other state and local governments recently affected by highly publicized ransomware incidents include Atlanta, Baltimore, Akron, Albany, Newark, and three smaller towns in Florida.
All were infected with malware that entered the computer systems by way of a malicious phishing email that enticed an employee to open an attachment or click on an internet link. The malware spread itself across the internal network and locked up the computers demanding a ransom to unlock them.
An article in the Miami Herald states: “According to FBI estimates, there were 1,493 ransomware attacks in 2018, with victims paying a total of $3.6 million.”
The destructive impact to local government services included the inability to close real estate sales in Baltimore, outage of 311 services in Akron, the police department had no access to their computers in Albany, and the loss of tax/fee collection in Atlanta.
About half of the governments decided to pay the ransom (against FBI advice); the others (like Greenville, NC) have struggled to rebuild their systems without buying the decryption keys from the attackers. See the table below for a brief comparison by city:
The city of Akron stood out as being well-prepared. The city cited spending $9M over the last five years to upgrade IT infrastructure and implement security detection/prevention solutions. When it was attacked, the IT organization knew whom to contact, took a planned set of response actions, and minimized the impact without paying the ransom. All city services were back up and running in just a few days.
Contrast that with Atlanta and Baltimore where millions were spent over a period of months attempting to recover from an attack.
A few clear lessons emerge for local government leaders:
1. Be prepared for an attack. Regardless of your size (Key Biscayne or Atlanta), expect to be hit with an infection that will take your computers offline.
• Ensure you have offline daily backups of data and applications.
• Ensure you have the technical ability to detect, contain, and respond to a future attack.
• Rehearse your incident response (IR) plan. Know in advance what steps the organization should take, who they will contact, and who can provide help.
• Consider a cloud-first strategy and workstation virtualization that allow an immediate refresh of affected machines.
2. Perform a security assessment to gauge the organization’s ability to detect, respond, and recover. Leadership should expect the IT organization to report on its preparedness for a cyber crisis, just as it expects first responders to have an assessment for an active shooter situation.
3. Conduct awareness training and phishing simulations for all employees on spotting malicious emails and phishing attacks. The attack methods look very realistic. Employees need to practice identifying them and need to know what action to take when they do.
4. Review your cybersecurity insurance coverage. Much of the initial ransom cost could be covered with the right insurance policy; however, understand that an insurance policy alone will not protect services. It will only help the government recoup some of the cost.
Even if you decide to pay the ransom, you must immediately allocate funds to determine the root cause of the breach, close the holes that allowed the breach in the first place, upgrade systems that were exploitable, increase employee training, hire additional expertise, replace aging backup systems, etc. The cost of the ransom will likely be a minor portion of what it will take to increase your network resilience.
Considering the critical services (Police, Fire, 911) and the sensitive data that local and state organizations store and process for their residents (driver’s licenses, birth certificates, tax and voter registration), there is an expectation that they will do what’s necessary to protect the data and continue vital services in the face of a natural or man-made crisis, including a cyberattack.