The Underbelly of Ransomware Attacks: Local Governments
Michael Garcia is the senior policy advisor for Third Way’s National Security program, a 2021 Shawn Brimley next generation national security fellow at the Center for a New American Security, and a former staffer on the U.S. Cyberspace Solarium Commission.
Globally, ransomware increased 148 percent [PDF] from 2019 to 2020, and last year the FBI reported [PDF] nearly $25 million in losses, which is likely just a small fraction of the total cost. These are large numbers but they fail to capture the societal impacts that ransomware wreaks upon communities. Local governments oversee water utilities, airports, schools, health care facilities, and other services that people tend to take for granted, and cyber criminals are all too aware of our dependency on these services. 2,400 U.S.-based governments, health-care facilities, and schools were victims of ransomware in 2020. These attacks disrupted medical treatment during a global pandemic, interrupted remote learning, and disabled public transportation.
I was fortunate to be a member of the Institute for Security + Technology’s (IST) Ransomware Task Force, which was convened to develop recommendations on how the government, private sector, and U.S. allies can combat ransomware and help victims, such as state and local governments. The Task Force recently released forty-eight recommendations to deter, disrupt, prepare for, and respond to ransomware events. Given ransomware’s impact on public entities, it is worth briefly diving into how the Task Force’s recommendations could help states and locals. Indeed, the Task Force concluded that “Ransomware attacks impacting local governments are catastrophic not only for the organizations themselves, but also for the constituents they serve.”
Local governments face a troubling predicament. They are one of the most targeted sectors, yet have arguably the least resources and capabilities to prepare for and respond to ransomware. Indeed, a 2020 survey [PDF] of state chief information security officers found that 70 percent listed ransomware as a top concern because of funding challenges and lack of confidence in localities’ abilities to protect state information assets. And after a ransomware event occurs, only 45 percent [PDF] of local law enforcement agencies felt that they “had access to the resources” to examine digital evidence to attribute the crime. This then allows criminals to operate with impunity, as Third Way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest. This is untenable.
The IST Ransomware Task Force identified several recommendations to resolve these challenges, but three sets of recommendations deserve particular attention.
First, the federal government should promote and expand grants that state and local governments could use to support their cybersecurity and cybercrime investigative needs. Despite over $1.8 billion in grants that could have been used to address cybercrime in 2019, the federal government does not know how much of this was actually spent to fight cybercrime. Moreover, the Justice Department never made cybercrime a priority for its $500 million grant program. Further, only 2 percent [PDF] of all Department of Homeland Security (DHS) preparedness grants (roughly $1 billion) were used for cybersecurity purposes. The task force recommends that the federal government highlight existing grants that could be used to combat cybercrime and expand the cybersecurity expenses eligible under DHS’ Homeland Security Grant Program. This, however, would not be a blank check. The task force recommends that recipients of these funds be required to adopt limited baseline security measures, such as joining the Multi-State Information Sharing and Analysis Center (MS-ISAC) and signing up for MS-ISAC’s Malicious Domain Blocking and Reporting system. These two measures would provide localities access to MS-ISAC ransomware training, support, and software that prevents IT systems from connecting to malicious web domains.
Second, the federal government needs the ability to declare a disaster or state of emergency in the face of a widespread ransomware event, similar to what the world saw with NotPetya. The Stafford Act, which is the current law under which governors request federal emergency assistance and the president can declare disasters, does not account for significant cyber incidents. Therefore, the resources and authorities that are normally available to the federal government during natural or other man-made emergencies are not accessible for cyber events. To free up cyber disaster authorities, the task force recommends that Congress either amend the Stafford Act, or establish a new, separate authority.
Third, to deal with the long-term financial consequences that ransomware can cause, the U.S. government needs to establish a Cyber Response and Recovery Fund. The city of Baltimore has become an unfortunate poster child of the long-term fiscal costs of ransomware. While the city refused to pay the ransom that cybercriminals demanded to decrypt its computer systems, its recovery lasted several weeks and cost at least $18 million. Politicians in other cities will undoubtedly look at Baltimore as an example of what happens when you don’t pay a ransom and conclude that it could be cheaper, and thus preserve taxpayer dollars, to pay the ransom. A National Cyber Response and Recovery Fund, initially recommended by the U.S. Cyberspace Solarium Commission [PDF], that could support ransomware response and other cybersecurity activities would be highly beneficial in this regard. Although President Biden’s annual discretionary budget [PDF] proposal requested financial support to establish a Cyber Response and Recovery Fund, it only asked for $20 million for the entire fund. If a federal fund akin to that called for by the Cyberspace Solarium Commission were available, local politicians and owners and operators of critical infrastructure would not have to solely factor in the monetary cost when deciding whether to pay a ransom. Again, this would not be a blank check, and requirements would be attached to receiving the fund, thereby preventing any moral hazard of abusing the fund.
These proposals are not a panacea to the woes plaguing state and local governments. But taken together with the other task force recommendations, they can begin breaking the ransomware epidemic.