The Ransomware Scourge: Reckoning Time for Governments

As attacks on state and local organizations become the rule and not the exception, leaders need to reprioritize their defenses. And they may need to confront a difficult question: Should we pay up?

Photo: A Massachusetts Steamship Authority ferry approaches Nantucket Harbor. The state-run service suffered a major ransomware attack earlier in the year. (John Santoro/Shutterstock)
Media exposure on the impact of ransomware attacks has been growing and has come to consume both public- and private-sector leadership, who now recognize it as the No. 1 cybersecurity risk factor facing their organizations.

Highly visible attacks on Atlanta, Baltimore, Tulsa, New Orleans, Newark, the Washington, D.C., Police Department and many other jurisdictions and agencies have created a newfound sense of urgency for government leaders. According to The Washington Post, more than 400 ransomware attacks have hit city and county governments in the United States since 2016, affecting hospitals, school districts and higher education, police departments, and a variety of other municipal services. State governments have seen attacks on agencies as varied as Texas’ and Colorado’s transportation departments, New Mexico’s utilities regulation commission and the agency that operates Massachusetts’ ferries. Comparitech has estimated that ransomware attacks on government agencies in the U.S. from 2018 to 2020 potentially impacted more than 173 million people and that downtime and recovery may have cost nearly $53 billion.

Those figures don’t take in the impact on private-sector services essential to the economy and the public’s safety and welfare, such as the attacks on Colonial Pipeline in May and on JBS, the world’s largest meat producer, in June. Just in the last two weeks, it was reported that farming co-ops in Minnesota and Iowa had been attacked; there were estimates that up to 40 percent of the nation’s grain production and the feed schedule for 11 million animals could have been affected. And a new lawsuit alleges that a 2019 cyber attack on an Alabama hospital contributed to the nation’s first death linked to ransomware, that of a newborn.

To non-technologists, the sustained and growing crescendo of ransomware attacks must appear absurd. How can the very technologies we’ve invented be turned against society in such a disruptive way and consume such a vast amount of time and resources? And yet the question about ransomware eventually always comes around to this: Should we pay the ransom or not? And that is a leadership decision, not a technology decision.

Mike Russo, a former chief information security officer for the state of Florida, told me that “five years ago, my comment about ransomware would have been simple — it’s a form of extortion, it’s illegal, and no one should pay a ransom.” However, Russo added, “cryptocurrency, cybersecurity insurance and the growth of sophisticated and targeted attacks have reshaped the landscape, and the risk of disruption to citizens’ services has been dramatically altered. There is no longer a simple answer, and whether to pay or not needs to be a well-considered option based upon the risk and impact to the organization and their citizens.”

Many experts, including the FBI and other law enforcement organizations, urge ransomware victims not to pay off their attackers because ransom payments can then be used to support additional cybersecurity attacks or even more destructive and disruptive criminal activity. However, when the health and safety of your constituents are at risk, not to mention the costs of disrupted government operations like issuing driver’s licenses, delivering social services and keeping public services like water, electricity and sewage-treatment facilities running, it’s not a simple binary decision.

It’s not that there are no alternatives to paying up. The Biden administration has warned Russia, and by implication other nations, that attacks against U.S. critical infrastructure were “off-limits” and would result in aggressive reactions. Since almost all ransomware events are carried out via the use of cryptocurrency platforms, the administration is also planning to announce a variety of actions, including sanctions against cryptocurrency exchanges, that will make it more challenging for hackers and ransomware gangs to generate revenue. But given the guidance from the Treasury Department’s Office of Foreign Assets Control that it is illegal to make ransomware payments to sanctioned entities, state and local government organizations could soon find themselves in a situation where they are both the victim and the criminal following a ransomware attack.

Fortunately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is aggressively marketing a variety of resources to state and local governments that include free cybersecurity assessments and cybersecurity tools. Additionally, there is $1 billion for state and local government cybersecurity as part of the infrastructure legislation currently making its way through Congress.

But state and local governments need to do more and not wait for the federal government. This includes pre-event planning and preparation with a strategy that includes buying cryptocurrency. “Adversaries often take advantage of common technology operational gaps and missteps, so implementing and managing basic operational resiliency practices is a fundamental deterrent,” said Vitaliy Panych, chief information security officer for the state of California. “Paying a ransom is not an optimal defensive strategy and it should never be relied upon as a routine recovery practice. The best defense is actively managing operational recovery practices, redundancy and security controls across the enterprise.”

It may be impossible to completely eliminate the threat of ransomware, but there are a few clear and consistent objectives that can help organizations mitigate the damages:

• Cybersecurity training is the lowest of all low-hanging fruit. Regular and consistent awareness training about cybersecurity threats pays the greatest return on investment.

• “Zero trust” is a cybersecurity buzzword that simply means ensuring that all users and devices are limited to only the data and infrastructure necessary to do their job.

• A lack of regularly tested offsite data backups and of “out-of-band” control systems — which allow management of critical assets when primary control systems are compromised — are the most common reasons organizations find themselves without options in a ransomware event.
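The third objective hinges on the word “tested”: a backup that has never been verified may already be silently corrupted, incomplete or overwritten by the same intrusion it is meant to survive. The script below is an added illustration, not code from the column or from any agency it mentions, of the minimum check a restore drill should run: record a hash manifest when the backup is written, keep that manifest somewhere the backup host cannot alter, and later compare the offsite copy against it. The file layout and contents are constructed for the example.

```python
"""
Verify an offsite backup copy against a manifest recorded when it was written.

Added example (hypothetical file layout); the manifest is meant to be stored
separately from the backup itself, e.g. on immutable or write-once storage.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # stream files in 64 KiB pieces so large archives need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its size and SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two runs produce identical manifests
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_backup(root, manifest):
    """Compare the copy at root with the manifest taken at backup time.

    Returns lists of files that are intact, changed since the manifest was
    written, missing from the copy, or present but never recorded.
    """
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed sample: write a tiny backup set, record its manifest, then
    damage the copy in three ways a restore drill must notice."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "config/app.yml": b"db_host: records.example.local\n",
            "records/db.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
            "docs/notes.txt": b"backup taken after nightly batch\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # Manifest is serialized to JSON as it would be when shipped offsite,
        # then loaded back before use.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)
        manifest = json.loads(manifest_json)

        # Simulated damage to the offsite copy (constructed, not real attack tooling):
        # one file overwritten in place, one deleted, one stray file added.
        with open(os.path.join(root, "records", "db.sqlite"), "wb") as f:
            f.write(os.urandom(80))
        os.remove(os.path.join(root, "config", "app.yml"))
        with open(os.path.join(root, "records", "db.sqlite.locked"), "wb") as f:
            f.write(b"placeholder")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A verification run that reports anything other than an empty `modified`, `missing` and `unexpected` list means the copy cannot be trusted for recovery; the drill should go on to actually restore into an isolated environment, since a matching hash proves only that the bytes are unchanged, not that the application can start from them.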

Ransomware is being called the cybersecurity scourge of the 21st century, and no organization is immune. State and local government leaders need to work closely with their cybersecurity and technology leaders to understand where they can be most effective in helping mitigate this burgeoning and increasingly costly threat. Paying ransom need not be the only option.

Governing’s opinion columns reflect the views of their authors and not necessarily those of Governing’s editors or management.
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.