In the spring of 2018, the city of Atlanta's computers began seizing up.
It wasn't due to user error or outdated platforms: The city's data was being systematically attacked and encrypted by ransomware — an insidious form of malware that encrypts files on a victim's network and demands a ransom, paid out in cryptocurrency, for the decryption key.
Atlanta didn’t pay the $50,000 worth of bitcoin the hackers were demanding — nor did they have the chance to do so. The payment portal was taken offline, the city was left with a hobbled network, and IT professionals scrambled to bring the city's systems back online. At the end of the day, the total cost to the city was north of $2.7 million.
Atlanta's experience, of course, is far from unique. Ransomware is a growing problem — what some experts are calling an epidemic — and it's one that state, county, and local governments are woefully ill-prepared to deal with.
In 2020 alone, at least 2,400 public entities were hit by ransomware attacks, says Michael Garcia, senior policy adviser at Third Way’s National Security Program and member of the Institute for Security and Technology’s Ransomware Task Force. And according to research conducted by Comparitech, over the past three years ransomware has affected an estimated 173 million people and may have cost up to $52.88 billion.
“We never want to be alarmists, but I think now we have cause to be alarmed,” Garcia says. "Governments control the water we drink, the traffic lights that guide traffic, as well as airports and schools, for instance, and our day-to-day lives rely on a functioning public sector. Now most every aspect of the public sector is at risk of these disruptive attacks."
In the early days of ransomware attacks, the common wisdom was to simply pay the ransom and sweep the attack under the rug. Michael Makstman, chief information security officer for the City and County of San Francisco, says that approach has led to larger problems today.
"I think paying ransom in the last few years fueled the ransomware industry," Makstman says. "It's left us all in a worse place."
Indeed, ransomware attacks are now more sophisticated, the payments demanded are much higher, and cybercriminals mostly operate with impunity. And many local jurisdictions just don't have the resources and expertise to fight them.
How Local Governments Can Prepare
Obviously, steps for defending against a ransomware attack vary based on the size of the government entity and the resources available to each one. Huge metros will take different approaches than small townships that lack dedicated IT security staff.
However, some universal best practices include hardening systems, making sure software is up-to-date, utilizing two-factor authentication, and training employees on best security practices. But for local governments, rooting out ransomware ultimately will come down to two things: system architecture and partnerships.
Makstman compares the former to a city's zoning codes and fire departments.
"For example, just as the fire department ensures that a fire in any one place does not burn down the whole city, we have to architect our environments, our technology, in such a way to reduce impact and spread of the event and ask the question where [do] we have those firewalls in place? Where [do] we have a separation [between systems]?" he says.
This involves taking into account the fact that people will make mistakes, intruders will get in, and damage will occur, Makstman adds. The key, he says, is building systems in such a way that one user error or one piece of malicious code won't take the whole network down.
This is an exceedingly daunting task for most governments, he concedes, but it's one that must be undertaken to mitigate the threat of ransomware.
"We have to be smart in our design," Makstman says.
One useful resource is the Cybersecurity and Infrastructure Security Agency and Multi-State Information Sharing & Analysis Center (MS-ISAC)'s "Ransomware Guide," which provides best practices and guidance on how to evaluate your threat level for a ransomware attack and how to mitigate the risk of becoming a victim. Keeping updated, offline backups and segmenting your network are key best security practices. They also are major factors in preventing an attack and minimizing damage if one occurs.
MS-ISAC itself offers training, webinars, and free security tools. Its mission is to improve the overall cybersecurity posture of state and local governments across the country by focusing on threat prevention, protection, response, and recovery.
"At this point, the MS-ISAC has over 11,000 SLTT [state, local, tribal, and territorial government] members," says Josh Moulin, MS-ISAC's senior vice president and deputy of operations and security services. "We provide them with a number of different things that they can take advantage of to help them mature their cybersecurity posture."
But oftentimes governments exist in silos, which thwart their ability to team up to protect themselves from ransomware attacks.
"One of the things that I think is key is partnerships and working with other organizations and groups," says Daniel Clark Lee, the City of Los Angeles' integrated security operations center manager.
Governments need to understand the importance of partnering, he adds, because ransomware isn't an issue that affects one entity — it affects all members of an ecosystem.
Los Angeles’ Cyber Lab is a public-private partnership that aims to leverage knowledge and experience across both sectors to better prepare the community as a whole to deal with cyberthreats. Christopher Covino, policy director for cybersecurity in the office of Los Angeles Mayor Eric Garcetti, says this mindset has led to a posture of collective defense, where information and resources are shared to help protect everyone.
There are more than 80 cities and special districts in the L.A. region, an area that includes LA Metro transit authority and the Los Angeles Unified School District. "If any of these organizations went down because of a ransomware attack, it's going to have a significant impact on the whole region," he says.
The Mayor's Office leads a regional Cyber Collective Defense initiative focused on sharing information on potential cyberthreats. "For example, we provide machine-to-machine indicator-of-compromise sharing via LA Cyber Labs Threat Intelligence Sharing Platform. We coordinate joint threat briefs with local, state, and federal partners and produce and disseminate joint city/Cyber Lab Fusion center cyber advisories," he explains.
Ransomware Task Force
The Institute for Security and Technology’s Ransomware Task Force recently released a report that provides recommendations for a comprehensive framework to tackle the ransomware problem on a global basis.
Among the task force's recommendations: a coordinated effort by international diplomatic and law enforcement agencies to prioritize ransomware through a well-resourced strategy to direct nation-states away from offering safe haven to cybercriminals; government recovery funds for ransomware attack response and mandated alternatives to ransom payment; and a White House-led anti-ransomware campaign.
"Tackling ransomware will not be easy; there is no silver bullet for solving this challenge," the report states. "Most ransomware criminals are based in nation-states that are unwilling or unable to prosecute this cybercrime, and because ransoms are paid through cryptocurrency, they are difficult to trace. This global challenge demands an “all hands on deck” approach, with support from the highest levels of government."