The day after Christmas, the small town of Cornelia, Georgia, suffered a ransomware attack, the fourth cyberattack to hit it in the last two years. The incident joined a worsening trend that experts say is bringing cyberattacks against state and local governments that are increasingly frequent and severe.
The latest attack on Cornelia, a community with a population of about 4,000 tucked in the northern part of the state, took the city’s administrative software offline, but left a majority of public services unaffected. But this was after the city was hit with a cyberattack in September 2019, prompting the city to spend nearly $30,000 to upgrade its firewall, hoping to prevent yet another incident.
Yet this incident, said Philp Reiner, a former National Security Council official and chief executive of the Institute for Security and Technology, suggests that perhaps city and regional governments shouldn’t be expected to prevent ransomware attacks entirely on their own.
“There are tools that are available, sometimes even for free, that could be very beneficial to state and local actors,” said Reiner, whose organization last week announced the creation of a ransomware task force that will produce a framework designed to help cities like Cornelia. “They’re just not aware that that’s available to them. There’s training abilities that could be provided to those state and local officials that they could get access to that quite honestly would give them the ability to better defend themselves and handle it on their own. But these are silos of work that do not ever cross.”
Reiner told StateScoop the task force’s framework will capture what works well in cybersecurity, as well as where gaps are, pooling the expertise of organizations like Microsoft, McAfee, the Cyber Threat Alliance and a security and law center at the University of Texas at Austin.
2021 will be ‘more difficult’
The frequency and scope of ransomware incidents have gotten worse in 2020. Hackers have increasingly sought to steal the information of their targets, rather than simply freeze their systems, bringing more attacks this year on K-12 school systems and hospitals, which often lack the internal IT staff to defend themselves. There’s been at least 80 publicly reported ransomware attacks on health care providers in 2020, according to Allan Liska, a ransomware specialist at the threat intelligence company Recorded Future.
“The prevalence of this style of attack is going to continue to increase in its breadth and depth, if you will, and the severity of these types of attacks is going to continue to increase,” Reiner said. “Across the board, anybody you talk to will say the same thing: 2021 is going to be that much more difficult for everybody when it comes to ransomware.”
Ransomware is also increasingly lucrative, Reiner said. Malicious actors have figured out that certain organizations are “soft targets,” he said, that haven’t designed their cybersecurity with ransomware in mind.
The shift to remote work during the pandemic has also, in many cases, expanded the attack surface of these institutions, he said, creating more opportunities for malicious actors.
But the incoming presidential administration could improve the resources available to state and local governments, Reiner said. In a statement released earlier this month, President-elect Joe Biden said that he would make cybersecurity a top priority during his administration, with investments in cybersecurity infrastructure and in intergovernmental partnerships. In a news conference in Delaware last Tuesday, Biden admonished President Donald Trump for not prioritizing cybersecurity during his tenure, claiming that he would respond to the widespread SolarWinds hack recently shown to have compromised several federal agencies.
Some federal lawmakers have also called for greater cybersecurity assistance to state and local governments in the past few months, including Rep. Lauren Underwood, D-Ill, head of the House Homeland Security Committee’s panel on cybersecurity. The FBI and Department of Homeland Security have long directed government agencies always to refuse paying hackers, but Underwood said that’s not enough.
“It is not realistic to tell state and local governments, hospitals or small businesses to simply to not pay a ransom demand,” Underwood said at a cybersecurity event in Washington, D.C. in November. “Instead we must empower potential ransomware victims with options and weaken their attackers. That means helping state and local governments and critical infrastructure operators improve their cybersecurity postures.”