A brief report Thursday from Moody’s Investors Service concludes that statewide emergency declarations following a cyberattack improve the chances that victims will recover with minimal lasting damage from the incident. Specifically, the analysis looks at Louisiana Gov. John Bel Edwards’ decision last month to declare an emergency following a string of ransomware attacks against school districts across the state.
Edwards’ move has helped the affected districts avoid paying the ransoms demanded by their hackers and mitigate damage to affected computer systems, even as the number of schools affected has grown, Moody’s said.
The initial victims reported July 24 when Edwards made his declaration included school districts in Morehouse, Ouachita and Sabine parishes, though more incidents have cropped up in East Carroll and Tangipahoa parishes. Neither the ransom amounts nor the types of malware used in the attacks have been identified, but the Moody’s report states the school districts have been able to avail themselves of resources that would usually be unavailable.
Since Edwards made his declaration, the schools districts have been aided by the Louisiana National Guard, Louisiana State Police, the state’s Office of Technology Services and computer scientists at Louisiana State University. The Governor’s Office of Homeland and Security and Emergency Preparedness is overseeing the collective response. One immediate result of the emergency declaration is that the school systems have endured the ransomware attacks without any impact to their credit ratings, which Moody’s, a credit-rating bureau, has previously said can be undermined by ransomware attacks.
“The attacks underscore the growing and credit-negative threat to governments across the country from cybercrime,” the Moody’s report reads. “However, the Louisiana school districts benefited from pre-emptive measures that the state had taken to prepare for malicious cyber incidents, which led to the rapid deployment of technical assistance to the affected organizations.”
GOHSEP spokesman Mike Steele told StatesScoop that Edwards’ declaration was motivated in large part by the cyberattacks’ proximity to the start of the new school year. Many of the schools affected begin classes next Monday.
“We were so close to the start of school that the governor wanted to make sure no schools’ schedules were impacted,” Steele said.
Melissa Stilley, the superintendent in Tangipahoa Parish, which sits across Lake Ponchartrain from New Orleans, said in a statement on her district’s website that while data-recovery efforts are still ongoing, the ransomware attack is not expected to disrupt the first day of classes.
“The good news is we have off-site backups of all student data,” Stilley said. “Schedules have been completed; class rosters are ready, and once our printers are back online, they can be distributed.”
According to Moody’s, the school districts do not expect to incur any material costs because of the ransomware attacks, as they plan to reformat affected hardware and restore files from backups. Some of the schools held cyber insurance policies.
Edwards is the second governor to treat a cyberattack like a disaster, following a precedent set in March 2018 when then-Colorado Gov. John Hickenlooper declared a emergency over a ransomware attack against the state’s transportation department. Hickenlooper’s decision has been credited with restoring nearly all of the department’s internal business systems within a month.
Response plans that treat cyberattacks with the same level of severity as natural disasters are becoming increasingly common among state governments. These cyberattack plans corral “whole-of-state” resources that involve statewide agencies, educational institutions and the private sector. Since early 2011, 24 states have formed cybersecurity commissions tasked with drawing up response plans — Edwards created Louisiana’s in 2017.
“It’s good to see how all the parts were synchronized with this event,” Steele said.
But states are still being prodded to shore up their digital defenses. A National Governors Association briefing last month recommended that states draft or update existing cyber disruption response plans. State and local governments got a stronger warning July 29 when the NGA, the National Association of State Chief Information Officers, the Multi-State Information Sharing and Analysis Center and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint statement telling them to take “immediate action” to avoid being the next ransomware victim.
Although only two states have taken the steps to make a cyberattack a formalized emergency, Moody’s predicts that more will follow as ransomware continues to harass all levels of government.