State and local governments give federal agencies like the FBI, the Cybersecurity and Infrastructure Security Agency and the U.S. Secret Service solid marks on the assistance they provide after ransomware attacks. But states and localities also feel broadly that those agencies could improve their outreach and communications, according to a report made public Tuesday by the U.S. General Accountability Office.
Interviews with four states, eight localities and one tribal nation about the support they’ve received in response to the ransomware threat found appreciation for the advisories and technical tools federal agencies provide. The GAO also interviewed six national organizations, including the National Governors Association, the National Association of State Chief Information Officers and National League of Cities.
Across the board, interviewees said, there are areas for improvement.
“They had generally positive views on ransomware guidance, detailed threat alerts, quality no-cost technical assessments, and timely incident response assistance,” the GAO report reads. “However, respondents identified challenges related to awareness, outreach, and communication.”
Good times, bad times
The GAO, Congress’ auditing arm, found that while most state and local governments were generally pleased with the training and advisories CISA offers, some have found the agency difficult to contact. A few local and tribal governments interviewed told the GAO they were unaware of CISA’s regional personnel, including protective security advisers and the statewide cyber coordinators the agency’s been hiring since early last year.
One public school district told GAO investigators it was unaware of the Multi-State Information Sharing and Analysis Center, the Department of Homeland Security-funded operation that coordinates threat intelligence and cybersecurity resources for state and local entities.
Local officials also reported confusion about the roles each federal agency plays when responding to a ransomware incident. Three localities reported that they were unaware that the FBI’s role is only investigative and does not include hands-on technical services.
The governments interviewed for the GAO report generally praised the incident response services they’ve received. One county described CISA’s assistance after a ransomware attack that disrupted a 911 dispatch center as “outstanding,” crediting tips that county officials picked up at CISA-led seminars, as well as the technical services the agency provided in the wake of the incident. CISA also was credited with providing forensic and data-preservation tools to find the source of the ransomware infection and helping the county isolate the attack, analyze data and provide a “complete report” within hours of the incident being detected.
Others praised CISA for helping local governments develop incident response plans, sharing forensic software and conducting data analyses. Respondents to the GAO also mentioned the Secret Service’s network of cyber fraud task forces and its National Computer Forensics Institute, a program that trains state and local law enforcement on investigating cybercrimes and sends graduates home with about $14,000 worth of software and equipment.
Despite those success stories, the GAO found the federal government’s role in ransomware response can be impeded by bureaucratic confusion that sometimes leaves state and local officials unsure of which agency is responsible for which task. A national organization of state officials told auditors there is “no clarity at the state level about federal agency roles to know who does what and when in the event of a ransomware attack on an SLTT.”
FBI never called back
And while that criticism reflects across the federal government, the FBI was singled out, both for a “lack of clarity” in its role and several anecdotes about poor communication with ransomware victims. Half of government respondents reported “inconsistent” communication with the bureau, despite it having the lead investigative duty.
In one instance, an official told the GAO that a call to a 24-hour hotline went straight to voicemail and never received a response, even though the incident in question was later linked to a malicious actor based overseas — a core part of the FBI’s cyber purview.
“At the time of our interview, it had been 8 months since the SLTT had contact with the FBI regarding its ransomware incident,” the GAO report read.
Another local government told the GAO it notified an FBI field office of a ransomware attack and heard nothing for two weeks, by which time the incident had been resolved. Still one more locality targeted by ransomware said it didn’t bother to call the FBI at all, based on the bureau’s reputation for poor communication.
The FBI told auditors that it is obligated to protect victim data and preserve the integrity of its investigations, but that it will share information “to the extent possible.”
“The FBI acknowledged that prompt feedback is a challenge due to various factors including efforts to incorporate evidence into broader ongoing investigations and coordination with federal and non-federal entities,” the report reads.
The GAO’s report conceded that the responses it collected from state and local governments, as well as the several organizations interviewed, are “not generalizable.” But those anecdotes, the report states, should give some insights into the federal government’s role in ransomware responses.
It recommended that the secretary of homeland security ask both CISA and the Secret Service to evaluate concerns raised by state and local governments and to improve interagency coordination. The GAO made a similar suggestion to the attorney general regarding the FBI.
The report was ordered up by Sen. Maggie Hassan, D-N.H., who chairs the Senate Homeland Security Committee’s panel on emerging threats and who has been a leading voice on Capitol Hill for investing more federal resources in state and local cybersecurity, including DHS’s new grant program.