Local governments shouldn’t pay off ransomware demands, poll finds

A poll commissioned by IBM Security found that 56 percent of people say their local governments should not use public funds to pay off a ransomware demand, even if that raises the cost of recovery.

Ransomware has become such a persistent issue for local governments that it is now the subject of that most timeless of American political devices: an issue poll. And, perhaps unsurprisingly, a survey published Thursday by IBM Security found that more than half of U.S. citizens say their local governments should not use tax dollars to pay off hackers who successfully take down municipal networks.

Opinions moved somewhat when people were asked if they would support paying a ransom if it meant restoring IT systems for a specific government function, but 33 percent of people still said they would not support paying a cent even if it meant bringing 911 services back online.

The poll was conducted by the market-research firm Morning Consult, which surveyed 2,200 adults from Aug. 15 to 18 and found that while 56 percent of respondents would disapprove of their local leaders paying off a ransomware hacker — as several jurisdictions have done in 2019 — views on how governments should defend themselves varied widely when it came to the costs of cybersecurity.

Sixty-three percent of people said they’d rather see their governments pay the costs of restoring infected IT systems, even if it cost more than the amount demanded by the ransomware. But funding that work is less popular, with 54 percent of respondents saying they’d oppose paying higher taxes to cover the costs of heightened IT security.


The poll makes no mention of specific ransomware attacks, though many victims that have refused to satisfy hackers’ demands have wound up paying far more to rebuild their computer systems. Atlanta, which was faced with a $51,000 demand in a March 2018 attack, may eventually spend $17 million once all its post-incident upgrades are implemented. Officials in Baltimore have estimated that the cost of recovering from an attack that came with a ransom note of about $100,000 will exceed $18 million, $6 million of which the city recently transferred from its parks and public facilities fund to cover emergency IT expenses.


Many other public-sector ransomware victims do not pay, including New Bedford, Massachusetts, which announced this week it elected to fix its damaged systems internally after negotiations to lower a $5.3 million demand failed. But the ones that do pay only increase attackers’ appetites, according to IBM Security.

“The use of ransomware to hold cities hostage for ransom payments continues to grow, and as those impacted pay off the attackers’ ransom, the more the price continues to increase,” Wendi Whitmore, vice president of the company’s X-Force Threat Intelligence group, said in a press release.

Overall awareness of ransomware as a threat against local governments remains fairly low, however. While 79 percent of those polled said they were “very concerned” or “somewhat concerned” about hackers targeting more cities across the United States, just 49 percent said they had any level of familiarity with what ransomware is.


But recent events could change that figure, including a highly publicized attack against 22 communities in Texas that occurred Aug. 16, one day after the IBM poll began. Along with widespread coverage in IT industry publications and newspapers across Texas, the attack was also featured in an Aug. 25 story on CBS News’ “60 Minutes.”

The poll’s respondents are most unified when it comes to the financial burdens of ransomware, especially when it comes to the role of the federal government. Forty-nine percent said the federal government bears the greatest responsibility to protect cities from ransomware attacks, with the remaining respondents splitting their responses between assigning responsibility to either state governments or the cities themselves.

Federal agencies do assume a variety of roles in responding to ransomware incidents, including the FBI investigating cybercriminals and the Department of Homeland Security playing an advisory role. But the bulk of the work is typically done at the state or local level. The response to the recent widespread attacks in Texas was led by seven state agencies, which were joined by the FBI and DHS. On Thursday, Texas officials said most of the affected governments “are back to operations as usual.”

The most popular role for the federal government, though, the poll found, is monetary: 88 percent of people supported an increase in federal funding for local cybersecurity programs. And 76 percent said the federal government should reimburse cities for damage from cyberattacks, similar to how the Federal Emergency Management Agency gives financial assistance to communities recovering from a natural disaster.

Federal support for state and local cybersecurity efforts was the subject of a U.S. House Homeland Security Committee hearing in June, when members seemed receptive to creating a grant program after hearing from Atlanta Mayor Keisha Lance Bottoms, though no such legislation has been put forward.


Read the full results here.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
