State

Louisiana is trying to keep better tabs on managed service providers

A spate of ransomware attacks prompted Louisiana to create a registry for MSPs doing business with public-sector entities.

By Benjamin Freed

July 11, 2022

Louisiana Secretary of State Kyle Ardoin, joined by CISA Director Jen Easterly, speaks at a National Association of Secretaries of State conference in Baton Rouge, Louisiana. (Benjamin Freed / Scoop News Group)

As ransomware attacks battered state and local governments nationwide in 2019, Louisiana was hit particularly hard, with school districts shutting down days before the start of the academic calendar, state agencies seized up and New Orleans faced down with a hacker’s demand.

Several of those incidents, notably a July 2019 attack that took down K-12 school systems, were later found to have taken advantage of weak security practices by victims’ managed service providers, prompting Louisiana officials to demand a closer eye on the IT services field. In mid-2020, urged on by Secretary of State Kyle Ardoin, Louisiana adopted a new law that requires MSPs doing business with any public-sector entity in the state to register with Ardoin’s office.

Nearly two years on, Ardoin’s chief information officer, Brad Manuel, told StateScoop the law has given officials a better grasp on the companies that are providing technology services to Louisiana’s statewide agencies, parishes, cities and public schools.

“We saw a need for knowing who the players are in the MSP field in relation to our government entities,” Manuel said in an interview Friday at the National Association of Secretaries of State conference in Baton Rouge. “Now we know who is providing services and we utilize that.”

While the MSP registration law “is not a vetting process” imposing specific regulations on the companies’ services or practices, it does require businesses to notify the state’s fusion center if they are on the receiving end of a cyberattack, potentially giving authorities a better opportunity to react, Manuel said.

“If you’re the victim, you have to notify us in 24 hours,” he said. “Then it allows our state to get ahead of the curve and start doing reconnaissance.”

Manuel declined to say how many MSPs have registered, but noted they range in size from multinational corporations to mom-and-pop businesses. He said service providers have been responsive to the new rules and are taking note of more recent threats, like stepped-up activity from advanced persistent threat groups backed by foreign governments — the subject of an alert issued earlier this year by cybersecurity agencies in the U.S., U.K., Canada, Australia and New Zealand.

“They understand now the severity and responsibility they have,” he said. “I think the tight federal partnership along with the legislation brings that home to them.”