Louisiana Secretary of State Kyle Ardoin lit into a major sector of the government-technology industry on Friday, saying that many managed service providers — the companies that many government organizations pay to host and manage various IT functions — do not offer security products sufficient to fend off cyberthreats that could target election systems.
Ardoin offered his criticism of MSPs, as the vendors are known, during a presentation on his state’s recent experience with ransomware attacks, several of which began as attacks on providers, which then filtered down to local governments.
“Firewalls and system patches and antivirus: what used to be sufficient for MSPs, they are no longer,” Ardoin said at a meeting of the National Association of Secretaries of State. “As attacks grow more sophisticated, many MSPs have not been upfront with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.”
Ardoin detailed for his fellow secretaries of state how his office reacted when other parts of Louisiana’s public sector were compromised last year by ransomware. An incident last July, in which an attack against an MSP resulted in several school districts having their systems locked up and Gov. John Bel Edwards declaring a statewide emergency. Ardoin said his office responded by temporarily cutting off parish governments’ access to its network, and also limiting email traffic to internal use only.
Louisiana was not the only state to be disrupted by a ransomware attack that came by way of an MSP. Twenty-three communities in Texas were hit last August after a ransomware payload was unleashed on their common service provider.
Another tense situation in Louisiana erupted Nov. 17, when several statewide agencies were the target of another ransomware attack. Many agencies, including Ardoin’s, took their digital operations offline briefly, though the Louisiana Office of Motor Vehicles suffered lingering effects that kept its physical locations closed for several days after the incident.
Ardoin has said previously that his systems and data were not compromised thanks to his office operating on a separate network than the rest of the state government. But on Friday, he added that Louisiana’s cautious reaction was in no small part because the state had just held its gubernatorial runoff election, and officials did not want to spook voters while results were being finalized and risk undermining the public’s confidence in the democratic process.
“Had we pressed the panic button, I think we would have done the voters a disservice,” he said.
But Ardoin said that while his statewide office has made many cybersecurity improvements over the past few years, many of the individual parishes he works with are struggling to keep up, a trend he pinned on MSPs. He said many providers deliver their services through web-based “remote monitoring and management” software that allows MSPs to install applications and updates on their clients’ computers from afar. But, he said, they often don’t use crucial security measures like multi-factor authentication.
“Nation-states and criminal enterprises have no problem accessing networks without MFA,” he said. “Russia, China and Iran can identify MSPs, target them through phishing and deploy devastating viruses. If MSPs aren’t protecting themselves, how can they protect their clients?”
Ardoin said his office uses a managed security service provider, or MSSP, a security-focused vendor that provides tools like endpoint detection, incident response, digital forensics and a security operations center. He recommended local election officials do the same, noting that MSSPs offer security by “preventing and detecting,” instead of merely responding to attacks.
“They’re not protecting local governments,” Ardoin told StateScoop. “When whole cities get attacked, when I’m having to [communicate] by facsimile and telephone because a local government can’t function, that’s an issue. They need to up their game.”
Yet MSSPs are typically much more expensive than regular managed service providers, a disparity that can put more advanced security products out of reach for small entities without big technology budgets. That’s why, Ardoin said, election officials need to fight for more IT security funding.
“You have to push back,” he said. “It’s not about saving money, it’s about protecting systems.”