Organizations that depend on managed service providers for their IT needs got a wake-up call Wednesday when cybersecurity agencies from the U.S., U.K., Canada, Australia and New Zealand published a joint alert warning of stepped-up aggression by malicious actors targeting those vendors.
Local governments across the U.S. rely on MSPs for a range of functions, but over the past few years, many localities have become just as familiar with ransomware attacks that begin when a criminal actor targets a service provider, eventually compromising that company’s government clients.
The alert Wednesday from the Five Eyes allies warned not only of criminal threats to MSPs, but also of increased activity from advanced persistent threat groups backed by foreign governments.
“Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the alert read. It also reminded organizations to ask if their MSPs are using several critical cyber hygiene tools, including multi-factor authentication, event logging and principles of least privilege.
‘It wasn’t obvious’
To observers of local-government security, the alert couldn’t have come soon enough.
“It’s almost like stating the obvious, but it wasn’t obvious,” said Alan Shark, the executive director of CompTIA’s Public Technology Institute. “It’s a wake-up call for action. I think it should be taken seriously.”
Shark is an outspoken advocate of local governments outsourcing their IT services, particularly those with fewer financial resources and minimal in-house capabilities, especially as technologies and threats become more advanced.
“More and more local governments are going to have to turn to MSPs for the better expertise they cannot possibly administer themselves,” he said.
But the managed service provider industry hasn’t necessarily kept up with the changing threat landscape, Shark said. Many businesses in that field provide mainline IT services — like data storage or application hosting — but not cybersecurity.
“They see themselves as cloud providers first,” Shark said. “They’re relying on local governments to maintain cyber hygiene in shared responsibility. There are very few [MSPs] that put security up front.”
Curtis Dukes, the executive vice president and general manager for best practices at the Center for Internet Security — the Upstate New York nonprofit group that runs the Multi-State Information Sharing and Analysis Center — concurred with Shark’s assessment.
“First and foremost, you’re talking about small and medium-size enterprises in both the public and private sector,” he told StateScoop. “There’s a general lack of awareness what to ask for. They need IT services to provide services. They don’t have the skills to do that, so they outsource.”
But security, Dukes said, is typically not a standard menu item in an industry built on providing core IT products at competitive rates.
“Their key performance indicators are around uptime and providing basic set of IT services at the lowest price point,” he said. “Security is not typically part of that discussion.”
Texas… then Kaseya
A few cybersecurity events involving MSPs have shifted the conversation in recent years, notably an August 2019 ransomware attack on a service provider that trickled down to 23 communities across Texas. Similar events occurred in other states, like Louisiana, where those incidents prompted Secretary of State Kyle Ardoin to lash out at service providers.
“They’re not protecting local governments,” Ardoin told StateScoop in January 2020. “When whole cities get attacked, when I’m having to [communicate] by facsimile and telephone because a local government can’t function, that’s an issue.”
Ardoin later that year pushed for a law requiring MSPs serving public-sector entities to register with the state and disclose cyber incidents and ransomware payments.
The conversation around MSP security became even more urgent last July, when the IT services firm Kaseya reported that a remote monitoring platform it sells to thousands of service providers was compromised by the REvil ransomware. That attack reached as many as 50 MSPs, which in turn affected more than 1,500 organizations worldwide, including schools, retail stores and several towns in Maryland.
“In a sense, I saw this coming,” Shark said. “There’s been a growing concern since Kaseya.”
He said some MSPs have been up to the task, including the company that services Leonardtown, Maryland, one of the communities swept up in the Kaseya breach. That provider, a local firm called JustTech, was quick to pounce on the ransomware infection and tell Leonardtown’s employees to shut down their computers, Shark said.
“I don’t think any [municipal] staff could’ve done what this MSP done,” he said.
But that may be more exception than rule in a cost-driven industry: “People think a lot of MSPs have not taken cyber as seriously as they should.”
Applying some pressure
Wednesday’s alert could move the MSP industry overall to be more cybersecurity focused — or at least it’s designed that way, Shark and Dukes both told StateScoop.
“If I’m an MSP or a customer, I’d kind of want to know if there are targeted threats to my sector or not,” Dukes said. “The one really important part is the tactical action around the roles and responsibilities between MSPs and their customers. I don’t think that’s always clearly defined.”
Shark said the alert can serve as a “checklist” for MSP clients to ensure they’re following key cyber-hygiene protocols like MFA and documented incident-response plans. He also said there could be added pressure from the cyber insurance industry, when it asks for evidence these steps are being taken before issuing a policy.
“I would advise any local government to ask their MSPs to verify this,” Shark said. “Many MSPs haven’t done all these things. This’ll put the pressure on them to do more.”