The closer collaboration with federal agencies that state and local governments depend on after incidents like a ransomware attack would be more achievable if those federal agencies played better with each other, according to a report last week by the U.S. Government Accountability Office.
The two-pager, published Nov. 16, points out that while the Cybersecurity and Infrastructure Security Agency, the Secret Service and the FBI all play vital roles in helping state, local and K-12 entities protect against and recover from ransomware, they lack clear lines of communication for facilitating that assistance. Much of the three agencies’ coordination when assisting a state or local agency has been “informal” and lacks documented procedures, according to the GAO, Congress’ auditing branch.
This latest report was meant as a reminder of lengthier reports the GAO put out this year analyzing federal agencies’ roles and performances in helping states, localities, tribes, territories and school districts protect themselves against what seems like an ever-escalating ransomware threat. Citing data collected by the Multi-State Information Sharing and Analysis Center, SLTT governments — including K-12 schools — experienced more than 2,800 ransomware incidents between January 2017 and March 2021.
“It puts a strain on resources and how we’re responding,” said Jennifer Franks, GAO’s director of information technology and cybersecurity, who authored last week’s report and longer studies published earlier this fall.
In a report completed in September, GAO auditors found that while state and local agencies are generally appreciative of the assistance they receive from federal agencies, communications with Washington can be spotty. That criticism singled out the FBI, which was flagged for delayed replies to requests for help, despite the bureau’s investigative duties.
And while CISA rated better, states and localities were sometimes challenged in identifying the federal cybersecurity services that agency makes available.
“It really comes down to education and awareness,” Franks told StateScoop.
Last week’s GAO brief also recalled findings in an October report on the Education and Homeland Security departments’ progress on K-12 cybersecurity. Those departments, the office noted at the time, need to establish a government coordinating council — similar to those in place for other sectors, like elections or electric utilities — to set policy goals and guidelines for improving schools’ cybersecurity.
The K-12 sector is bundled with a coordinating council of state, local and higher education officials, but Franks said grade schools need their own group.
“That’s because of the accelerated uptick of attacks and number of [K-12] organizations,” she said. “The resources and computing infrastructure is different. They need their own community to make sure the resources that are needed, that they’re receiving the same outreach in the same ways, but targeted to their industry.”