Just as biological viruses are most dangerous to people with weak immune systems, ransomware attacks have proven most harmful to the local governments that have allowed years to pass without sufficiently updating their IT infrastructures and workforces.
New ransomware attacks crop up each week, forcing governments to either spend weeks or months manually repairing critical systems or fork over thousands of dollars to hackers, with no guarantee that the attackers will undo the damage their malware wrought. Alan Shark, executive director of the Public Technology Institute, a group that helps local governments optimize their information technology management, says the solution is simple: outsource everything.
Shark, who has spent the past 15 years working with local governments, told StateScoop he believes that most of these municipal bodies can no longer keep up with today’s pace of technological change given their limited resources. All local governments, particularly the smaller ones, he said, should at least consider hiring an outside firm to handle IT functions.
“I think we’ve reached a crisis point where we really need to face what needs to be done,” Shark said. “Ransomware maybe isn’t preventable, but they should at least be better at reacting.”
There have been nearly 180 reported ransomware attacks against state and local governments since 2013, and the frequency seems to be increasing. Atlanta’s decision not to pay its ransom last year led into an estimated $17 million in potential repair costs. After not paying its attackers in May, Baltimore’s ransomware incident could top $18 million.
Despite the recommendation of federal authorities never to pay ransomware attackers, cities hoping to skirt prolonged, expensive and embarrassing incidents like those in Atlanta and Baltimore are paying anyway. Lake City, Florida, agreed to pay a $490,000 ransom last week. Riviera City, Florida, paid about $594,000 the week before.
In a recent opinion piece published by CompTIA, the technology company that purchased PTI earlier this year, Shark outlines 10 reasons why he believes outsourcing IT is the most prudent course for local government. Many of his arguments revolve around aging IT workforces and the difficulty of recruiting young talent to pick up the slack.
In fact, Shark told StateScoop he was most convinced that a major shift in local-government IT management was needed after hearing many rumors of “shadow” payments made by local governments that were struck by ransomware but did not tell their residents.
Many governments over the past couple decades have begun consolidating IT systems once managed by individual agencies. Shark argues that while this is a righteous effort, the resulting webs of integrated systems sometimes present attackers with gaping security holes.
It’s uncommon for a local government to outsource all of its IT, but the rise of cloud computing has encouraged agencies to outsource more of their services, allured by promises of scalability and cost-efficiency as their organizations become more compact. For the chief information officers who lead these centralized and semi-centralized IT organizations, this has increasingly meant abandoning the role of a back-office IT manager who is installing and fixing devices around government offices, and instead becoming an IT “broker” managing relationships with the vendors that provide the services.
The natural progression of this trend, Shark says, is for local government to outsource everything, as San Diego County, California, did in 1999.
“It was a big deal back then,” said the county’s CIO, Mikel Haas. “We were woefully behind and to bring us up to a level we wanted to get to would have taken a tremendous capital investment.”
San Diego County, now home to 3.3 million residents, was in a position that many governments encounter. It wanted to upgrade its aging systems, but couldn’t do it all at once. Further complicating matters, the county would’ve had to continue maintaining its existing systems while building the new ones, effectively paying for duplicate systems until the years-long upgrade was complete. That also presented a practical challenge in finding staff who knew how to design and operate modern applications, but also knew about mainframes and could code in old programming languages like COBOL.
“Rather than trying to incrementally climb out of that, the decision was made to get out of the [capital expenditure] business,” Haas said.
San Diego County originally hired Computer Sciences Corporation to manage all of its IT. The district attorney and the Sheriff’s Department opted out of the deal, but every other agency gets its technological needs from a single external source.
“We only buy services,” Haas said. “We don’t own anything. We don’t even own the laptops.”
Haas works for the county and oversees a team of about a dozen people who also work for the county. They set standards and develop the IT architecture and infrastructure upon which the current IT provider, Perspecta — a successor company to Computer Sciences Corporation — can build services. Haas said it may be an unusual arrangement for a local government, but after 20 years, he can’t imagine going back to managing services in-house.
He said it also has the added bonus of making the county’s IT costs predictable and insulates his department from budget cuts.
“It sounds trite, but IT is not necessarily a government function,” Haas said. “It’s not a core competency. Serving constituents is a core competency. IT is a tool. And like many tools, you can get it cheaper and faster and better by looking to the private sector.”
Where security is concerned, Haas said he’s especially confident because in some cases, such as cyberattacks, San Diego County’s contract provides unlimited liability coverage. (The Port of San Diego, which was hit by ransomware last year, is a separate entity.) If ransomware hits the county, the vendor is responsible for fixing it, paying for everything and ensuring all data and services are backed up.
“That’s a pretty strong incentive,” Haas said.
Not good enough
Not everyone loves Shark’s idea. Ben Hogarth, the public information officer for Stuart, Florida — which was infected by ransomware in April, but did not pay — said having all its IT staff and resources in-house allowed the city to respond more quickly to the attack.
“You can’t pull the plug” on your systems, he said, if there’s no plug nearby to yank.
“I don’t think that the industry is so black-and-white that all your IT services need to be all outsourced or completely in-house,” Hogarth said.
Stuart’s ransomware attack did lead the city to reconsider its disaster recovery arrangement, however. The city isn’t going to outsource everything, but it’s now building redundant systems that use a combination of on-site and cloud storage.
“We could have been better off having some of our systems externally hosted,” Stuart said.
Shark acknowledged that many local government IT workers whose job security could be threatened by greater outsourcing might not like his idea. But he also said he didn’t arrive at his conclusion overnight. He recalled years of correspondence with government officials working 18-hour days and weekends, but still coming up short in the face of challenges such as ransomware. Trying one’s hardest isn’t good enough anymore, he said.
“People are not happy with what I wrote but they understand why,” Shark said. “I would personally rather keep things at the local level. I just find it hard to believe people will keep up with what we’ve seen in the last 10 to 15 years.”