The ransomware attacks that have plagued state and local governments for the past several years continue to grow more frequent and sophisticated, while government organizations struggle to be prepared for these incidents, a new study by the consulting firm Deloitte argues.
The study comes after the end of a year that saw an agonizing spike in attacks against U.S. public-sector organizations — 163 by Deloitte’s count — with more than $1.8 million paid out to hackers and tens of millions of dollars more spent on recovering or replacing damaged IT infrastructure. The pace of attacks has also accelerated in part due to the increasing availability of ransomware as an off-the-shelf service, as other analysts have warned.
“With powerful algorithms and bitcoin offering easy off-the-shelf methods for encryption and payment, exploits are often the driver behind new waves of ransomware attacks,” the report reads.
Meanwhile, local governments — along with school systems and health facilities — continue to make some of the most tempting targets because of their growing dependence on emerging technologies, including internet-of-things devices, but limited budgets for cybersecurity.
“A few decades ago, there may have been a few computers in the central office of local school districts or police departments, but today every squad car has a computer, and each classroom likely has a few,” the Deloitte study reads. “This trend is not likely to stop either. Connected traffic cameras, ambulances, trash trucks, parking meters, and libraries (just to name a few) make up an incredibly varied, constantly growing array of endpoints, all connected to state and local government networks—and all potentially vulnerable to attack, creating a larger attack surface.”
The report’s author, Srini Subramanian, a Deloitte principal who leads the firm’s state-government and higher-education cybersecurity practice, chalked up the rise in attacks to three factors: governments’ lack of preparedness, small IT budgets and a limited workforce.
Ransomware attacks capable of debilitating an entire city government, such as one last year against Baltimore, will continue “until the time our local governments are able to confidently say we are prepared for a ransomware attack and that backups will not be compromised,” Subramanian said. “Look, you’ve gotta be able to confidently say we can restore our system.”
But Subramanian, who also conducts biannual cybersecurity surveys for the National Association of State Chief Information Officers, noted the twin problems of limited IT budgets and the low availability of security professionals. On average, a 2018 survey found, states commit just 1 to 2 percent of their overall IT spending to security, and Subramanian worried local governments are in far worse positions.
“State government is in crisis stage,” he said. “I can’t even fathom local government. There is really no way they can protect themselves against these threats.”
Subramanian also said that some local governments, such as two Florida communities that collectively coughed up $1.1 million last year, chose to pay off their attackers because the costs of paying ransoms were less than a full rebuild. That’s often the case, especially if those payments are covered by insurance. The city of Baltimore, by comparison, refused to pay a $76,000 demand when it was attacked last May, and now faces a recovery bill that could eventually reach $18 million.
But Subramanian also said there’s evidence that governments’ reliance on cyber insurance policies correlates with an increase in ransomware incidents and hackers’ demands. The Russian criminal group allegedly behind the Ryuk malware, appears to be reacting to the popularity of insurance by stepping up its attacks against public-sector entities, the Deloitte report states.
“While diverse in its targets, this syndicate appears to be specifically targeting U.S. state and local governments and demanding nearly 10 times higher ransom than average attacks,” it reads.
But rather than just pay a deductible and have insurers cover the cost of ransoms, Subramanian said there are steps local governments can take to protect themselves. Along with the familiar prescription of encouraging better cyber hygiene among workers and patching systems regularly, he stressed the importance of backups segmented from main networks. In the event of an attack, he said, an “air-gapped” system image, one disconnected from the internet or local networks, can help get vital systems, such as email and revenue collection, restored quickly.
“The cost of storage has become so cheap,” he said. “Have an air-gapped backup, and after [backing up], the backup is locked out of the network. I think that is a fundamental necessity in the age of ransomware.”
But the Deloitte report says the staffing shortage is a bigger challenge, though. It recommends communities avail themselves of programs like Michigan’s Cyber Civilian Corps, a roster of IT professionals who make themselves available to help respond to cyberattacks across that state, as well as regular war games for governments to test their capabilities against simulated ransomware incidents.
Subramanian suggested that local governments consider pooling their resources regionally.
“A voluntary force is great, but there has got to be a more robust model,” he said. “Cyber services have to be shared across state and local jurisdictions. Incident response as a shared service. In today’s age of talent shortage, that’s one way local governments can solve this problem.”