How Texas responded to a massive ransomware attack in ‘record time’

The coordinated ransomware attack that infected computer systems of 23 local governments in Texas simultaneously in August was met with a brisk response from the state government. It took careful planning behind the scenes to be ready for such a response, state Chief Information Officer Todd Kimbriel told StateScoop in a recent video interview.

Years of preparation prevented the unprecedented attack from having more costly and disruptive consequences than it did, Kimbriel said.

The attackers used malware known as either Sodinokibi or REvil, transmitted to the local governments through a vulnerability in a managed service provider used by all of the organizations. But the state responded and eradicated the threat within a week, Kimbriel said, a much shorter timeframe than is typically seen in ransomware attacks against state or local government agencies; both Baltimore and Atlanta took months to recover from their attacks.

“We were very fortunate in that we prepared for that event,” Kimbriel said. “We had a statewide cyber incident response plan put together in advance of the event. We had our state operations center that was prepared to execute that cyber event response plan. And then most importantly, our state legislature has given our governor the authority to declare a disaster for a cyber-specific event.”

Disaster declarations have become an increasingly common tool for states seeking to rally additional assistance more quickly. Louisiana Gov. John Bel Edwards declared an emergency twice this year in an attempt to prevent ransomware attacks from spreading and causing additional disruption. And according to an August report from Moody’s Investors Service, statewide emergency declarations following cybersecurity incidents do in fact improve the chances that victims will minimize damage.

In Texas, it may have looked like it all happened quickly, but it was actually lengthy preparation that allowed the state to respond as effectively as it did, Kimbriel said.

“We’re very proud of that,” Kimbriel said. “We’re pretty proud that we pulled that plan together and have that on the shelf and execute it. It took years of work to think about how to do that. It was not something that happened overnight. It was a very cross-collaborative effort with different jurisdictions.”

Kimbriel on his top priorities and projects:

“Our top priorities right now are digital government. Right now for us that’s something I call ‘My Gov My Way.’ I’ve talked about it for several years. The idea is that we are changing the way that we consider the way services are delivered to citizens. Rather than delivering services, we want citizens to consume services in a fashion that is relevant for them.”

Kimbriel on identity and access management:

“Identity and access management is really a unique thing for us in the state, we’re so federated.”

Kimbriel on how he sees his role changing in the future:

“The state CIO job is a funny role. It’s part cheerleader, part evangelist, part strategist, part tactician, you know, part magician. It really is a broad role.”

These videos were produced by StateScoop at the National Association of State Chief Information Officers’ annual conference in Nashville, Tennessee, in October 2019.