Ransomware attacks are on the rise, with larger incidents hitting state and local level agencies across the country on a weekly basis, often halting everyday services constituents need. Just a few months ago, the computer systems for Los Angeles Unified School District — the second-largest school district in the country — were paralyzed by cyber hackers, with an official ransom being demanded two weeks after the initial systems compromise.


While 80% of state and local information technology leaders believe ransomware has become a formidable threat, less than half have an incident response plan in place. This gap is costing taxpayers more than $18.11 billion annually while threatening vital services.


The ongoing risk of organizations adhering to ransomware payouts is that you often signal yourself to more bad actors as an easier target because of your organization’s lack of proper cyber hygiene best practices and willingness to comply with demands. What’s more troublesome is that when you pay a ransom, the originating criminals will often leave behind a back door to come back later and hold your network hostage again.


Contributing to this spiral is the advent of cryptocurrency, which helps bad actors obscure payment information, allowing them to remain relatively anonymous.


State and local governments often turn to cyber insurance to counter these nation-state-level cyberattacks, which are beginning to come with higher premiums. The city of Portland, Oregon, saw a 48% increase in its annual premiums this year alone (from $220,000 to $325,388) due to cyberattack payouts.

 

Taking legislative action at all levels of government

The sense of urgency to counter the economic impact of these attacks is quickening as new Federal level directives and other collaborative measures have escalated to support states and their municipalities.


In March, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law with a requirement that critical infrastructure owners and operators report ransomware payments to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). In September, CISA and the Federal Bureau of Investigation (FBI) launched the agencies’ Joint Ransomware Task Force (JRTF), geared towards collaborating between the federal, private sector and state, local, tribal, and territorial entities to improve actions against ransomware.


These Executive Orders and commitment from the federal level are important because they tie federal money to funds that states need to reduce their attack surface, driving standardization of compliance and reporting across all 50 states.

But states are not waiting for Federal directives alone to act.


This past April, North Carolina became the first state to prohibit state and local government agencies from paying ransomware demands. The new law dictated that impacted agencies immediately report these attacks within and refrain from communicating or negotiating with hackers.


Florida’s state legislature passed a similar law last July. More bills to restrict or deny ransom payments are pending in Arizona, New York, Pennsylvania, and Texas along with several recently passed incident reporting laws in Indiana, New Hampshire, North Dakota, Virginia, and West Virginia.


Outside of these mandates, what can individual institutions do to defend against and mitigate these risks? The path to protection begins with continuous data care best practices and diligent data recovery measures, followed by public and private partnerships for reporting and public education.

 

Proactive cyber hygiene for real-time visibility

An organization’s absolute first line of defense are the proactive cyber hygiene measures taken to prevent access in the first place. You cannot protect what you cannot see. It’s important to have maximum visibility — a common security measure — into your endpoints.


But there’s no one size fits all solution, so taking that action starts with integrating and automating standardized tools across the security and IT operations environment with a central platform that both teams can work from. With this approach, both the IT and security organizations can gain real-time visibility into what is connected to their network, where sensitive data may exist, and allowing them to remediate any issues found in the process.

 

Preparedness for data recovery

IT security professionals — no matter the agency level, type, or size — should assume that a ransomware act will inevitably occur at some point. That makes data recovery best practices your last line of defense.


It’s become critically important to not just back up your data storage systems, but also to backup your network and firewall configurations as well. Applying “air gap” technology best practices will allow you to separate a copy of your backup data from your affected environments. If the day comes when you are hit by ransomware, your organization will be able to rebuild your devices and save your data with limited disruption.


How often an agency should back up its data depends on the organization’s mission. Archival data, for instance, that isn’t critical to mission operations will fall under less frequent needs. But backups for systems that are critical to citizen services — such as public safety, healthcare, payroll, financial assistance, and corrections — should be maintained as frequently as possible. If those systems are not available, the impact on society-at-large can be very dire.

 

Strategic alliances across state and local organizations

State, local and tribal entities are all grappling with how to reduce their IT risk. But many struggle with a fragmented governance structure, lack of streamlined policies and procedures and have little certainty of how to truly validate the level of cyber hygiene at scale — not to mention operating under tight budgets for talent and tools to keep up with modern cyber threats.


Additionally, many local institutions have some connectivity back to the state level and interface with state systems. In any security situation, you’re only as strong as your weakest link. So, if any single entity connected to your network does not have robust cyber hygiene programs in place, then you’re at risk as a whole.


A whole-of-state approach to cybersecurity allows a state to provide support for cybersecurity management for smaller local government entities — whether by offering pre-approved tools, key threat intelligence and secure reporting, training, or generalized funding in the form of grants — to help bolster cyber defenses across all levels of government.


This approach encourages information sharing across the whole-of-state enterprise and gives a higher level of visibility into cybersecurity practices across the state to achieve a more secure government, easing budgetary restraints on smaller, less-funded entities. A major proponent of this strategy is the State of Arizona, which dedicated $10 million per year to help school districts, tribes, and city and county governments build better cyber resiliency programs.


But the whole-of-state vision is no easy feat. To get it right, states must apply that same model of uniformity at the statewide agency level first before they expand on the local and tribal levels. A solid example in motion is the State of California’s Cal-Secure plan, the state’s first long-term roadmap to direct and decide cybersecurity strategies across state agencies. This multi-year plan establishes statewide cybersecurity standards, defense protocols, and a consolidated patchwork of cybersecurity technologies in prioritized implementation phases to safeguard the state’s critical infrastructure.


If states can get it right on both commitment levels, that two-tiered approach will be the most successful path to warding off ransomware attacks. The ultimate outcome for a successful defense against ransomware will be the same — a common security posture.

For more Cybersecurity Education & Training columns click here.