Ransomware attacks paralyzed Baltimore’s computer networks for much of the spring, shutting down the systems that collect parking ticket fines and water bills. Hackers took out City Hall’s help line in Akron, Ohio, during a major snowstorm. In Lincoln County, N.C., sheriff’s deputies had to take crime reports with pen and paper as their computers went dark.
Yet Washington has remained largely on the sidelines.
Lawmakers have offered few ideas on how to respond to the wave of ransom-seeking cyberattacks that have struck at least 80 state and local government agencies. Both the Department of Homeland Security and the FBI appear to be struggling with how to marshal resources to help victims, including basic questions of how they should respond or where they can turn for help.
“We don’t usually look to Washington to solve real problems we have in our daily life,” said Bill Beam, the sheriff in Lincoln County. But, he said, “I would welcome them with open arms to help us with a situation like this.”
Ransomware — generally perpetrated by foreign hackers — has become a costly headache for governments, businesses and ordinary people around the world, infecting and locking up their computers until victims pay up with Bitcoin or other digital currencies. Baltimore and Lincoln County each refused to pay ransoms but expect to spend big money to recover from the mayhem — $18.2 million and as much as $400,000, respectively.
Members of Congress have introduced only four pieces of legislation since January that even mention the word ransomware. None would begin to address the full scope of the attacks that experts say will become only more numerous and severe.
Meanwhile, the executive branch agencies in charge of cybersecurity are still working out the basic rules of the road.
“If I’m under ransomware attack, who am I supposed to call? Is that the same level as a disaster like a hurricane?” Jeanette Manfra, a top DHS cybersecurity official, told reporters after a hearing. “That’s the part we’re working on.”
It’s still unclear how federal, state and local government are even supposed to work together when ransomware hits, said Mieke Eoyang, vice president of the national security program at the Third Way, a center-left think tank that works on digital issues. “We all know what law enforcement does when it shows up to a murder investigation, because we all watch crime shows. What is the digital equivalent of that?”
DHS has taken some steps to recognize the need for more coordination, releasing a recent advice document to help local and state governments struck by ransomware schemes. The FBI has issued its own general guidance about ransomware, although most of it was aimed at companies rather than governments.
The department is also making efforts to help repel ransomware attacks on voter registration databases managed by local election administrators, fearing that hostile nations could use criminal hacker techniques to undermine the 2020 election.
But that will do little to offset the cost of the digital attacks nationally or improve cyber defenses in smaller municipalities. Those include nearly two dozen local governments in Texas, which were struck over the summer by a coordinated attack that led Gov. Greg Abbott to activate the state’s second-highest level of emergency response.
Atlanta Mayor Keisha Lance Bottoms called on Congress during a House Homeland Security panel in June to help cities and states by providing money to help them head off and respond to the attacks. Her city spent more than $7 million to recover from a ransomware attack last year.
Federal funding, she said, “would not only accelerate responsiveness and restoration but would also result in fewer municipalities paying ransoms and ultimately decrease the occurrence of local governments as targets.”
Baltimore, meanwhile, is still recovering from what may prove to be the most expensive ransomware attack ever for a state or local government in the United States.
The assault began May 7, and as late as the first week of June, city officials said just a third of Baltimore’s employees had regained access to their computers. The lockout delayed more than 1,000 home sales, knocked down a website for paying water bills, derailed city voicemail and email systems, took down a parking fines database and prompted cancellation of City Council hearings. In September, city auditors revealed that the attack had destroyed data in the information technology department.
The FBI received nearly 1,500 ransomware reports last year from all sectors, with an estimated damage total of $3.6 million. The cybersecurity firm Recorded Future, which has kept track of publicly reported ransomware attacks, tracked 80 on municipalities this year, compared with 53 in 2018, though both figures are likely to be underreported. And when it comes to paying the ransom to hackers, the cyber firm Coveware found that governments on average pay 10 times more than businesses.
Former national security officials acknowledge that Washington can do more.
“This is ripe for additional focus,” said John Dermody, a former DHS and National Security Council legal adviser who worked in the Obama and Trump administrations. “It’s underappreciated for how significant it’s going to be.
“The attacks are fairly simple to pull off,” he said, and state and local governments aren’t fully equipped to fight ransomware.
Another complicating factor: Federal agencies don’t always have the same agenda as the localities under attack. “The FBI wants to investigate and prosecute,” said Dermody, now with the O’Melveny law firm. “The private sector and state and locals may want to get back on line as fast as possible” by simply paying the ransom, he said.
The FBI should help potential targets focus on preventing attacks, said John McClurg, vice president and ambassador at large at BlackBerry Cylance. Additionally, he said, “The federal government should consider procuring next-gen technologies and providing them to the state and local governments that lack either the expertise or the funding to do the evaluations and make the purchases.”
Some in Congress want more action. Sen. Maggie Hassan, a New Hampshire Democrat who frequently asks ransomware questions at hearings of the Homeland Security Committee, said the executive branch could deepen its relationships with state and local governments and remind them about the severe nature of the threat.
“It’s really important that we recognize these ransomware attacks are really a growing threat to all levels of government and all sectors, too,” Hassan said.
The federal government could also lead more ransomware-specific exercises designed to prepare states and localities, said Courtney Modecki, vice president at the firm SafeGuard Cyber.
States also need more immediate information about threats, said Charles Carmakal, strategic services chief technology officer for FireEye, a cyber firm that has helped respond to ransomware attacks.
Without help from Washington, state and local governments are acting on their own. At least five states — California, Connecticut, Michigan, Texas and Wyoming — have passed laws to explicitly criminalize ransomware and computer extortion, according to the National Conference of State Legislatures.
The United States Conference of Mayors this summer passed a resolution discouraging local governments from paying ransoms, saying it encourages more attacks when the hackers continue to profit. This summer, a variety of organizations — the National Governors Association, the Multi-State Information Sharing and Analysis Center, the National Association of State Chief Information Officers and DHS’ Cybersecurity and Infrastructure Security Agency — also teamed up to produce ransomware advice.
Some states have taken steps that, while not specifically designed to respond to ransomware attacks, have been used to do so, said Maggie Brunner, a program director at the National Governors Association’s Center for Best Practices.
Brunner pointed to Michigan establishing a Cyber Civilian Corps whose volunteers provide expertise to the state, while the governors of Colorado and Louisiana mobilized resources by declaring a state of emergency over cyberattacks.
Despite the lack of ransomware-specific legislation, several bills introduced this year could help, experts said. Hassan touted one of her own bills, sponsored with Sen. John Cornyn (R-Texas), S. 2318, that would require DHS to offer to state and local governments the same capabilities that the department uses to protect federal computer networks. Democrats at the House Homeland Security Committee are writing a ransomware-specific bill that could debut soon.
This week, the Senate also passed a version of a bill Hassan co-sponsored, H.R. 1158, that would enshrine into law the DHS cyber incident response teams that assist states and localities responding to cyberattacks.
For now, local officials aren’t waiting for assistance from Washington, nor do all of them want financial help.
“I think there’s absolutely a role for the federal government to play in terms of technical assistance, but I don’t like the idea of payments,” said Richard Permenter, Republican vice chairman of the Board of Commissioners in Lincoln County, N.C., where ransomware hit the sheriff’s office in July. “We wouldn’t like to have to incur the financial burden from recovering from this, but we could.”
But, he said, “If the NSA wants to send their best hackers down here to sit with the head of IT for a week, we’ll even buy them lunch.”