Page 40 - FCW, May/June 2020

COVID-19
would set aside $400 million per year for states to tackle ransomware and other cyberthreats.
Matt Pincus, director of government affairs at the National Association of State CIOs, told FCW that Congress and other policymakers became more engaged in the issue after the high-profile ransomware attack on the city of Baltimore last year. However, a one-size-fits-all solution is unlikely because each state has its own policies governing how employees use personal devices for work purposes.
“I would say that all the additional responsibilities of state IT [officials] since the pandemic began have exacerbated the amount of responsibility they have in the cybersecurity world,” he added.
Pincus said state IT leaders have told NASCIO, which helped craft the bill that proposes $400 million in annual funding for states, that they need more training for employees so they can avoid phishing lures and other tactics that allow ransomware actors to make their way into government systems. He added that multifactor authentication, endpoint security, software patching tools and remote security assessments were also flagged as pressing cybersecurity needs.
Knake referenced the Obama administration’s “Cash for Clunkers” program that encouraged people to trade in older cars for newer, more fuel-efficient models and said Congress should approve a “Cash for Cobol” program to fund the replacement of agencies’ outdated IT systems.
Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, called ransomware “the single biggest threat that we’ve seen to enterprises today.”
In the past 18 to 24 months, cybercriminals have transitioned from crimes such as bank fraud and wire fraud to focus their operations on ransomware, and they have increasingly targeted large entities that need to be up and running at all times. Those criminals take advantage of exposed services such as the Remote Desktop Protocol or deliver malware in search of an ever-larger payday.
“Ransomware actors have, I think, realized there’s a cash cow in targeting many of these organizations, particularly when you get down to the state and local governments that may not necessarily have the cyber resources to protect themselves adequately,” Meyers said. “They’re able to use that to their advantage to get these organizations to pay.”
A report by the Cyberspace Solarium Commission states that confusion over who should help organizations recover from ransomware attacks is one of the major blind spots in U.S. cybersecurity. “Who is responsible for setting priorities (and providing funding) when it is necessary to ‘turn the lights back on’ following a major cyberattack?... How do local hospitals, water treatment facilities and municipal offices ask the federal government for assistance during a sustained ransomware campaign?” the commission asks in its report.
The hidden costs of paying ransom
Pincus said that in the past Congress has balked when NASCIO pushed for the federal government to subsidize cybersecurity at the state and local level. But the COVID-19 pandemic has demonstrated that those entities play a key role in distributing benefits from the federal government.
“The federal government charges the states to administer hundreds of federal programs...even funding that’s in the CARES Act,” he said. “If you want unemployment insurance to be distributed among citizens, you need to make sure that you have systems that are capable of doing it.”
Rep. Dutch Ruppersberger (D-Md.) has successfully advocated for more federal funding for state and local cybersecurity needs in the past and was one of four lawmakers who signed a letter to House leaders in April asking them to include grant funding in a future stimulus bill. A spokesperson for his office told FCW they have not yet received a response to their request.
“I think the challenge is going to be convincing members of the connection between the pandemic and ransomware,” the aide said, noting that emphasizing states’ and municipalities’ greater reliance on digital services during the coronavirus lockdown is a powerful argument. “I think it’s going to be a messaging battle.”
Most experts advise ransomware victims to do everything they can to avoid paying a ransom. Pincus said NASCIO’s message to states is the same as that of the Cybersecurity and Infrastructure Security Agency and others: Don’t pay.
Knake said organizations that failed to heed that advice in the past have made the current situation much worse. Criminal groups have “built these organizations starting from that $50 ransomware from your grandmother’s computer, taking that money and reinvesting it in their capability, and so what we’re seeing today is the result of that,” he said. “We have grown these criminal enterprises, we have paid their R&D budgets, and now they are targeting us, and we are in very bad shape.”