What the ransomware attack debate is missing
The impact of ransomware attacks against state and local governments continues to make headlines. High-profile attacks against Atlanta, Baltimore and now Riviera Beach, Lake City and Key Biscayne in Florida expose the challenges governors, mayors and local leaders confront in deciding whether to pay a ransom to cyber criminals to regain control of their data.
Arguments have been made that no government official should pay a ransom (Atlanta), that the federal government is to blame for allowing cyber attack tools to be stolen and released on the internet (Baltimore), and that paying a ransom is the only option (Riviera Beach). All sides on this debate have important points with supporters in the cybersecurity industry, but their arguments miss the key issue: our state and local governments are not resourced properly to defend their networks. A better, smarter approach is needed and the answer is not legislation to outlaw ransomware payments.
There is not a state or local government in the United States that is fully funded to defend their information technology networks against cyber attacks. Like many private-sector enterprises, state and local governments make trade-offs with their limited IT budgets between competing priorities, knowing they can’t cover every cyber requirement. While there are many reasons behind this approach, such as insufficient staffing and training, the key issues are awareness of the threat and the funding to support building security and resiliency into the systems.
The most recent survey by Deloitte and the National Association of State Information Officers (NASCIO) makes clear that budget is the top challenge state governments face on cybersecurity — a challenge that hasn’t changed since the first survey was conducted in 2010. Unfortunately, what has changed is a threat environment that is increasingly complex, where the ability to exploit vulnerabilities is growing and the sophistication required to conduct such attacks is decreasing. As a result, our state and local governments fall even further behind in the race to defend their digital networks.
There is a very real question about what the federal government’s role should be in helping state and local governments improve their cybersecurity. We know what the answer would be in the physical world, but we are still falling short in the digital world. What is now needed is a recognition by Congress that protecting our nation’s digital infrastructure is a national and economic security priority that is on par with defending our physical infrastructure. While we have become dependent on the internet for so many government services, we have not provided our state and local governments with the capabilities to make these services resilient in the face of persistent cyber attacks.
The recently introduced State Cyber Resiliency Act by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) would establish a grant program for state and local governments that need help in paying for digital support. It is a good first step, but more is required. It’s not enough to just allocate money toward the problem; the federal government needs to establish an active coordination and remediation program for state and local governments that is supported by the Department of Homeland Security (DHS) and National Security Agency (NSA).
The proposed act should be expanded to include a program for the federal government to provide direct support to state and local governments to remediate those vulnerabilities that NSA and DHS deem critical, particularly in cases where state and local governments can’t do it themselves. The program also would assist states and local governments in the most important first steps toward cyber resiliency: map the networks they own, understand what is on them, and provide assistance to better secure them. This approach would allow the federal government to help our state and local governments fix their cyber potholes quickly and effectively.
Whether the vulnerabilities are exploited by nation-states, criminal organizations or others misses the point; the threat environment will only get worse and our state and local governments will continue to fall behind unless Congress helps now. Atlanta, Baltimore, and the Florida cities are the most recent examples of the dire situation our state and local governments face in addressing cyber threats.
Cybersecurity is one of the few issues to attract bipartisan support. Congress should strengthen and pass a fully funded State Cyber Resiliency Act as a needed first step in making our state and local government networks more prepared and resilient.
Kiersten E. Todt is the resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy and Security, the former executive director of the Presidential Commission on Enhancing National Cybersecurity, and former staff member for the U.S. Senate Committee on Homeland Security and Governmental Affairs. Follow her on Twitter @kierstentodt.
Roger Cressey served in counterterrorism and cybersecurity positions in the White House under Presidents Clinton and George W. Bush. He and Todt are partners at Liberty Group Ventures, LLC.