It is by no means new news that governments around the world are been targeted by ransomware operators. Recently the US Coast Guard, Georgia Police Department, and the municipality of Jackson County have all fallen victim to a ransomware attack. This is not solely a problem experienced by US government departments, Emisoft determined that ransomware attacks impacted at least 948 government agencies, educational entities, and healthcare providers. Returning to the US briefly Recorded Future discovered that 81 successful ransomware attacks took place against US government bodies across the year. The successful attacks further impact other towns, cities, and departments in subsequent knock-on effects. This all begs the question as to why?
Two recently released studies attempt to answer the why. The first study conducted by IBM found that only 38% of local government employees are trained in ransomware prevention techniques. The research itself took place in January and February of this year. The research was conducted by The Harris Poll on behalf of IBM and contained responses from close to 700 US local and state employees in IT, education, emergency services, and security departments.
Another key finding of the research was that budgets for mitigating cybersecurity incidents have remained stagnant. This was a reality according to 52% of the respondents despite over 100 cities within the US experiencing some sort of ransomware incident in 2019. Polling data also found that 73% of government employees are concerned about future ransomware attacks against the US cites and organizations, placing ransomware above terrorist attacks when it came to perceived emerging threats. From the study it was clear that state employees do see ransomware as a threat, the study noted that,
“With ransomware attacks against cities likely to continue in 2020, both U.S. government employees and taxpayers believe the federal government should step in to assist. The survey shows 78% of government employees believe the federal government should provide assistance to communities in responding to cyberattacks, echoing sentiments from IBM's 2019 study where 50% of U.S. taxpayers said it's the federal government's responsibility to protect cities from ransomware. The majority (76%) of state and local employees also believe cyberattacks warrant emergency support, similar to those used for natural disasters.”
However, the acknowledgment of the problem does not appear to be what is potentially making these departments so vulnerable. The vulnerability lies in their ability to deal with and mitigate the threat correctly. With only over a third of employees receiving training and budgets stagnating, the problem was summarized by Wendi Whitmore, VP of Threat Intelligence, IBM Security, as follows,
“The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyberattacks just as frequently as they prepare for natural disasters. The data in this new study suggests local and state employees recognize the threat but demonstrate over confidence in their ability to react to and manage it. Meanwhile, cities and states across the country remain a ripe target for cybercriminals.”
The institutionalized over confidence described by IBM can be a significant hurdle to clear when looking to defend government networks. A recent study by Deloitte titled “Ransoming government: What state and local governments can do to break free from ransomware attacks,” which explores how these incidents take place further helps shine a light on why governments departments, municipalities, and services have proven vulnerable to ransomware attacks. One of the key findings of the study is that government services are increasingly been offered via convenient online portals, this has increased the possible attack surface. When this is combined with the ease at which malware such as ransomware can be bought “off-shelf”, via ransomware-as-a-service for example, the problem is made substantially worse.
This finding is further complicated by government departments relying on old and outdated systems vulnerable to attack. These old systems are often so old that the software manufacturer considers them a legacy product and no longer provides support for them. This lack of support results in a lack of patches making the systems a security vulnerability. Tight operational budgets prevent these systems from being modernized in any meaningful way despite the services offered undergoing modernization plans. While increased attack surfaces and outdated systems are certainly part of the problem, researchers at Deloitte are of the informed opinion that the human link is the biggest issue in preventing ransomware incidents. Similar to the problem pointed at by the IBM study, unskilled staff in matters of cybersecurity are not capable of detecting attacks by phishing, flaw exploitation, or social engineering tactics to any reliable measure as to help prevent those incidents from occurring.
The study notes that ransomware is here to stay for the foreseeable future, Deloitte looks to provide advice which if followed will go a long to making government organizations hard targets rather than the easy prey ransomware operators see them as. The first consideration is to make the IT modernization leap sooner rather than later. By building a modern system with better security architecture, the security issues inherent in the older systems are now null and void. Second, staff training is essential. The IBM study also highlighted this issue and the longer staff are not given the skills necessary to help detect and mitigate threats the longer they will be vulnerable. Thirdly, Deloitte suggests that adequate patch management practices should be enforced and both data compartmentalization and air-gapped networks for backups should be considered. Lastly, the use of cyber insurance should be considered carefully as policies can have a knock-on effect of incentivizing threat actors to push for even larger payouts than the ones we are currently seeing.