Local Governments Suffered Nearly a Thousand Ransomware Attacks, Report Finds

Published January 20, 2020

At least 948 government entities in the United States were attacked by ransomware hackers extorting money in 2019, a new report states.

The total cost of the attacks could exceed $7.5 billion, states the report from Emsisoft, a cybersecurity firm. The attacks were made against “103 state and municipal governments and agencies, 759 healthcare providers, and 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected,” Emsisoft reports.

“The threat level is now extreme and governments must act immediately to improve their preparedness and mitigate their risks,” Emsisoft states.

The December Emsisoft report was released in response to a ransomware attack on the City of Pensacola, Florida. The perpetrators of the attack demanded a $1 million ransom in exchange for a decryption key after they stole city data and denied the city access to its own data. The next day, New Orleans Mayor LaToya Cantrell declared a state of emergency due to a cyberattack on the city which posed a potential danger to citizens’ digital information.

‘More Likely to Pay’

Criminal hackers focus on local governments as targets of attacks, rather than the federal government, “because the assets and resources aren’t there to protect them,” says David Grantham, a national security policy and counterterrorism expert.

“A lot of them piggyback and are connected to other networks that could potentially provide a hacker backdoor access,” Grantham said. “The attack strategy seems to be to go after the more vulnerable. They’re more likely to pay ransom because they don’t have the sophisticated tools to repair it. A lot of networks overlap and connect, in ways even some of the designers don’t know.”

Unlike the federal government, local governments generally don’t allocate enough spending toward protecting their digital information, says Seton Motley, president of Less Government. The answer, however, is not to raise taxes but to use existing funds more wisely, says Motley.

“One of my rules is that when someone says, ‘Let’s raise taxes,’ the unspoken assumption is that every penny we’re already raising is being spent perfectly well,” Motley said. “That’s not the case. This is a spending problem, not a revenue problem. The solution isn’t a wealth tax or a higher income tax. The solution is to spend less.”

Utilizing Private Sector

Hiring private companies to protect a government entity’s digital data is a better solution in the long run than hiring government cybersecurity personnel who get pay and benefits, Motley says.

“There are experts at this in the private sector,” Motley said. “There’s no reason to insource this. You should hire a company and keep cronyism in the hiring process to a minimum.”

Private companies can have 1,000 or more customers and are efficient because they focus on one area of service, Motley says.

“[Private companies] have their code, then they just replicate it,” Motley said. “They have the sales force to add customers and internal workforce. They say, ‘We’ll tighten up our code here.’ They’re constantly working on it and doing it in scale, rather than the government sitting and waiting for it to happen.”

This approach to private contracting follows what Motley calls the “Yellow Pages rule”: “If you can find it in the yellow pages, the government shouldn’t do it,” Motley said.

Cyber ‘Amber Alert’

If the government knows exactly what it wants out of a contract, the private sector can be a good place to go, Grantham says.

“There is a vendor for every little tool you could want,” Grantham said. “There are a lot of counties and cities that have robust IT departments in Texas. They do quite well. They went and purchased programs that assist them in their work. Smaller departments could contract some of those capabilities out to the private sector.”

Regional cooperation could help by enabling cities and other government organizations to pool resources to protect their shared networks, says Grantham. On a regional basis, city and county governments could have a secured network where they could share attack information and communicate when attacks do happen, says Grantham.

“If you’re getting hit, maybe in Houston, someone could say in El Paso, ‘Let’s go ahead and shut down our system for now until we know more,'” Grantham said. “Having a communication system, almost like an Amber Alert, would be helpful.”

Pre-911 Mentality

New Orleans did the right thing in declaring a state of emergency and being open about the problem, says Grantham, but those solutions are good only if you know what the problem is. Local governments need to be more open to sharing information with other nearby localities about digital problems in order to address them as quickly as possible, says Grantham. That will require them to overcome obsolete attitudes about cybersecurity, Grantham says.

“We’re living in a pre-9/11 world when it comes to cybersecurity,” Grantham said. “People are scared to share information about being hacked, but the only way to learn how to prevent these situations is to share. It doesn’t mean you have to expose everything, but explain how the attack was carried out and what ransomware to look for.”

Nolan Ryan ([email protected]) writes from Hillsdale, Michigan.

Internet Info

“The State of Ransomware in the US: Report and Statistics 2019,” Emsisoft Malware Lab, December 12, 2019: https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/

Bartlett Cleland, “Are You Secure? Really? How Do You Know?” The Heartland Institute, June 28, 2018: https://heartland.org/news-opinion/news/are-you-secure-really-how-do-you-know