‘WannaCry’ ransomware attack raises alarm bells for cities, states

 


IT officials say they often don’t have enough money to effectively fight sophisticated cyber threats, especially one of this scale.

This article originally appeared on Stateline, an initiative of the Pew Charitable Trusts.

The massive cyberattack that has infected computers in at least 150 countries this past week hasn’t had a major impact on the federal government. But it has struck at least one county and several universities and prompted some state and local agencies to scramble to beef up their protections against the virus.

In the Chicago area, the virus showed up on computers in some Cook County government offices. MIT and several other universities reported that some of their computers also had been compromised. In Connecticut, the state court system briefly shut down some of its computers to update anti-virus software. And in Michigan, state officials quickly began installing extra protection on servers, work stations and public kiosks.

State IT officials say they often don’t have enough money to effectively fight sophisticated cyber threats. And the scale of this one has made them even more concerned.

“This is a big wake-up call because it is cyber disruption,” said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). “States and local government need to address this because it’s a serious threat. We have urged states to take action immediately.”

Cybercriminals launched the fast-moving virus, dubbed “WannaCry,” last Friday. So far, it has infected more than 300,000 machines in countries from Russia to Brazil. Its victims have included Britain’s National Health Service, universities in China and Germany’s train system.

The attackers used “ransomware,” malicious software that hijacks computer systems, encrypts data and locks machines, holding them hostage until victims pay a ransom or restore the data on their own. Hackers demanded $300 to $600 in payments in bitcoin, a digital currency that is transferred all over the internet, which makes payments difficult to trace.

WannaCry spread across computers that run on Microsoft’s Windows operating systems. While Microsoft issued a patch, or security update, in March to protect against the virus, many systems that used older versions the company no longer supported remained vulnerable. Microsoft released special patches for the older versions after the cyberattack.

Cybersecurity experts say they’re not sure why more computer systems in the U.S. haven’t been infected. But they caution that state and local governments still could be affected.

“We’ve been getting a lot of emails from them wanting to know what they should do,” said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center, a federally funded group that tracks cybersecurity issues for states and local governments. “Our advice is to apply patches and keep your antivirus software up to date. Who knows what will happen?”

A growing threat

Hackers using ransomware increasingly have been attacking local governments, hospitals and police departments across the U.S. City and county governments, along with local school districts, have seen an “exponential rise” in threats in the last two years, said Srini Subramanian, a state cybersecurity specialist at the consulting firm Deloitte & Touche LLP. Victims have ranged from small police departments in Maine to a large hospital in Los Angeles.

Even if government officials decide to pay hundreds or thousands of dollars in ransom, their computer networks and communications are often crippled for a day or more by the viruses. And if they don’t pay, it can sometimes take days or even weeks to get their systems back up and running. In the meantime, public services for residents, schoolchildren and even hospital patients may be affected.

While federal officials say the WannaCry ransomware attack apparently has only raised about $70,000 in ransom and the infection rate has been lower in the U.S. than in many other parts of the world, they caution that the crisis may not be over, as the malware morphs into other forms that could threaten more networks.

Some state and local officials say they aren’t taking any chances.

In Connecticut, the judicial branch this week performed “preventive maintenance” on its computer system at courthouses statewide, said spokeswoman Rhonda Stearley-Hebert. She said some parts of the system had to be shut down briefly, including at New Haven Superior Court, where cases were delayed for two hours Monday as staffers installed a software update.

In Auburn, Mass., Information Technology Director Mike Marino said his office installed anti-ransomware software this week on every computer on the network, including those at the municipal building, senior center, library and fire stations.

Auburn’s school department was hit by a ransomware attack about a year and a half ago, and Marino said he doesn’t want town offices to go through that kind of situation. “Just the work required to get things back up and running is so time intensive,” he said. “Plus, any files that aren’t able to be backed up are just lost.”

Michigan took emergency steps to upgrade its network with the latest patch as soon as officials learned of the global cyberattack, said Rajiv Das, the state’s chief security officer. As of Thursday, all the work was completed other than at some employees’ desktops and kiosks used by the public.

“Right now, we are watching very carefully. This is definitely not the end,” Das said. “If you ask me, I’m worried. That’s why my team is on guard.”

In Cook County, WannaCry was discovered on “a small number of systems,” according to spokesman Frank Shuftan. He said as of Thursday, almost everything had been restored and staffers were making additional security improvements, but he would not give any more details, citing security reasons.

Cybersecurity challenges

For IT chiefs at the state and local government level, the failure to protect computers is often a matter of dollars or indifference, said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.

“Some agencies may have the funding to do updates; some may not. Some may be interested in doing it; some may not,” he said. “In many cases, it’s very decentralized. So it’s more like herding cats.”

While cybersecurity has become the top priority for state IT officials, funding is often inadequate, according to a 2016 survey of top IT security officers from 48 states by NASCIO and Deloitte. The report found that in most states, spending on cybersecurity was only a fraction of the overall IT budget, ranging from zero to 2 percent.

And while most elected and appointed state officials said they are very or extremely confident that IT security officials are well prepared for cyber threats, the report found that only about a quarter of the security officials responsible for dealing with the threats were very or extremely confident that adequate measures are in place to protect the data.

NASCIO’s Robinson said a global, organized cyber threat like WannaCry shows how important it is for those measures to be in place.

“I don’t think it’s over. There’s the chance they will regroup and do another targeted attack,” he said. “States need to patch their operating systems when the patches are released. They need to work to strengthen their firewalls and back up their computers. They need to be ready.”
