Robust federal investment and clear operational procedures would help state and local agencies better defend against ransomware, experts said.
When it comes to meeting ransom demands to recover their encrypted data, there are plenty of pros and cons, according to a panel of state and local officials speaking at the Dec. 9 NextGov and Route Fifty Cybersmart Summit.
Although the discussion was titled, “To Pay or Not to Pay: Rethinking Our Response to Ransomware,” the panelists acknowledged that a question as nuanced as ransomware requires a considered response.
“There is no easy answer. In an ideal world, the answer would [always] be no,” New York State Sen. Diane Savino said. However, cybercriminals often target smaller, under-resourced organizations that cannot afford to remain offline for long, such as school districts, health care institutions and local governments. For many, paying the ransom seems the better choice -- even though in many instances, victims’ data is not recovered even after paying the fee, she said.
Additionally, the decentralized nature of U.S. state and local agencies has made it harder to come to a consensus approach against such attacks, said Ron Sanders, staff director of the Florida Center for Cybersecurity.
“It depends on the kind of support they’re getting from state and federal law enforcement and cybersecurity agencies, because while they are all islands unto themselves, this is a collective problem and it requires a collective defense,” he said.
Partnering with federal agencies like the FBI would allow state and local departments to come up with clear, standardized cybersecurity practices that everyone could follow, Savino said. She also emphasized the importance of training during the remote-work era.
“People in government are utilizing their own technology because the agencies weren’t able to provide them [equipment], but the risks associated with a state worker who has access to millions of New Yorkers’ Social Security numbers … is really frightening,” she said.
Another issue is that organizations are not required to report security breaches, which poses a dilemma for victims, Savino said. If successful attacks are widely publicized, criminals could target vulnerable institutions repeatedly. However, the lack of reporting and transparent information sharing between federal, state and local departments is ultimately a disadvantage.
Apart from more training and investments in cyber defense, Sanders suggested that the federal government could make it illegal to pay as a result of a ransomware attack. This would give smaller agencies something to hide behind, he explained.
Besides outlawing ransomware payments, the federal government needs to invest in “local governments, to help them shore up their defenses, to help them raise the resiliency bar, so that a bad actor can look at them as a potential target and realize it is not worth the attempt,” Sanders said.