While ransomware is a relatively new phenomenon, ransom-related crimes have been around for generations. Here are four lessons from the past which we believe will help state and local governments protect themselves in today’s digital world.
In 2018, there were 56 targeted ransomware attacks reported by state and local governments in the United States, a 40 percent increase over the number reported the previous year, according to a May 2019 Recorded Future report. In the first half of 2019 alone there were 55 documented attacks, nearly equaling the 2018 total and suggesting that this trend is accelerating.
The increasing number of ransomware attacks in state and local government has resulted in an explosion of media coverage, most of which has focused on current causes and effects. We believe there’s value in looking at past instances of ransom-related crimes, such as skyjackings and kidnappings, and examining the actions taken to reduce them. These examples offer response tactics we believe can be applied to today’s digital world.
Let’s start with skyjackings. In the 1970s, over 150 planes were hijacked and held for ransom in the United States alone. Fast-forward to 2018: there were none. So what changed? Three things:
- More stringent airport screening;
- Hardened cockpits on planes; and
- Aggressive responses by passengers and crew to potential threats.
The response to political kidnappings can be equally instructive with regard to dealing with ransomware. The advent of “Kidnapping and Ransom (K&R)” insurance completely changed the calculus on these events by adding a risk reduction requirement to the policies. If you wanted K&R coverage you had to take precautions to actually reduce your risk of being kidnapped.
Using Past Ransom Crises to Define Future Ransomware Response Strategies
What do the responses to these past threats have to do with today’s digital attacks? We see four lessons learned from past ransom crises which we believe can be applied to protecting state and local governments from ransomware.
- Change behaviors. In the skyjacking example, increased airport screening has affected air travel for all passengers, but they’ve adapted to it. Taking off your shoes and going through a metal detector are now accepted practices. Similarly, cities might consider adopting e-screening techniques as a requirement before the public can access digital services. This might include something as simple as making sure residents have updated the operating system software on their mobile devices before allowing them access to city websites. Or, it might mean changing internal practices to implement more stringent patch management on agency-owned assets, such as using tools to prioritize this type of mitigation. In addition, city employees could be required to connect to work-related applications only with city-owned assets or via proprietary VPN connections using two-factor authentication.
- Harden the infrastructure. If a threat actor in a skyjacking scenario can’t get in the cockpit, they can’t take over the plane. Government IT infrastructure needs to be equally hardened. While information technology professionals understand the importance of implementing CIS controls and/or other standards, they often lack the budgetary influence to obtain the tools necessary to implement them. In the ongoing Deloitte-NASCIO Cybersecurity Study, which is based on biennial surveys of state CIOs, respondents have routinely cited a lack of sufficient funding as their No. 1 challenge in addressing states’ efforts to thwart threat actors. To address this, cities should transfer cybersecurity responsibility from IT to public safety. Public safety initiatives get funded because their work is visible to the public. More to the point, public safety leaders can acquire weapons and weapons systems — and cybersecurity tools could be branded as such. Here are three ways local governments can change the conversation when it comes to cybersecurity funding.
- All for one and one for all. Behave threateningly on an airplane today and fellow passengers will take action. While we’re certainly not condoning vigilantism, we believe cities should empower their communities to respond quickly and assertively to all forms of cyberthreats, from phishing attacks to complex exploits by threat actors. First, mayors should install someone in uniform as the city CISO and address cyberthreats in the same manner as any other potential crimes. Tools like Tenable’s, which offer predictive prioritization of vulnerabilities, can stand alongside crime reporting, analysis and forecasting tools like CompStat to ensure appropriate resources are applied based on the probability of these crimes occurring. Second, public safety officials should set up Crime Stopper-type channels for reporting cyberthreats and vulnerabilities and make them publicly available. Finally, mayors should create a “cyber corps” of local experts who can be called on as advisors during a crisis and also serve as a sounding board for public comment regarding cyberthreats.
- Use insurance as an instrument of change. Kidnapping and ransom insurance policies led to enhanced risk management requirements on behalf of the potential beneficiaries of these policies. The same will be true for cyber insurance. Cities will want to obtain the lowest rate possible for coverage and will therefore comply with similar risk management requirements. This will come with a cost, albeit a much lower one than a ransom. Mayors who choose to acquire cyber insurance can use this fact as a lever to gain increased budget for the acquisition of cyber tools and staffing to control the cost of premiums and further reduce the probability of future ransomware attacks.
While it’s true that the challenges we’re facing in today’s digital world are unique, it’s helpful to consider these and other ways state and local governments have responded to other major public safety challenges. If you have other ideas on how we can use historical responses to guide our future strategy, email me at [email protected].
- Read the blog: Cybersecurity as a Public Service: 3 Ways Local Governments Can Change the Conversation
- Read the ebook: 3 Things to Know about Prioritizing VUlnerabilities
- Listen to Tenable’s Cyber Exposure Podcast: Episode 10, “Eternally Blue about Ransomware.”