Author: Alliant
According to the lead cyber research scientist at Sophos, the company whose 2022 annual report is cited above, public entities must devote necessary resources to training and support for their systems to be more attractive to carriers and less attractive to cyber criminals. “Security is not something you buy, rather it is something you do, and it must be done continuously if we want to see meaningful improvement,” according to the Sophos expert.[vii]
Among the recent high-profile public-sector data breaches was that of the District of Columbia’s computers in March of this year in which the personal data of more than 56,000 people was stolen in a hack of the U.S. Congress’ online health insurance marketplace.[viii] The D.C. Health Benefit Exchange Authority serves approximately 11,000 members of Congress, U.S. Senators, and their staff members and some other 100,000 people, including some Washington, D.C. officials, small businesses, and residents. Among the data compromised were names, social security numbers, dates of birth, and health plan information including home addresses, phone numbers, email addresses, ethnicity, and citizenship status. Apparently, the FBI was able to purchase data about congressional members and their families on the “dark web” due to the breach.[ix]
Other recent public entity attacks involved the data of 2 universities and 1 county government. IT systems at Tennessee State University and Southeastern Louisiana University were both hacked, presumably by ransomware attacks, in February of this year. In both instances, the hacks caused the universities to shut down their internet access on campus for several days. Tennessee State is a historically black university. HBCUs have been frequent targets of hackers due to longstanding funding imbalances impacting their budgetary ability to afford the kind of network security needed to protect their data. At Southeastern Louisiana, school administrators also notified students following the attack that the school had taken the network offline as a preventative measure.[x]
Late last year, Suffolk County, New York was forced offline due to a ransomware attack. As a result of the attack, 911 calls had to be taken down by hand, police had to radio in crime report details rather than emailing them, and office staff had to use fax machines to transmit information. After 2 months, the county was still suffering from its cyber paralysis, with officials admitting that more data than originally believed had been compromised and stating that personal information, including driver’s license numbers associated with 470,000 traffic violations, was exposed. During the months-long shutdown of the county’s IT systems, essential county functions could not be completed as usual. Though Suffolk County had expended some $6.5 million in cyber security initiatives and conducted cyber-attack simulation drills, the recent hack revealed online vulnerabilities including the use of legacy systems, common in the public sector due to lack of funds to perform expensive upgrades.[xi] Following the release of an investigation of the incident late last year, what is clear is that the county had been warned of a flaw exposing its data to hacking and did not perform necessary work to repair it.[xii]
In November 2021, to combat ransomware attacks against public entities, North Carolina’s legislature passed the first law in the nation prohibiting state and local government entities from using public funds to pay ransomware demands of cyber criminals.[xiii] The law is broad in scope and includes provisions forbidding public entities from even communicating with malicious actors following ransomware attacks. Instead, the law requires public attack victims to consult with the North Carolina Department of Information Technology. A similar bill was passed in 2022 in Florida.[xiv] Unlike the NC bill, the Florida law imposes new security standards on local governments that must be met by 2025 and that are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[xv]
Passage of these bills is not without controversy, however. Though designed to prevent attacks (since it becomes illegal for hackers’ ransom demands to be paid with public funds), at present there is no real-world evidence of the laws’ effectiveness in reducing the number of attacks. The fact of the matter is that just as in the case of the HBCU discussed above, there is a lack of funds available to prevent and remediate ransomware attacks at many public sector institutions. Although other states are considering legislative bans on public sector ransomware payments, paying the ransom is the fastest and cheapest way for many victims of ransomware attacks to avoid catastrophic failure or having to rebuild their entire systems from the ground up at a cost usually far greater than the ransom payment, which is often covered by cyber insurance. Without requirements in laws banning ransomware payments that the public entities have backup systems and data encryption to minimize ransomware damage, “there is little reason to believe that payment bans actually lead to an overall positive outcome.”[xvi]
Some policy experts believe that laws banning ransomware payments will backfire by forcing attackers to switch to even more destructive tactics. According to the CEO of Token, a large cyber security firm, “Almost all attacks are for financial gain and when you take that away, hackers will shift their efforts to targets with higher ROI (return on investment), like any smart business would. Government agencies will still be targets for attacks where the primary purpose is to damage or cripple US infrastructure, which is the goal of many attacks sponsored by nations that are enemies of the US.”[xvii]
Time will tell if other states fall in line with the 2 states that are hoping legislative bans on ransomware payments will spare public sector institutions from being victimized. However, policy arguments against them are worth consideration and may well carry the day.
[ii] The DRIB is an annual publication that provides analysis of information security incidents, focusing specifically on data breaches.
[iv] https://blog.knowbe4.com/wsj-cyber-insurance-went-up-a-whopping-92-in-2021.
[v] https://www.ciab.com/resources/q4-p-c-market-survey-2021/.
[vi] https://news.sophos.com/en-us/2022/09/28/the-state-of-ransomware-in-state-and-local-government-2022/.
[vii] https://news.sophos.com/en-us/2022/09/28/the-state-of-ransomware-in-state-and-local-government-2022/.
[x] https://therecord.media/tennessee-state-southeastern-louisiana-universities-hit-with-cyberattacks.
[xi] https://www.nytimes.com/2022/11/28/nyregion/suffolk-county-cyber-attack.html.
[xiii] https://www.ncleg.gov/Sessions/2021/Bills/House/PDF/H813v2.pdf.
[xiv] https://www.flsenate.gov/Session/Bill/2022/7055.