“As the ever-increasing number of ransomware attacks on state and local governments demonstrates, adequate investment in cybersecurity has been lacking,” said Yvette Clarke, chair of the U.S. Congress Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, during a recent virtual hearing.
Clarke plans to soon introduce the State and Local Cybersecurity Act, a $500 million package of grants to bolster state, local and tribal cyber defenses, while also requiring these agencies to make their own budget commitments to the cause, she explained. Clarke convened the Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis virtual hearing on May 5, 2021, to examine the financial needs and challenges facing lower levels of government.
The threat of ransomware is growing “unsustainabl[y],” testified John Davis, retired U.S. Army major general and vice president of cybersecurity firm Palo Alto Networks, during the hearing.
Constraining these attacks to a manageable level requires a variety of robust policies and commitments, said Davis, who co-chaired the Institute for Security and Technology (IST)-coordinated Ransomware Task Force (RTF) that recently released a slate of 48 recommendations for strengthening global response to ransomware.
With ransomware evolving from simply a financial crime to one that deals new levels of damage, the fight cannot wait.
“It has crossed a threshold,” Davis said. “It’s no longer a criminal act driven purely by profit.”
STATE AND LOCAL FUNDING
The pandemic elevated the importance of digital services for reaching residents, while also prompting more state employees to work from home, creating an expanded attack surface that complicates cybersecurity work, said Denis Goulet, New Hampshire’s commissioner of the Department of Information Technology and state CIO.
At the same time, states lost tax revenue due to the public health crisis, giving them fewer funds available for security investments, said Megan Stifel, RTF co-chair and executive director of the Americas for the nonprofit Global Cyber Alliance.
Current federal funding sources like the Urban Areas Security Initiative (UASI) and State Homeland Security Program (SHSP) are simply not enough to usher in the anti-ransomware efforts needed, Goulet said. Both grants support combating domestic and foreign terrorism and other disasters and, as of 2021, 7.5 percent of each award is reserved for cybersecurity.
“Around the states, myself and my colleagues and the CISOs in the states receive very small percentages of the total grant funding … and the amounts we are able to access are not adequate to the task,” Goulet said of ransomware defense.
Providing funds to victims of ransomware can also be key to making the attacks less profitable — and thus less worthwhile — for criminals. The RTF’s global report calls for governments to create response and recovery funds to support victims who refuse to pay ransom demands. Organizations could also be required to follow certain cybersecurity best practices before being able to tap into the recovery funds, as a way of encouraging improvements and reducing the likelihood of future security breaches. Such investments pay off, Stifel said.
“A dollar spent to prevent crime will be more effective than a dollar spent to recover from it,” she said.
Obtaining financing is not the only problem — organizations also may struggle to know how to use it most impactfully. The RTF, therefore, prepared a recommended framework for entities to follow should they be impacted, with financial support like the recovery funds helping them put these steps into action, Stifel said.
LOW-HANGING FRUIT
Ransomware may be powered by tech-savvy developers, but it doesn’t always take a high-tech approach to make life harder for these criminals.
“While we can all agree that more resources for state and local governments are necessary, we must also ensure they are spent responsibly and effect meaningful impacts on risk reduction,” said New York state Rep. Andrew Garbarino.
Garbarino noted that state and local agencies can improve their security through relatively simple steps like enacting multifactor authentication, updating software and keeping backups.
Many agencies’ defenses are hampered by legacy IT systems that may be both expensive to maintain and, in some cases, no longer supported by software updates, said Chris Krebs, former director of CISA. Too often, state and local governments lack the financial resources or personnel to modernize their systems and implement new security practices, however.
“Let’s do a 21st-century digital infrastructure investment act that will allow state CIOs and community CIOs to not just buy cybersecurity technologies, but to get off some of the dated legacy systems that they have,” Krebs said.
Direct funding is not the only tool available, either, and the federal government can also push private technology providers to make their software more secure, Krebs said. The White House might decide to only procure software that features multifactor authentication, for example, which would encourage vendors to make this the norm in all their products.
RAMPING UP CISA
States and localities aren’t going it alone, and CISA has a variety of tools to help. The agency already assists the federal government with supports like continuous diagnostics and mitigation services, and provides all levels of government with certain free offerings such as vulnerability and remote penetration scanning, speakers noted.
With more money, CISA could step up its assistance, Krebs said. That means both providing states with more services and hiring and deploying more statewide interoperability coordinators, who work to improve collaboration across levels of government. These personnel handle responsibilities like communicating with state CIOs and election officials to better understand needs and connect them with tools.
“The future of CISA is in the field,” Krebs said. “Ultimately, [this is] the area that CISA needs the most support from Congress in … We need not just 47 [statewide coordinators], we may need 150 of them.”
Cybersecurity, Infrastructure Protection and Innovation Subcommittee member and New York state Rep. John Katko similarly underscored CISA’s financial need, saying that while the FY 2021 National Defense Authorization Act has equipped the organization with important new authorities for tackling cyber crime, it needs the funds to enable it to best use these new powers.
“Congress needs to put CISA on the path to become a $5 billion agency,” Katko said.