17 March 2020

To Pay or Not to Pay Ransom Poses Big Dilemma for Governments

by Edward Gately

Cybercriminals increasingly are targeting state and local governments with ransomware attacks, and asking for more money.

That’s according to “Ransoming Government: What State and Local Government Can Do to Break Free From Ransomware Attacks,” a new report by Deloitte’s Center for Government Insights.

In 2019 alone, governments reported 163 ransomware attacks, with more than $1.8 million paid and tens of millions spent on recovery costs, a nearly 150% increase in reported attacks from 2018.

Srini Subramanian, principal at Deloitte & Touche, and cyber state and higher education sector leader, tells us MSSPs and other cybersecurity providers can be doing more to help state and local governments. Examples include cyberattack surface vulnerability assessments, cyber supply chain or third-party vendor risk assessments, identity and privileged access management, firewall management, user- and behavior-based analytics to promptly detect and protect against malicious cyber behavior, cyber war games, and cyber resiliency exercises.


Deloitte’s Srini Subramanian

“State and local governments should live and plan with the reality that their critical systems and data will be attacked,” he said. “Even with cyber insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber health checks and revisit resilience strategies. The effort more than pays off. Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust.”

According to the report, refusing to pay ransom demands may be the principled option, but it also may be far more expensive. For example, the city of Baltimore refused a $76,000 ransom demand, only to suffer over $18 million in recovery costs and lost revenue.

Sensing the vulnerability of state and local governments, criminal enterprises are demanding nearly 10 times what they demand from commercial entities, according to the report.

“The government agencies resorting to paying ransom to restore critical services quickly, with the assistance of cyber insurance, may be creating incentives for more attacks and escalating ransom amounts demanded,” Subramanian said. “There is an urgent need to break away from that cycle and resolve not to pay ransom, but restore services quickly. That requires a proactive strategy to assure and test resilience.”

Government agencies should collaborate across jurisdictions, and set up and subscribe to cyber services such as cyber awareness training, around-the-clock security operations center (SOC) monitoring, and incident response in a shared services model, as opposed to each city, municipal and county government setting these up in silos, he said.

One encouraging sign is that associations like the National Association of State Chief Information Officers (NASCIO) and the National Geospatial-Intelligence Agency (NGA) are promoting collaboration across jurisdictions and laying foundations for state governments and large cities to provide services for smaller municipal and county governments as well, Subramanian said.

To combat this growing risk, the report outlines several key considerations for organizations to move forward in this new reality: smarter systems architecture; a more prepared workforce; better cyber hygiene; cyber insurance usage scenarios; and practiced response.

“Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before,” said Deborah Golden, principal at Deloitte & Touche, and cyber risk services leader. “It also means there is a large surface for cybercriminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless.”