The best technology and business processes in the world are useless without the skilled staff to implement them. Cybersecurity talent is in high demand, so governments must be creative about ways to attract and retain that talent, including sharing talent via rotational assignments within government, improving pay and benefits packages, or looking to the gig economy.30 For example, Michigan’s Cyber Civilian Corps not only offers new ways to attract talent, its CISO-as-a-service offering also helps to make that talent available to smaller governments that otherwise could not afford it.31
But training and reskilling efforts cannot end with IT staff; every worker should be cyber-aware. Programs such as the Federal Cybersecurity Reskilling Academy, which educates non-IT workers in cybersecurity basics, can be valuable tools in creating an aware and active workforce.32
Some ways in which risk can be minimized include improving basic cyber hygiene and using war-gaming to prepare for real-life attacks. State and local government leaders and their teams should know how to respond if attacked just as emergency responders know how to respond during a fire, car accident, or severe weather.
The maintenance of legacy systems can be a critical vulnerability for many governments, making improved cyber hygiene important to reducing the overall risk of attack. Timely application of software patches and updates is imperative, as are regular system backups to an air-gapped recovery vault. Updates can help limit the vulnerability of a government’s systems, while the system backups could speed recovery time if the systems are attacked and avoid the need to either pay ransom or spend more in recovering the data. Improving basic cyber hygiene also means regular trainings and evaluations for all staff. While the cost of effective training programs may seem like a less-than-critical expense, it’s generally far less than the cost of a ransomware attack. It is also feasible that as rates of ransomware attacks increase, insurers may require policyholders to meet certain basic requirements, including staff trainings, in order to pay out on policies.
Planning for a ransomware attack begins with a system audit to identify which systems, information, and people are critical to the organization’s operations and most vulnerable to ransomware. For example, a police department would cease to function if its emergency dispatch system was compromised, but it could function if the system tracking employee time sheets was compromised. With that information, governments can then test their protective measures and responses using war-gaming and simulation.
Cyber war-gaming and simulation are valuable tools in preparing staff and ironing out kinks in processes. Rehearse with a realistic scenario so that you’re able to simulate the decisions that you might have to make. You don’t want to be forced to decide under duress. Often, only during such simulations do leaders begin to see the many details that they must master—from the logistics of transferring bitcoin to learning what exactly is covered by a cyber insurance policy. Government can use the successes and failures of the war-game to craft a playbook spelling out responsibilities and key tasks in the event of an attack to speed response. Speedy recovery depends on everyone knowing the plan and being able to execute it quickly, and for that, there is no substitute for practice.
Attacks can strike even the best-prepared government, so knowing how to respond and restore critical services to citizens as quickly as possible is essential.
Finding and retaining skilled cybersecurity talent will likely remain a challenge in the near future, so deploying emerging technologies that can make the existing workforce more effective can be a significant cost advantage to governments. For example, artificial intelligence (AI) can help prevent ransomware attacks by blocking unusual downloads from links that employees unwittingly click on.33 The city of Las Vegas has used AI to detect and respond to cyber threats for three years with great success. In the words of director of innovation and technology, Michael Sherwood, “Ransomware can spread across your network rapidly, so you need tools that can prevent that from occurring. AI can autonomously take control and provide split-second reactions, which is very useful for preventing damage.”34
Governments should not try to go it alone. Information-sharing bodies such as industry-specific organizations can link governments to other local governments and organizations so that they can learn from each other’s successes and failures.35 Similarly, staying in touch with external researchers, vendors, and law enforcement can help governments access new tools and technologies and create the relationships that will likely be needed if a crisis should ever occur.
Finally, sharing information about ransomware experiences, even when it is uncomfortable or potentially embarrassing, can be key to the “herd immunity” that can keep other governments safe. Although there is currently no legal requirement in the United States to report ransomware attacks, those reports are important for understanding the technical nature of attacks, both to find perpetrators and to help others protect themselves. While some governments are beginning to consider reporting requirements—Texas, for example, is considering a law requiring ransomware reporting—government leaders at all levels should consider devising and practicing some form of voluntary reporting procedure.36 It will be important for local governments to coordinate outside of their typical state silos through the establishment of cyber monitoring and incident response services provided across jurisdictions.
These steps toward a new approach to ransomware resilience represent a significant amount of work. Government entities need to become resilient in a world where a constant threat of a cyberattack is the “new normal.” But the good news is that success is possible.
Take Lubbock County, Texas, for instance. The IT department gets calls about strange behavior on Lubbock County's 1,300 computers all the time. But one call about icons changing on a worker’s desktop in real time caught the department’s attention. It was a clear sign of an attack. By quickly isolating the affected computers, the Lubbock County IT staff was able to stop the ransomware attack before it locked down any critical systems. Lubbock County was one of 23 local governments hit by ransomware in August 2019 in Texas alone, yet it appears to be the only one that successfully stopped the hackers.37 Though hardly revolutionary, its actions show how training and resources—and a bit of luck—can thwart hackers who have been hobbling US cities and counties.
Ransomware is a hard problem for governments. It springs from a variety of sources and demands an entirely new approach if governments are to free themselves from the difficult dilemma of paying versus not paying ransom. The good news is that a clear vision and a few concrete actions can help secure government systems and the valuable services they provide to all citizens.