What the Ransomware Attack Debate is Missing

The impact of ransomware attacks against state and local governments continues to make headlines.  High profile attacks against Atlanta, Baltimore, and now Riviera Beach and Lake City in Florida expose the challenges governors, mayors, and local leaders confront in deciding whether to pay a ransom to cybercriminals to regain control of their data.  Arguments have been made that no government official should pay a ransom (Atlanta), that the federal government is to blame for allowing cyber attack tools to be stolen and released on the internet (Baltimore), and that paying a ransom is the only option (Riviera Beach).  All sides on this debate have important points with supporters in the cybersecurity industry, but their arguments miss the key issue:  our state and local governments are not resourced properly to defend their networks.  A better and smarter approach is needed, and the answer is NOT what The Washington Post editorial board offered last week: legislation to outlaw ransomware payments.

There is not a state or local government in the United States that is fully funded to defend their IT networks against cyber attacks.  Like many private sector enterprises, state and local governments make trade-offs with their limited IT budgets between competing priorities, knowing they can’t cover every cyber requirement.  While there are many reasons behind this approach, such as insufficient staffing and training, the key issues are awareness of the threat and the funding to support building security and resiliency into the systems.

The most recent survey by Deloitte and the National Association of State Chief Information Officers (NASCIO) makes clear that budget is the top challenge facing state governments on cybersecurity – a challenge that hasn’t changed since the first survey was conducted in 2010.  Unfortunately, what has changed is a threat environment that is increasingly complex, where the ability to exploit vulnerabilities is growing and the sophistication required to conduct such attacks is decreasing.  As a result, our state and local governments fall even further behind in the race to defend their digital networks.

There is a very real question about what the federal government’s role should be in helping state and local governments improve their cybersecurity.  We know what the answer would be in the physical world, but we are still falling short in the digital world.  What is now needed is a recognition by Congress that protecting our nation’s digital infrastructure is a national and economic security priority that is on par with defending our physical infrastructure.  While we have become dependent on the internet for so many government services, we have not provided our state and local governments with the capabilities to make these services resilient in the face of persistent cyber attack.

The recently introduced State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) would establish a grant program for state and local governments that need help in paying for digital support.  It is a good first step, but more is required.  It’s not enough to just allocate money toward the problem; the federal government needs to establish an active coordination and remediation program, supported by the Department of Homeland Security (DHS) and the National Security Agency (NSA), for state and local governments.

The proposed Act should be expanded to create a program through which the federal government provides direct support to state and local governments to remediate those vulnerabilities that NSA and DHS deem critical, particularly in cases where state and local governments can’t do it themselves.  The program would also assist state and local governments with the most important first steps toward cyber resiliency:  map the networks they own, understand what is on them, and provide assistance to better secure them.  This approach would allow the federal government to help our state and local governments fix their cyber potholes quickly and effectively.

Whether the exploits used against these vulnerabilities were created by nation-states, criminal organizations, or others misses the point; the threat environment will only get worse, and our state and local governments will continue to fall further behind unless Congress helps now.  Atlanta, Baltimore, and Riviera Beach are the most recent examples of the dire situation our state and local governments face in addressing cyber threats.

Cybersecurity is one of the few issues where there is bipartisan support.  Congress should strengthen and pass a fully funded State Cyber Resiliency Act as a needed first step in making our state and local government networks more prepared and resilient.