Confronting Ransomware: Advice for State/Local Government and Legislators
Media coverage of ransomware-impacted counties and cities has focused on whether the ransom was paid, known or suspected causes, and cost/recovery efforts. But there should be one more area of focus: small, local governments are especially vulnerable to ransomware cyberattacks because they often lack financial resources and IT expertise.1 Two-thirds of America’s 3,069 counties are considered rural2 and fall into this category. Given this plethora of targets for attackers, several questions need to be answered: To whom can governors, county officials and mayors turn for assistance? What state and federal cybersecurity resources exist? As state legislative sessions start up, what policies should lawmakers consider to encourage cyber best practice adoption?
Before an Attack – Resources to Guide Action
Prevention of a cyber-event is the first step in securing data and networks, but many jurisdictions struggle with where to start. Two well-known resources can help guide this first step: the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Top 20 Controls.3 Of the two, CIS’s Top 20 Controls may be “easier” to implement because of its simple list-style, pre-prioritized format. CIS breaks down 20 action items, prioritizes by importance, and categorizes as “basic,” “foundational,” or “organizational.” Adopting the first five of the seven basic controls can prevent 85 percent of attacks; adopting all 20 can prevent upwards of 97 percent of attacks.4
The National Association of State Chief Information Officers also provides a detailed, step-by-step guide to cyber disruption response planning which helps organizations consider all the necessary components to a well-prepared response in the event of a cyberattack.
Existing Resources: Federal and State
Both federal and state governments are naturally looked to for assistance prior to a cyber-event and in its aftermath. The U.S. Department of Homeland Security (DHS) recently unveiled its Cyber Essentials program aimed at small businesses and governments that may not have full-time cybersecurity professionals or lack other cybersecurity resources. Cyber Essentials offers both guiding principles and specific actions for IT professionals and other leaders to put into action.
The National Guard has been a resource for recovery in several well-known ransomware incidents and their role in assisting state and local governments is expected to grow.5 The National Guard was called upon in Texas, Louisiana6 and other states to help respond to cyberattacks in 2019.
In addition, some state governments have formed civilian volunteer groups. One example is the Michigan Cyber Civilian Corps which aims to provide aid to government, education and business organizations in the event of a critical cyber incident.7 In Ohio, the Ohio Cyber Reserve will soon begin training volunteers to respond to potential cyberattacks within the state.8
Sound Policy Helps Cities and Counties be More Cyber-Secure
Looking ahead, state policymakers should consider policy proposals that encourage cyber best practices. All states now have data breach notification laws that promote secure data practices. Several states have laws that specifically criminalize ransomware or computer extortion, and others have defined and criminalized computer crimes such as computer trespass.9 However, due to the newness of these laws, prosecution of these crimes is “nearly nonexistent.”10 In the absence of legal interpretation, policymakers should take an active role in oversight of government agencies that are responsible for data security.
One security concept for jurisdictions to consider is information security continuous monitoring (ISCM), a set of recommendations from NIST that logically incorporates basic hygiene principles like those referenced in CIS’s Top 20 Controls. At its core, an ISCM strategy emphasizes the importance of maintaining continuous awareness of IT assets, networks, vulnerabilities, threat information and mission/business impacts.11 Many of the ISCM basics can be automated, which lessens the need for cybersecurity personnel that state and local governments already lack.
In Texas, there has been movement to put the ISCM concept into practice in both state and local government. In 2019, the Texas House passed legislation directing state agencies to implement ISCM and the City of Austin, Texas released an RFI12 regarding DHS’s Continuous Diagnostics and Mitigation (CDM) program and its potential application in city government.13 As it has at the federal level, legislative guidance can be a strong motivator for cyber best practices and can prevent worst-case outcomes of malicious cyberattacks, including ransomware.
State and local governments are not powerless when it comes to their cyber fate, but security is a shared responsibility requiring technical expertise, adequate resources and proactive policies. State and local governments are encouraged to utilize existing resources to mature technical practices and further strengthen their cyber position with policy proposals that move them into a more secure cyber future.
 LexisNexis, Will Government Ransomware Outbreak Spur More Legislation?, September, 6, 2019.
 National Association of Counties, Rural Action Caucus.
 Travis Smith, A Quick Overview of the 20 Center for Internet Security (CIS) Controls, August 22, 2018.
 Scott Ikeda, U.S. National Guard’s Evolving Mission Includes Assisting Local Governments Experiencing Cyber Attacks, November 18, 2019.
 National Guard Bureau, Guard cyber teams called in to get schools, agencies back online, August 22, 2019.
 Manny Fernandez, David E. Sanger, and Marina Trahan Martinez, Ransomware Attacks Are Testing Resolve of Cities Across America, August 23, 2019.
 Manny Fernandez, David E. Sanger, and Marina Trahan Martinez, Ransomware Attacks Are Testing Resolve of Cities Across America, August 23, 2019
 National Institute of Standards and Technology, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011, page 16.
 City of Austin, Request for Information: IT Asset Mgmt. Automated Discovery & ServiceNow Interface, September 18, 2019.