The House passed legislation last week to ensure that federal cybersecurity experts assist their state and local government counterparts in protecting networks from devastating attacks like those that have crippled cities in Alabama, Michigan, Oklahoma and elsewhere.
The legislation would codify support and assistance that the Cybersecurity and Infrastructure Security Agency already offers to state and local governments. The agency provides security tools, helps states draft policies and procedures, conducts cybersecurity exercises and shares threat information through collaborative channels.
The bill had already passed the Senate, and President Joe Biden is expected to sign it.
“The states cannot do this on their own,” said Doug Robinson, executive director of the National Association of State Chief Information Officers, a group that represents top state tech officials. “They don’t have the capacity. … They are doing as much as they can within their own jurisdictions.”
Criminals using ransomware have in recent years attacked and disabled computer networks in major American cities, including Baltimore, Atlanta and Tulsa, as well as at several school systems overseen by states and local governments.
U.S. cities and school districts have paid hundreds of millions of dollars in ransom payments to regain control of their networks and have incurred costs from unplanned closures and other lost services.
Criminals typically get into computer networks because users’ poor security practices give them access or because of weaknesses in the software.
Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, who sponsored the Senate bill, said in a statement that the legislation would “strengthen coordination between all levels of government and give local officials in Michigan and across the country additional tools and resources to combat cyber-attacks.”
Ransomware attacks “can prevent access to essential services, compromise sensitive and personal information, and disrupt our daily lives and livelihoods,” Peters said.
Sen. Rob Portman, R-Ohio, who co-sponsored the legislation, said in a statement that “state and local governments need some additional help or access to expertise to address these threats” that can be provided by federal agencies.
Costs far beyond ransom payments
In 2021, 162 school districts in 38 states suffered 166 cyberattacks that were publicly disclosed, according to a recent report by K12 Security Information Exchange, a nonprofit group that shares information on cyberthreats to schools.
“Ransomware attacks against schools during 2021 commonly resulted in school closures with un-budgeted remediation and recovery costs ranging from hundreds of thousands to many millions of dollars,” the group said in a release accompanying the report.
Cities and local governments suffer costs far in excess of any ransoms they pay, according to the 2021 Combating Ransomware report by the Ransomware Task Force, an initiative organized by the Institute for Security and Technology.
“Reported ransomware payments do not cover the costs associated with service downtime and recovery,” the report said. “Total remediation costs are typically several times the ransom payment and are often large enough to cripple many small businesses.”
Federal assistance in the form of information sharing, training, policies and procedures is vital for states to safeguard networks, said Robinson.
It is not enough for states to have good security systems covering the computer networks operated by their executive and legislative branches, Robinson said; they also need to ensure that the networks operated by every city, town, county and municipality within the state are equally secure.
In addition to local governments and K-12 school systems, criminals have repeatedly targeted health care institutions. Attacks on all three “represent an overwhelming majority of successful ransomware attacks,” Robinson said.
In addition to security assistance, information sharing and training, states also are awaiting financial assistance from Washington to boost their cybersecurity efforts, Robinson said.
The $1.2 trillion infrastructure spending bill enacted last year included $1 billion in grants over four years to state, local, tribal and territorial governments. The Federal Emergency Management Agency, on the advice of CISA, the lead federal cybersecurity entity, will administer the money.
The law mandates that 80 percent of the money that states receive through the grant program must go to local governments such as counties, cities and towns.
CISA guidelines awaited
CISA has yet to announce guidelines on how states can apply for the grant money, Robinson said.
The grant money, which would translate to about $250 million annually for all states, “is quite frankly, not a lot” to address all of the states’ needs, Robinson said.
But the first tranche of money would help state chief information officers work with local partners to assess the vulnerability of computer networks operated by counties, cities and schools and draw up basic cyber hygiene protocols and controls, Robinson said.
“Cybercriminals continue to target state, local, tribal, and territorial governments and exploit vulnerabilities that [these] partners simply do not have the resources to address,” CISA spokesman Scott McConnell said in a statement. “The grant provided in the infrastructure bill will provide a much-needed boost in resources that [these] partners can use to increase the security and resilience of their networks, and CISA looks forward to working with our partners to implement this important program.”
Counties and localities lacking expertise are unlikely to have fully assessed all the software they use and established which products have the latest security measures and which have unpatched weaknesses that attackers could exploit.
With baseline security protocols in place, states would have to grapple with more complex questions such as the safety and security of off-the-shelf, third-party software that many county and local governments depend on to run day-to-day operations, Robinson said.
The security of the software supply chain has become an area of increasing focus for security experts after the SolarWinds attack that began in 2019.
Russian state-backed hackers are said to have implanted malware in the network of a software developer that was one of the vendors to SolarWinds. When SolarWinds shipped a software update to all of its customers, the embedded malware also found its way to those users.
Biden issued an executive order in May 2021 that called for a so-called software bill of materials that would help organizations and government entities figure out all the third-party components embedded in their software and assess those suppliers’ security protocols.
The order called on the National Institute of Standards and Technology to develop guidelines for such a bill of materials.
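The inventory problem described above, both the local-government gap of not knowing which installed products are patched and the component visibility a software bill of materials is meant to provide, is easiest to see with a concrete check. The following is an added example written for this page; it is not code from the article, from CISA or from NIST. It reads a small SBOM in the CycloneDX JSON layout (a real SBOM format), flattens the components embedded inside each delivered application, and compares every component's version against a table of minimum patched versions. The application names, versions and the baseline table are all constructed for the example; in practice the baseline would come from vendor advisories or a vulnerability database.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. The format is real; the products, versions
# and nesting are made up for this example.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "permit-portal", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "webframework", "version": "5.0.0"},
       {"type": "library", "name": "pdf-render", "version": "1.4.0"}
     ]},
    {"type": "application", "name": "log-viewer", "version": "2.3.1"},
    {"type": "application", "name": "legacy-scheduler", "version": "0.9"}
  ]
}
"""

# Constructed baseline: the lowest version of each product that a hypothetical
# vendor advisory describes as fully patched. A product missing from this
# table has not been assessed at all, which is its own finding.
MIN_PATCHED_VERSIONS: Dict[str, str] = {
    "permit-portal": "3.2.0",
    "webframework": "4.8.0",
    "pdf-render": "1.10.2",
    "log-viewer": "2.3.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric. Plain string
    comparison would wrongly rank '1.4.0' above '1.10.2'."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, minimum: str) -> bool:
    """True when the installed version meets or exceeds the minimum; shorter
    tuples are padded with zeros so '2.1' and '2.1.0' compare equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def load_components(sbom_text: str) -> List[Dict[str, str]]:
    """Flatten the SBOM's component tree. Nested components are the
    third-party pieces shipped inside a delivered application, which is
    exactly what an inventory of installed applications alone would miss."""
    sbom = json.loads(sbom_text)
    found: List[Dict[str, str]] = []

    def walk(components, parent):
        for comp in components:
            found.append({
                "name": comp["name"],
                "version": comp.get("version", ""),
                "type": comp.get("type", ""),
                "embedded_in": parent,
            })
            walk(comp.get("components", []), comp["name"])

    walk(sbom.get("components", []), "")
    return found


def assess_inventory(components: List[Dict[str, str]],
                     baseline: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Sort each component into current, outdated (below the patched
    minimum) or unknown (no baseline information available)."""
    report: Dict[str, List[Dict[str, str]]] = {"current": [], "outdated": [], "unknown": []}
    for comp in components:
        minimum = baseline.get(comp["name"])
        if minimum is None:
            report["unknown"].append(comp)
        elif version_at_least(comp["version"], minimum):
            report["current"].append(comp)
        else:
            report["outdated"].append({**comp, "minimum": minimum})
    return report


if __name__ == "__main__":
    result = assess_inventory(load_components(SAMPLE_SBOM_JSON), MIN_PATCHED_VERSIONS)
    for status, items in result.items():
        for comp in items:
            where = f" (inside {comp['embedded_in']})" if comp["embedded_in"] else ""
            print(f"{status:8} {comp['name']} {comp['version']}{where}")
```

Run as a script, it reports the embedded pdf-render library as outdated even though the application that bundles it is at its patched version, and flags legacy-scheduler as unassessed rather than silently treating it as safe. Those two outcomes are the point of the exercise: the first is only visible because the SBOM lists embedded components, and the second is the kind of gap a county without a complete software inventory cannot even see.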
Even the federal government “has some challenges” in gaining a comprehensive view of all the software that agencies use, “and they have got immense resources,” Robinson said. “I think that’s going to be a challenge in the future for states.”