Now some state lawmakers want them to adopt a policy on hackers usually reserved for terrorist organizations: refuse to negotiate.
A bill moving through the House of Representatives would ban local governments from paying attackers in ransomware cases, a growing form of hacking that uses malware intended to extort money or other ransom by encrypting files on a victim’s computer or network.
The attacks have hit cities across the state. When a Riviera Beach police employee opened an email in 2019, it led to a shutdown of the city’s email, phones, police records and even the library. Although the FBI recommended against it, the city paid 65 bitcoins, worth about $600,000, to recover the records.
Broward County’s school district, the sixth-largest in the nation, was hit last year. The hackers demanded $40 million. When the county offered $500,000, hackers from the Russia-based Conti malware group leaked nearly 27,000 accounting files and personal data on students and employees.
“We have to ask, should we allow taxpayer dollars to be financiers of terrorist organizations to our foreign adversaries?” bill sponsor Rep. Mike Giallombardo, R-Cape Coral, said Thursday. “If we continue to enable this, we’re creating the market.”
The idea to refuse to negotiate is part of a larger plan lawmakers are considering to address the state’s cybersecurity shortfalls as threats have skyrocketed during the pandemic.
Giallombardo’s bill, which passed its first committee unanimously Thursday, would require state and local governments to report incidents to a new State Watch Office and require state and local employees to undergo annual cybersecurity training.
The state Senate is not advancing similar legislation, but it is considering outsourcing the state’s data center and assigning 25 new positions to the state’s chief information officer, Jamie Grant. Grant, a former lawmaker with little experience in information technology, has overseen a state technology office that has lost a number of cybersecurity experts and struggled to spend $30 million in cybersecurity funding from the Legislature last year.
The House wants to increase that to $50 million this year, plus devote $30 million in grants to help local governments navigate cyber attacks and $30 million to help them train employees.
Other states have adopted laws banning cybersecurity payments, although experts are mixed on whether it’s a good strategy. The FBI recommends not paying and notes that attackers don’t always hold up their end of the bargain when they are paid.
No one spoke against the House’s plan, but state lawmakers said they’ve heard from city officials who feel they have to pay the ransoms to retrieve critical data.
Giallombardo said the goal is to prevent them from needing to pay in the first place by requiring them to adopt cybersecurity standards that include data backups and offering money and assistance for training and response to attacks.
“When you can train the clerk at the front of the desk, at the front office, not to click those links, that ... reduces your risk tremendously,” Giallombardo said.
Ransomware attacks have been effective against local governments, which have thin budgets and hardware and software that can be badly out of date. Three months before it was attacked, for example, Riviera Beach officials agreed to spend $800,000 to improve a computer security system so outdated the company that made it no longer supported it. The upgrades didn’t prevent the attack because they weren’t installed in time, according to the Palm Beach Post.
Florida’s state agencies have also not been immune from attacks.
Since 2020, the state’s top regulatory agency was taken offline by a cyber attack, data on thousands of applicants for children’s health insurance was exposed by a state vendor and Social Security numbers and bank information on more than 58,000 unemployment applicants were stolen.
Almost every aspect of state government is dependent on technology, but Florida has had longstanding struggles with coordination and oversight of its technology projects and has faced public failures in recent years.
The state is now on its fourth iteration of a state technology office in two decades. For years, it was one of the only states in the nation without a chief information officer. Most of the chief information officers it appointed had limited backgrounds in technology.
©2022 Miami Herald. Distributed by Tribune Content Agency, LLC.
