The assumption was that the group, called Emergency Support Function 17, would be activated infrequently, responding to cyber attacks sporadically, amid a growing threat from hackers around the globe.
Instead, the officials have found themselves responding to cyber attacks more or less nonstop for the past four years. And the costs to the state and local government agencies have spiraled over that time, state data shows.
"It hasn't stopped," said Dustin Glover, chief cyber officer for the Division of Administration.
Since it was put together in 2019, the group has responded to more than 130 attacks on state and local governments, organizations operating critical infrastructure and others, according to officials on the task force.
It has become increasingly expensive, too.
In the fiscal year ending in mid-2020, the state paid $2.3 million to respond to cyber attacks at state agencies, school boards and the city of New Orleans. The next year, costs rose to $9.5 million. In fiscal year 2022, costs hit $14.4 million.
In the fiscal year that ended this month, the state spent $20.6 million — or nine times what it spent three years earlier, according to the Division of Administration.
THREATS MORE SOPHISTICATED
The rising costs reflect an increasingly persistent threat facing emergency response officials in Louisiana and around the country. Local governments reimburse the state for the costs they incur responding to the attacks, mostly personnel and hardware.
Jacques Berry, spokesperson for the division of administration, said the state has yet to pay a ransom because of a cyber attack.
The increasing number — and sophistication — of cyber attacks has caused state officials to pivot from simply reacting to them to trying to prepare on the front end, with hopes of thwarting future attacks and saving taxpayer money in the long run.
It's no small task. A report released by the Louisiana Cybersecurity Planning Committee last fall found many local governments, law enforcement, libraries, court systems, school districts and others were "unknowingly using end-of-life equipment and software," didn't have solid firewalls, used old anti-virus software, gave administrative controls to all users or had other glaring problems that left them vulnerable. The report said the team had responded to incidents in every one of the state's 64 parishes since 2019.
The effort is also not bulletproof. Despite the efforts of the state to bolster its own defenses, millions of Louisianans recently had their Social Security numbers and other personal information compromised by a hack of MOVEit, a contractor that managed data for the state Office of Motor Vehicles. The hack resulted in data breaches at organizations around the world.
Andrew Wolfe, an assistant professor at Loyola University who studies cybersecurity, said he believes the increasing number of attacks is largely the result of greater detection. He also noted that the rise in cryptocurrency in recent years has made it easier for hackers to make money from ransomware attacks on school boards and the like.
Wolfe said the state's spending on bolstering government systems is "overdue," and said most states are now proactively investing in defenses, something few did a decade ago.
He said the recent attack on MOVEit highlighted the difficulties in securing every part of a computer system, which often involves a host of different software, contractors and subcontractors.
"What we really want is for an ordinary system to be relatively safe from common attacks that are out there," Wolfe said. "We're not there yet. I don't think we're in a good position. But I see things improving."
Glover, of the Division of Administration, said the rising costs are likely the result of more attacks and increasing sophistication, as well as a greater ability to detect when an attack is happening. He said the only certainty is that cyber attacks will continue.
The cyber response works in a similar way to hurricanes. Local governments and organizations dealing with critical infrastructure ask the Governor's Office of Homeland Security and Emergency Preparedness for assistance, and the agency then coordinates the response by tapping the various agencies, including Glover's department, State Police and the Louisiana National Guard.
Officials don't reveal which entities they assist, but audits and news reports show the Orleans Parish Juvenile Court, the city of New Orleans, Northwestern State University, the Port of New Orleans and others have been hit with cyber attacks in recent years. It's unclear which received aid from the state.
A SHIFT TO PROACTIVITY
A GOHSEP presentation from 2021 says that through August of that year, the office had responded to 24 cyber attacks against critical infrastructure, including four to the chemical industry, three to emergency services and one to a financial services organization, among others. The presentation said there was an estimated $600 million financial loss to the targets, and noted that hospitals are particularly vulnerable because the critical nature of the work makes it more likely they'll pay a ransom.
Casey Tingle, the head of GOHSEP, said the $600 million was a "rough estimate" of the damage to critical infrastructure — largely managed by the private sector. Given the rate of attacks, he said, the costs would likely be higher today.
A recent IBM report estimated the average cost of a cyber attack globally is $4.4 million, a 15% increase from three years ago.
Governments are seen as lucrative targets because people tend to trust government email addresses and are more likely to click malicious links from them, officials say.
Tingle said his agency got $3.3 million in federal grant dollars for cyber defense in the last year, and will soon apply for more. The hope is to bolster systems on the front and prevent attacks. Projects for the first year involve establishing an assessment program to review computer systems and deploying detection and response software at local governments.
The good news is that officials think the efforts will pay off.
"I do think a fair number of these could have been protected or mitigated with relatively straightforward protective measures," Tingle said.
The Legislature has also agreed to put more money to cyber preparedness. In the recently passed budget, $22.5 million was added to GOHSEP for cybersecurity software and staffing contracts; $3.8 million was allocated to the Board of Regents, which oversees colleges; $5 million was sent to ports for cyber and drone security and $900,000 was sent to State Police.
That's on top of millions more allocated in 2022 and 2020 for cyber response.
Starting a year ago, the ESF-17 group began training local governments and organizations to beef up their defenses. And Glover said 250 local governments have signed onto a program to get help with it.
"It's quite apparent right now we cannot continue to stay in this posture," Glover said. "We're in a reaction posture. We want to prevent as many catastrophic cyber events as possible."
©2023 The Advocate, Distributed by Tribune Content Agency, LLC.
