
Preparation, Buy-In Are Essential to Ransomware Response

Preparing against ransomware means getting response plans and contracts in place early, drilling, making — and monitoring — critical backups and, of course, convincing leadership to fund it all, experts say.

States and cities cannot ignore the ever-growing threat of ransomware attacks, but marshaling an effective strategy and winning backing from decision-makers in the rest of government can seem like a tall order.

Ransomware attacks force government services offline and may expose sensitive information. Governments cannot simply rely on cyber insurance to help them pay for recovery, but instead need to ready strong defenses that can reduce the likelihood of attacks succeeding or causing damage in the first place, advised Palo Alto Networks field strategist Fadi Fadhil during a recent Louisiana Virtual Digital Government Summit,* convened by Government Technology and the Center for Digital Government.

“Getting cyber insurance is like getting car insurance … Your car insurance may pay you reimbursement, but it's not going to bring your arm back,” Fadhil said, explaining that, similarly, no insurance plan would be able to restore residents’ trust in government should it be damaged by seeing agencies fall to a cyber attack.

But what do good ransomware defenses look like?


TABLETOP EXERCISES



States and municipalities need to have clearly established plans at the ready for if and when a ransomware attack hits, panelists said during the summit. That includes ensuring that all personnel know what their responsibilities are and who they need to notify, Fadhil said.

Michael Light serves state and local governments on the U.S. Gulf Coast as a cybersecurity strategist for AT&T, and said he has been “somewhat engaged” with roughly 20 breaches. He advised that officials who expect to turn to third-party help in an emergency make sure to line up their private-sector partnerships well in advance of the incident, rather than trying to sort it out on the fly. That means getting agreements signed and consultants committed to being called upon.

“Particularly if you’re dealing with larger potential vendors as partners, then the contractual process delays results,” Light said. “And speed is everything when it comes to containing malware.”

But the panelists also emphasized that plans cannot just stay on paper. Preparing personnel to function well in a cyber emergency requires practice, and speakers underscored the importance of running tabletop exercises.

Fadhil, formerly the CIO for the city of Minneapolis, held that role during a 2020 cyber attack claimed by hacktivist group Anonymous, and said that kind of drilling proved critical to being able to coordinate the response.

“Man, that 3 a.m. phone call when it happened,” Fadhil said. “We were so happy we had our tabletop exercises. Everyone knew what to do; everyone knew who to report to, what action to take, what was the sequence of events.”


READYING BACKUPS



States and localities looking to get back up and running fast need to identify the data and functions that are essential to their operations and back them up, so these systems can be restored if needed.

Eric Romero, director of information services for the city of Baton Rouge and parish of East Baton Rouge, advocated prioritizing the systems that the government as a whole relies on, not just those important to one department.

“Even though a system may be mission-critical to a single department, how critical is it to the city-parish’s entire response or functioning?” Romero said.

Even finding out what information agencies hold and where can be hard, however. Romero said his department has some responsibility for defending data across various agencies but doesn’t always have control or a clear line of sight into their practices. That limits his team’s abilities to detect and shore up cyber weaknesses – such as identifying departments that still use old-school methods like Excel documents for tracking mission-critical information and moving them onto better methods.

“Unfortunately, in most cases we just stumble across these, and then we can remediate that,” Romero said.

Simply creating backups isn’t enough, either. Light and Romero both noted that there is a risk of malware infecting these files, meaning that any attempts to use them to restore government systems post-attack would just reload malware back into the environment. IT staff therefore need to regularly check backups to ensure they remain clean.

Governments are also confronting the reality that it can take painfully long to restore systems from backups, because of the sheer amount of data agencies now use.

“As we keep getting more and more data, it takes longer and longer to back up, and getting all the backups done in the backup window has become a challenge,” Romero said.


GETTING EXECUTIVE BUY-IN



Government IT teams need to secure the funding and political support to make improvements to their cybersecurity efforts and keep defenses as strong as possible. But opening minds and purse strings is an art that often requires cyber staff to translate their goals into terms that help the rest of government quickly understand the importance.

That means asking for funding to fuel specific goals that speak to the local context, rather than simply pointing to general industry trends to justify a budget request, Light said.

“You’re competing [for funding] against a person who's unhappy because they've got a hole in front of their house in the street, or a water system that needs to be enhanced,” Light said. The cyber funding request needs to feel just as clear-cut and pressing.

Arguments for funding anti-ransomware projects can underscore the costs of recovery from an attack as well as potential revenue and productivity loss, should the incident interrupt systems that are used to collect fees or that employees need to do their jobs, speakers said.

Fadhil also underscored less tangible repercussions, such as damaged relationships. Downed systems could interrupt payments to staff and vendors, and residents who see their government fall to cyber attack may stop trusting agencies’ ability to protect constituents’ digital data. If residents become unwilling to trust online services, governments may need to incur the costs of providing more in-person alternatives, he said.

IT teams looking to boost their government’s cyber defenses may find it daunting to consider the sheer number of initiatives they want to undertake. But Fadhil said it’s key to remember that personnel don’t need to solve everything at once: any progress, after all, is still progress.

“My advice is: start,” Fadhil said.

*The Louisiana Virtual Digital Government Summit was hosted by Government Technology.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.