“We have to face the reality that we’re not currently developing the best practices necessary to protect the state’s data and confidential information,” the Southlake Republican said at a committee hearing in April. “By teaching our employees and contractors how to safeguard the delicate information they handle daily, we can take a solid step forward in minimizing the state’s cybersecurity risk.”
While Texas will require most state and municipal employees to receive cybersecurity training by June 2020, in recent years local governments have emerged as a favorite prey for ransomware attacks by which hackers block access to a computer system until a ransom is paid.
The attack last week “drives home for me the sense that this has been very lucrative or else people wouldn’t continue to target these local governments,” said Josephine Wolff, assistant professor of cybersecurity policy at Tufts University.
The Texas Department of Information Resources, which is investigating with the help of the Federal Bureau of Investigations and Department of Homeland Security, believes the attacks came from a single person or a group in a coordinated effort. The threats can be delivered in the form of an infected emailed link or attachment, or through a vulnerability in software that has already been installed on a computer.
With an investigation ongoing, the information resources department has declined to release the names of the affected cities, and would not provide details about the method of attack, the demands or whether any ransoms had been paid, citing security reasons. Houston and Bexar County officials have said they were not among those impacted.
The federal government does not track ransomware attacks nationwide, so it’s difficult to determine exactly how many have occurred or their financial impact. Wolff said the attacks have become more prevalent since 2013. Hospitals have been major targets in the past, but more recent attacks have trended toward local governments; both are enticing because they depend heavily on the availability of their computer systems’ data, she said.
The Federal Bureau of Investigations received nearly 1,500 complaints about ransomware last year; however, it acknowledges that’s likely a significant undercount in part because many companies would prefer to keep the incidents out of the public eye.
Local governments targeted include the city of Baltimore, which earlier this year refused to give in to a demand for about $76,000 in difficult-to-trace payments via bitcoin; the city’s budget office estimates the attack will cost about $18.2 million in losses and restoration expenses.
Several Florida cities in June paid hundreds of thousands of dollars to hackers who encrypted records, disabled their email systems and blocked their ability to pay employees and vendors via direct deposit.
Attackers are rarely caught, though federal prosecutors last year indicted two Iranian men for attacks on more than 200 victims, including the cities of Atlanta and Newark, N.J., that netted them more than $6 million and cost the affected governments and companies more than $30 million.
The decision over whether to pay a ransom is often complicated, said Elliott Sprehe, spokesman for the Texas information resources department. The state, as well as the FBI, recommends against doing so in part because it doesn’t necessarily guarantee the return of the information, but the decision is ultimately up to the affected entities.
Wolff said that while paying a ransom can seem like a quick and easy fix — especially as cybersecurity insurance companies that offer to pay them become increasingly popular — it also only encourages continued attacks.
“It really hurts the overall goal because as long as this is a profit business model, we’re going to continue to see people do it,” she said. “Part of what is creating this ongoing ecosystem of profits (is) for attackers to know it’s being built into everyone’s cost of business.”
Tuesday afternoon, the information resources department announced that “a number” of the affected government agencies in Texas were back online, and that overall more than 25 percent of them had “transitioned from response and assessment to remediation and recovery.” The department offered no further details.
So far, only two Texas cities — the Panhandle city of Borger and Dallas suburb of Keene — have publicly admitted they were among the 22 agencies that were attacked. They made their situations public as they explain to residents via Facebook posts why their systems are down and what kind of workarounds they’ve set up in the meantime.
Phone systems were down in Keene on Friday, and the city put out messages on Facebook letting residents know that it could not process credit card payments or access account information and even assuring them that “our drinking water is safe.”
The City of Borger has been able to restore certain systems using backups and has salvaged certain parts of the network because of forward-thinking organization of their networks that isolated 911 and radio systems, its emergency operations center and other essential services from the attack, said spokeswoman Marisa Montoya.
But other regular city business is at a standstill. With its business and financial system offline, the city can’t accept most credit card payments, and it’s had to waive late fees for utility and other payments while promising residents no services will be turned off.
“It’s certainly been challenging, but it’s eye-opening,” Montoya said, adding she was grateful for the quick response of the city’s information technology team. “It could have been worse. Had we not had some of the procedures and protocols we had in place, it could have been a different situation.”
Montoya said the city does own cybersecurity insurance, but she did not know the coverage limit. The city offers some employees cybersecurity training, she said, but not all.
The statewide cybersecurity training bill passed in the spring and was signed into law, requiring most municipal and state government employees to be trained by June 2020. Capriglione said it was an extension of previous efforts to strengthen the state’s protections against such attacks. The information resources department is in the process of certifying training programs now, and state and local employees, as well as state contractors, will have to complete them by June 14, 2020.
“While we don’t yet know who or what are responsible for these attacks, what we do know is the better trained our employees are, the less susceptible we will be in the future, and the faster we will be able to recover,” Capriglione said.
The Associated Press contributed to this report.
©2019 the Houston Chronicle. Distributed by Tribune Content Agency, LLC.
