Ransomware Attack a 'Big Wake-Up Call' for Cities, States

The massive cyberattack that has infected computers in at least 150 countries this past week hasn’t had a major impact on the federal government.

By Jenni Bergal

 

The massive cyberattack that has infected computers in at least 150 countries this past week hasn’t had a major impact on the federal government. But it has struck at least one county and several universities and prompted some state and local agencies to scramble to beef up their protections against the virus.

 

In the Chicago area, the virus showed up on computers in some Cook County government offices. MIT and several other universities reported that some of their computers also had been compromised. In Connecticut, the state court system briefly shut down some of its computers to update anti-virus software. And in Michigan, state officials quickly began installing extra protection on servers, work stations and public kiosks.

 

State IT officials say they often don’t have enough money to effectively fight sophisticated cyber threats. And the scale of this one has made them even more concerned.

 

“This is a big wake-up call because it is cyber disruption,” said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). “States and local government need to address this because it’s a serious threat. We have urged states to take action immediately.”

 

Cybercriminals launched the fast-moving virus, dubbed “WannaCry,” last Friday. So far, it has infected more than 300,000 machines in countries from Russia to Brazil. Its victims have included Britain’s National Health Service, universities in China and Germany’s train system.

 

The attackers used “ransomware,” malicious software that hijacks computer systems, encrypts data and locks machines, holding them hostage until victims pay a ransom or restore the data on their own. Hackers demanded $300 to $600 in payments in bitcoin, digital currency that is transferred all over the internet, which makes payments difficult to trace.

 

WannaCry spread across computers that run on Microsoft’s Windows operating systems. While Microsoft issued a patch, or security update, in March to protect against the virus, many systems that used older versions the company no longer supported remained vulnerable. Microsoft released special patches for the older versions after the cyberattack.

 

Cybersecurity experts say they’re not sure why more computer systems in the U.S. haven’t been infected. But they caution that state and local governments still could be affected.

 

“We’ve been getting a lot of emails from them wanting to know what they should do,” said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center, a federally funded group that tracks cybersecurity issues for states and local governments. “Our advice is to apply patches and keep your antivirus software up to date. Who knows what will happen?”

 

A Growing Threat

Hackers using ransomware increasingly have been attacking local governments, hospitals and police departments across the U.S. City and county governments, along with local school districts, have seen an “exponential rise” in threats in the last two years, said Srini Subramanian, a state cybersecurity specialist at the consulting firm Deloitte & Touche LLP. Victims have ranged from small police departments in Maine to a large hospital in Los Angeles.

 

Even if government officials decide to pay hundreds or thousands of dollars in ransom, their computer networks and communications are often crippled for a day or more by the viruses. And if they don’t pay, it can sometimes take days or even weeks to get their systems back up and running. In the meantime, public services for residents, schoolchildren and even hospital patients may be affected.

 

While federal officials say the WannaCry ransomware attack apparently has only raised about $70,000 in ransom and the infection rate has been lower in the U.S. than in many other parts of the world, they caution that the crisis may not be over, as the malware morphs into other forms that could threaten more networks.

 

Some state and local officials say they aren’t taking any chances.

 

In Connecticut, the judicial branch this week performed “preventive maintenance” on its computer system at courthouses statewide, said spokeswoman Rhonda Stearley-Hebert. She said some parts of the system had to be shut down briefly, including at New Haven Superior Court, where cases were delayed for two hours Monday as staffers installed a software update.

 

In Auburn, Massachusetts, Information Technology Director Mike Marino said his office installed anti-ransomware software this week on every computer on the network, including those at the municipal building, senior center, library and fire stations.

 

Auburn’s school department was hit by a ransomware attack about a year and a half ago, and Marino said he doesn’t want town offices to go through that kind of situation. “Just the work required to get things back up and running is so time intensive,” he said. “Plus, any files that aren’t able to be backed up are just lost.”

 

Michigan took emergency steps to upgrade its network with the latest patch as soon as officials learned of the global cyberattack, said Rajiv Das, the state’s chief security officer. As of Thursday, all the work was completed other than at some employees’ desktops and kiosks used by the public.

 

“Right now, we are watching very carefully. This is definitely not the end,” Das said. “If you ask me, I’m worried. That’s why my team is on guard.”

 

In Cook County, WannaCry was discovered on “a small number of systems,” according to spokesman Frank Shuftan. He said as of Thursday, almost everything had been restored and staffers were making additional security improvements, but he would not give any more details, citing security reasons.

 

Cybersecurity Challenges

For IT chiefs at the state and local government level, the failure to protect computers is often a matter of dollars or indifference, said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.

 

“Some agencies may have the funding to do updates; some may not. Some may be interested in doing it; some may not,” he said. “In many cases, it’s very decentralized. So it’s more like herding cats.”

 

While cybersecurity has become the top priority for state IT officials, funding is often inadequate, according to a 2016 survey of top IT security officers from 48 states by NASCIO and Deloitte. The report found that in most states, spending on cybersecurity was only a fraction of the overall IT budget, ranging from zero to 2 percent.

 

And while most elected and appointed state officials said they are very or extremely confident that IT security officials are well-prepared for cyber threats, the report found that only about a quarter of the security officials responsible for dealing with the threats were very or extremely confident that adequate measures are in place to protect the data.

 

NASCIO’s Robinson said a global, organized cyber threat like WannaCry shows how important it is for those measures to be in place.

 

“I don’t think it’s over. There’s the chance they will regroup and do another targeted attack,” he said. “States need to patch their operating systems when the patches are released. They need to work to strengthen their firewalls and back up their computers. They need to be ready.”

Caroline Cournoyer is GOVERNING's senior web editor.