The presentation came on the heels of lawmakers introducing a bill requiring municipalities to develop their own cybersecurity policies.
House Bill 283 is a response to wave of cyber-attacks aimed at relatively low-level government agencies. The bill’s co-sponsor, GOP state Rep. Haraz Ghanbari explained in April last year, the state auditor reported at least 23 cyberattacks against government offices in the last 12 months.
“In Licking County,” Ghanbari added, “just one attack resulted in the theft of more than $700,000.”
The measure directs local governments to review their systems and identity risks and detection strategies. The also have to develop training programs and create plans for repair, and response and in the event of an attack.
Ghanbari’s co-sponsor, fellow Republican state Rep. Adam Mathews, said locals would have to inform state safety officials within seven days and the state auditor within 30. “This will ensure prompt and accurate information is relayed to the proper authorities involved in the response,” he said.
The proposal also puts added pressure on local response to ransomware attacks. Under the proposal, Matthews said, municipal governments would be prohibited from paying a ransom unless it “formally and out in the open” approved legislation to that effect.
“This requirement bolsters transparency and ensures constituents are both aware of the incident’s occurrence and have an opportunity to provide feedback on the best use of their taxpayer dollars,” he said.
Threat Potential
Thomas MacLellan from the cybersecurity firm Palo Alto Networks, told lawmakers that governments, agencies and businesses aren’t defending against a random hacker. “Ransomware is now a business,” he said. “It is a business where they actually have help desks.”
And just as the sophistication of attacks has grown, so has the speed. “In 2021, it took about nine days to exfiltrate data,” he said of bad actors removing information. “In the latest attacks now leveraging artificial intelligence, it literally only takes hours.”
Beyond these kinds of ransom attacks, where an actor holds critical data or access hostage in exchange for money, MacLellan described several other threats, including attackers exploiting industrial control systems. “Those are the things, the switches that turn on things that are connected to the internet,” MacLellan said, “that turn on bridges and dams and traffic lights and hospital systems.”
In terms of preparing for attacks, he suggested state lawmakers get a security firm on retainer. “You need a bat phone,” MacLellan said, “to be able to pick up and say, we need some help, because we are overwhelmed, we’ve been hit by something.”
He also argued the state needs to be aggressive about understanding and monitoring its exposure — what MacLellan termed “attack surface management.” A computer, router or other piece of hardware running out-of-date software could be a vulnerability, he said, and organizations need to make sure to find and fix those problems.
MacLellan added that some states have begun developing joint security operations, effectively a state-run cybersecurity team to protect state and local governments in the event of an attack. He repeatedly argued the biggest challenge in cybersecurity is workforce; centralizing talent could allow for greater reach and impact.
Why Not Centralize?
State Reps. Ismail Mohamed, a Democrat, and Ron Ferguson, a Republican, asked HB 283’s sponsors about a statewide approach to cybersecurity planning. “Why isn’t there a centralized place,” Mohamed asked, “instead of requiring each subdivision to have their own cyber program?”
Ghanbari and Matthews said they would leave the finer points up to local governments to maintain local control and allow greater flexibility.
Highlighting a well-publicized cyberattack against Columbus last year, Democratic state Rep. Christine Cockley asked about the cost prevention compared to the cost of response and recovery. She noted the city has faced significant costs investigating what happened and providing safeguards for people impacted by the breach.
MacLellan acknowledged he didn’t have hard and fast numbers to offer, but said “when you begin to look at the cost of remediation versus the cost of actually putting together a good system, the delta is pretty significant.”
This story was published by Ohio Capital Journal. Read the original here.
