After his local library had to shut down due to a ransomware attack, Indiana State Representative Mike Karickhoff realized that the state did not know much about how often such attacks were occurring.
Spurred on by similar crimes in Indiana last year, he decided to draft a bill requiring all public agencies to report cyber attacks to the state.
“It’s like neighborhood watch,” said Karickhoff, a Republican. “If your subdivision starts having burglaries, you tell everyone in the area that you have these burglaries. This is how the alarm bells are ringing.”
His measure was passed unanimously by both houses and Republican Gov. Eric Holcomb signed it into law in April.
“It wasn’t a red or blue thing,” Karickhoff said. “Everyone understood that it could quickly hurt a lot and that it’s nobody’s fault that they take safety precautions and they still fall short.”
Despite the magnitude of the problem, most states do not have such legal requirements, so they cannot always warn other agencies that may be affected or help strengthen their defenses. But that is starting to change.
This year, North Dakota also enacted a law requiring government entities to report all cyber attacks to the state, including ransomware (in which computer systems are locked until agencies pay a ransom or restore them themselves). West Virginia has done the same, but its law specifies that these must be “qualified” cybersecurity incidents, such as those that significantly affect an agency’s ability to conduct business.
And in Washington state, lawmakers passed a measure that requires all state agencies to report a major cybersecurity incident to the state office of cybersecurity.
“It’s a novelty. You realize that this reporting is very beneficial in understanding what is going on,” said Pam Greenberg, senior researcher at the National Conference of State Legislatures. “It’s a growing recognition of the problem and doing something about it.”
All 50 states already have security breach notification laws that require companies to report a data breach to consumers whose personal information has been compromised, according to Greenberg. Many states also require government entities to do the same and report such violations to the attorney general’s office or the state’s information technology office.
But ransomware and other cyber attacks don’t always involve the disclosure of personal information, she stressed, so there may not be a need to report them.
Ransomware attacks can be devastating and costly. In Baltimore, for example, hackers crippled thousands of computers in 2019, demanding a ransom, which city officials refused to pay. It ended up costing the city at least $18 million, a combination of lost or delayed revenue and expenditure on system restoration.
Indiana cybersecurity officials say the state’s new reporting law has worked well since it came into effect on July 1. So far, the state’s technology office has received 73 reports from governments, according to Tad Stahl, director of the Indiana Information Sharing and Analysis Center. Five involved ransomware, 36 involved compromised emails, and the rest were other types of cyber attacks.
The law requires each government entity to designate a contact person responsible for reporting a cyber attack and informing the state IT office who that person is. So far, around 500 people have signed up, Stahl said.
“This is extremely useful information to know, both for what it confirms you suspect and for what you didn’t know,” Stahl said.
In North Dakota, Michael Gregg, chief information security officer for the state’s IT department, said the new reporting law that came into effect in August will help strengthen relations between the state and local governments.
“The big problem is that it gives us another way to go out and communicate with these entities and better partner with them and provide them with the resources that they may not have,” Gregg said. “We can also go back and determine the lessons that have been learned.”
At least one other state has led the way: In North Carolina, cybercriminals have struck nearly two dozen local governments, school districts, and public colleges with ransomware attacks since early 2020.
North Carolina cybersecurity officials know this, and who was affected and how, only because a 2019 state law requires all public agencies to report such incidents to the state.
Lack of data
No one has complete data showing how many state and local governments are victims of ransomware attacks.
“When we go up to Capitol Hill, we are asked all the time, ‘What are the numbers?’ It’s hard to say because no one keeps statistics and sometimes they go unreported,” said Meredith Ward, director of policy and research at the National Association of State Chief Information Officers.
In the group’s annual survey last month, state information officials overwhelmingly singled out ransomware as their top cybersecurity concern.
If reports were required in all 50 states, it would allow state cybersecurity officials to provide residents with training assistance and other resources, Ward said.
“Cyber security is a team sport at all levels,” she said. “We tend to have these silos in government, and cybersecurity is one of those issues where it can’t be the norm. It’s too big a problem, too big a risk.”
Sometimes agencies that have been victimized don’t disclose breaches because their cyber insurance company tells them not to, she said. And sometimes they’re just ashamed.
“There seems to be some embarrassment that they were caught with their pants down,” said Alan Shark, executive director of the Public Technology Institute, a Washington, DC-based nonprofit that provides advisory services to local information technology managers.
“Governments love to talk about transparency and open government, but there’s this knee-jerk reaction to hold back as much as you can because they’re worried it will tarnish their image and people won’t feel confident about the leadership of the organization.”
Shark said he was “puzzled” as to why states did not require all government entities to report these incidents.
“Mandatory reporting could lead to better training and better safety oversight and the state could provide more proactive measures to help. It is obvious.”
Shark pointed to a major ransomware attack in Texas in 2019, when nearly two dozen cities were targeted around the same time. Texas state officials formed teams to help these governments, which were unaware of the other attacks, and helped restore their systems.
“I think all public institutions including K-12, public hospitals and mosquito districts should report ransomware,” Shark said. “The implications are huge across the board, and this should be addressed.”
Local governments can bristle at being forced to send such information to the state, experts say.
“It can be a very delicate subject because of autonomy in states and localities. Walk on your toes,” said Ward, of the National Association of State Chief Information Officers. “Some local governments think this can be seen as opening that door. If I have to let you know, what happens next? It’s a Big Brother type mentality.”
In Indiana, James Haley, the chief information officer for the city of Fort Wayne, called the new mandatory reporting law “reasonable.” He said it’s similar to the type of reporting his office would do anyway to notify local officials and senior executives of a cyber incident.
“I think the information collected could be useful if the people who collect it summarize and distribute it effectively,” Haley wrote in an email to Stateline.
Kent Kroft, chief information officer for the Tippecanoe County Government in Lafayette, Indiana, acknowledged that many local IT officials across the state were concerned about Big Brother when they first learned of the proposed legislation.
“There was a clear concern that it was too heavy, that the IT department would come and tell you how to do things,” Kroft said. “Being in IT we still have this paranoia anyway.”
But after much discussion among county chiefs, state officials and lawmakers, Kroft said it had become clear that it was a good idea for the state to be able to understand what was going on with the cyber attacks, whether other entities should be alerted and how state officials could offer assistance to communities, if they needed it.
But that’s not all you need to do when it comes to cybersecurity, he added.
“There is a long way to go to educate elected officials of the state on the importance of this and devote funds to it,” he said.
Photo: State officials Amanda Crawford, right, and Nancy Rainosek, left, stand inside the Texas Department of Information Resources command center in July. After a ransomware attack in Texas in 2019, state officials formed teams to help communities that were unaware of similar attacks happening at the same time. Chuck Burton/The Associated Press.
Source: Stateline, an initiative of The Pew Charitable Trusts. The original article can be found here.