Cybercriminals are often faceless, so imagining what motivates them can be hard for agencies. But cybercriminals are, at best, opportunists and, at worst, predators.
Emergencies such as the COVID-19 pandemic attract cybercriminals because agencies that are already overwhelmed by external circumstances are ripe for the picking, Texas Chief Information Security Officer (CISO) Nancy Rainosek said. In an interview with GovLoop, Rainosek explained how agencies can navigate treacherous paths such as COVID-19 or ransomware.
This interview was lightly edited for length and clarity.
How do state and local agencies’ budgets, citizens and workforces affect how they handle ransomware?
Many government organizations, particularly at the local level serving smaller portions of the population, are often challenged on how they spend their limited resources. This limits their ability to keep systems current and have the IT personnel on staff to adequately handle ransomware events. Organizations often outsource their IT to a managed service provider that is responsible for their systems’ availability and backups. This is what happened in August 2019 in Texas. One managed service provider was impacted, and the ransomware spread through their remote management software, which led to 23 organizations being impacted all at once.
What impact can major problems such as the coronavirus pandemic have on state and local agencies’ abilities to fight ransomware?
It can have several impacts. Now, more than ever, hospitals need to have working equipment to save the many lives impacted by this pandemic. Ransomware is not just something that attacks computers; it can attack medical devices as well. Hospitals are highly automated, from patient records to essential medical devices. I cannot imagine what it is like working in a hospital right now, and to introduce malware to impact their ability to serve their patients only complicates things and prevents hospitals from treating at-risk patients.
Telework also increases the attack surface and introduces new levels of risk, because people are using home networks, which may have unknown vulnerabilities.
Finally, a situation such as this pandemic causes fear and increases people’s desire for information about the current situation. This creates a situation in which people will be more easily duped into clicking on a link to retrieve information, only to be infected.
How should state and local agencies respond if ransomware strikes their networks?
First, disconnect impacted machines from the internet and their networks. If they can leave machines disconnected but not powered off, there may be evidence in the memory on those machines that law enforcement can use to try to catch the cybercriminal.
Secondly, contact law enforcement. This is a crime and we recommend contacting the local FBI office.
Next, have someone who is experienced in incident response lead the effort to bring systems back to normal. We never recommend paying the ransom. When someone pays a ransom to retrieve their files, they are funding these criminals to perform further attacks and develop more sophisticated tools.
Lastly, I would not have someone immediately log into a backup system to retrieve files. If you have ransomware crawling through your network, you need to be very careful to protect your backups so that they do not get encrypted when you log into the backup system.
What do you want readers’ main takeaway to be?
Ransomware is real and can have a major impact on how governments perform their business, and therefore how citizens perform business. People often think cybersecurity is not a main part of their mission. If you can’t issue marriage licenses, enable property sales or arrest criminals, you can’t perform your mission. Technology is important and involves investment to make sure it is implemented properly and is secured so it works effectively and keeps criminals out.