More money is needed to tackle the problem, especially as states deal with an unprecedented economic crisis caused by the pandemic. It's unclear whether Congress will foot the bill.
States, municipalities and critical infrastructure have borne the brunt of the ransomware, which historically has not been treated as a national security risk by federal policymakers until very recently.
Rob Knake, former Director of Cybersecurity Policy on the National Security Council under the Obama administration, said there was a perception that allowing cyber criminals to hit the lowest hanging fruit – ill protected municipalities, hospitals, companies and other institutions -- would provide incentives to drive better investment and security behavior from others.
"It really wasn't at the same level as say, Chinese espionage or Russian election interference. Those are the topics that the national security community had been focused on," said Knake at a May 4 webcast hosted by the Council on Foreign Relations.
Other than guidance about cyber hygiene, "we really haven't seen strong leadership coming from Congress or coming from the White House or for that matter the Department of Homeland Security," Knake said.
The financial pressures facing cities and states because of the coronavirus has changed this equation.
A number of lawmakers on Capitol Hill are pushing to include a dedicated pot of federal funding in future COVID-19 relief bills that states and localities can draw from to bolster protections. One such bill would set aside $400 million per year for states to tackle ransomware and other cyber threats.
Matt Pincus, Director of Government Affairs at the National Association of State Chief Information Officers, told FCW engagement from Congress and other policymakers around the issue has improved substantially following the high-profile ransomware attack on the City of Baltimore last year. However, one-size-fits-all solutions are hard to come by, as each state has their own policy on how employees should use personal devices, patch their systems and how to conduct telework safely.
"I would say that all the additional responsibilities of state IT [officials] since the pandemic began have exacerbated the amount of responsibility they have in the cybersecurity world," Pincus said in an interview.
NASCIO helped craft the $400 million funding proposal and has lobbied for lawmakers to include it in future coronavirus relief bills. One of the top asks the non-profit has heard from State IT leaders is the need for more training to school their employees on how to avoid phishing lures and other tactics that provide an initial foothold to ransomware actors. Pincus said multi-factor authentication, endpoint security, software patching tools and remote security assessments were also flagged as cybersecurity needs.
Referencing the Obama administration's "Cash for Clunkers" vehicle reimbursement program, Knake suggested Congress should approve a "Cash for COBOL" program to fund the replacement of outdated systems and code.
Adam Meyers, Vice President of Intelligence for cybersecurity firm CrowdStrike called ransomware "the single biggest threat that we've seen to enterprises today."
Over the past 18-24 months, cyber criminals have drifted away from other types of crime like bank fraud and wire fraud have transitioned their operations to ransomware and have increasingly targeted large entities that have an operational necessity to be up and running at all times. They leverage exposed services like Remote Desk Protocol or deliver banking Trojans and other malware spambots, all in service of an increasingly large payday.
"Ransomware actors have I think realized there's a cash cow in targeting many of these organizations, particularly when you get down to the state and local governments that may not necessarily have the cyber resources to protect themselves adequately…they're able to use that to their advantage to get these organizations to pay," said Meyers.
The Cyberspace Solarium report highlights confusion about accountability over ransomware is one of the major blind spots facing U.S. cybersecurity.
"Who is responsible for setting priorities (and providing funding) when it is necessary to 'turn the lights back on' following a major cyberattack… How do local hospitals, water treatment facilities, and municipal offices ask the federal government for assistance during a sustained ransomware campaign?" the report asks.
Pincus said NASCIO has historically gotten pushback from the Hill about subsidizing cybersecurity for state and local governments. His hope is that the COVID-19 pandemic has demonstrated that these entities are often on the front lines of processing benefits passed by lawmakers to deal with the crisis.
"The federal government charges the states to administer hundreds of federal programs…even funding that's in the CARES Act," he said. "If you want unemployment insurance to be distributed amongst citizens, you need to make sure that you have systems that are capable of doing it."
Rep. Dutch Ruppersberger (D-Md.) has successfully pushed for more federal funding to states and localities for their cybersecurity needs in the past and was one of four members who requested House leadership include regular grant funding in a future stimulus bill. A spokesperson for Ruppersberger's office told FCW they have not heard back from House leadership since sending the letter in mid-April.
"I think the challenge is going to be convincing members of the connection between the pandemic and ransomware," the aide said, noting that emphasizing how greater reliance on digital services by many states and municipalities during the lockdown offers one such avenue. "I think it's going to be a messaging battle."
A spokesperson for the House Homeland Security Committee said members are still pushing House leaders to include the bill in future spending packages.
One thing most agree on: all parties should do everything they can to avoid paying the ransom. Pincus said NASCIO's message to states is the same as those offered by the Cybersecurity and Infrastructure Security and other federal agencies: don't pay.
Knake said organizations today are paying a price for past decisions made by organizations who failed to heed that advice.
Criminal groups have "built these organizations starting from that $50 ransomware from your grandmother's computer, taking that money and reinvesting it in their capability and so what we're seeing today is the result of that," Knake said. "We have grown these criminal enterprises, we have paid their R&D budgets and now they are targeting us and we are in very bad shape."