At any given moment, there are between 190-200 countries in the world. For now, nine countries have nuclear capabilities (although Israel will neither confirm nor deny). According to the Arms Control Association, there are about 14,500 nuclear warheads. Russia and the United States have 90 percent of the total arsenal. MAD — mutually assured destruction — has kept Russia and the U.S. from obliterating each other. Unfortunately, there’s a new kind of arms race that is threatening to upset the balance of power — in cyberspace.
Ransomware had democratized the proliferation of cyber weapons. No longer confined to state actors, this malware is being used indiscriminately against any vulnerable target. And the target of choice for now seems to be the public sector; state and local governments who still remain unprepared to repel an attack. Atlanta should have been a clarion call. It appears it may be falling on deaf ears.
{mosads}Government now holds the distinction of being less secure than the health care industry. The “2017 U.S. State and Federal Government Cybersecurity Report” from SecurityScorecard ranked government 15th in security out of 18 major industries. Health care came in at 12th. Two areas that could help government repel ransomware attacks are two areas where they come in near the bottom.
The first is called patching. Software has vulnerabilities. When they are discovered, the developer of the software will create a patch to fix problem. Applied quickly, this will deny attackers the ability to exploit the known vulnerability. Government ranks a miserable 16th in patching, ahead of only the construction and pharmaceutical industries. Atlanta knew they should have patched, and didn’t. It could have saved them nearly $10 million and counting.
The second is called endpoint security. With the explosion of BYOD (Bring Your Own device), combined with a more mobile workforce, that are more devices than ever connecting to the government network. This complexity in securing the network favors the attacker. More devices equal more opportunities to find a route inside. Government ranks next to last.
And it’s about to get worse. In 2016, only 13 percent of public sector entities were a victim of ransomware. In 2017 it jumped to 31 percent, and in 2018 is expected to hit 38 percent. With 50 states, 3,200 counties, and about 19,000 cities that’s going to be a lot of politicians talking about how they take cybersecurity seriously — now.
In my previous article on the Atlanta ransomware attack, I wrote:
“Emergencies rarely make appointments. But in Atlanta’s case, warning shots were fired many times and ignored. As early as nine months before the crippling attack. And yet, the attackers met little to no resistance.”
Government organizations that fail to prepare for the next assault should be investigated for waste, fraud and abuse. It’s more than taxpayer money; it’s irreplaceable government records.
Speaking of money, the business model for ransomware is simple: It’s all about the money; bitcoin, to be precise. Criminal gangs have become so adept at infecting systems at scale, they have even set up customer service centers that will walk a victim through the process of setting up a bitcoin account and funding it with the ransom.
There’s a lot of money being spent on information technology (IT) in city and county governments. According to a 2017 report from Government Technology, which I worked for in the past, cities spend north of $30 billion and counties round $22 billion. Yet most agencies spend less than 5 percent of their IT budget solving cybersecurity problems.
This lack of spending has only fueled the growth of ransomware and services associated with storing, selling, and monetizing the ill-gotten data. There is RaaS, or Ransomware as a Service. If you don’t know a lot about launching a ransomware attack, have no fear. You can pay to have one launched, and split the proceeds.
A Dark Web market has popped up to help launder bitcoin. Criminals trusting other criminals isn’t exactly new, but the marketplace is a novel approach. For the skittish cybercriminals who don’t want to deal directly with their victims, Ran$umBin was created to fill a void in the market.
Ran$umBin lets the criminal “upload stolen data which contains user credentials, credit data, stolen identities and any other kind of cyber-loot and on the other hand it lets the victims pay for the removal of those stolen data from the Dark Web, where any cyber criminal can buy the stolen data.” It’s the law of supply and demand. If you supply enough fear, victims will demand an easy way to get their data back.
Think your data is safer in the cloud? Some experts think there will be a cloud data center-focused strain of ransomware soon. Another target is the small-to-medium businesses. They take advantage of moving their files to the cloud, but will generally not have backups or know how to recover from an attack. It’s tough to hire a top-tier security whiz when you’re a main street business.
Ransomware is a growing business. At least $1 billion and growing. The number of attacks can be overwhelming. In Texas, the state IT agency blocks “billions of instances of malicious traffic a year, with an average of 3 billion monthly intrusion attempts at last check.” And the actual experts are frustrated. State chief information officers and chief information security officers have been raising their collective hands, trying to get attention from the politicians who control the budget. About 40 percent say the frequency of attacks is increasing, even on an hourly basis.
It’s not a fair fight. But we have to toughen up our defenses and make sure the bad guys get at least a bloody nose when attacking state and local government. We’ll leave global thermonuclear war for later. That appears to be easier to defend against.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.