Why the public sector is an easy target for ransomware

Security experts discuss how local and state governments can fight back

We’re on track for 2023 to be a record breaking year for ransomware attacks targeting the U.S. public sector.

These attacks, which includes both traditional encrypt-and-extort and newer data theft-only attacks, know the public sector is an easy target: It’s no secret that local governments have small IT budgets and limited cybersecurity resources. At the same time, these entities often hold data that is extremely valuable, be it housing information or student and patient records.

“When add to that the lack of funding that they have for security, they make an easy target,” said Allan Liska, threat intelligence analyst at Recorded Future, said during a panel at TechCrunch Disrupt on Thursday. This panel looked at what the public sector can do to fight back against ransomware attacks — and how the U.S. government can help.

Fighting back is no easy task. MK Palmore, former FBI agent and director in Google Cloud’s Office of the CISO, said that while public sector organizations are rapidly expanding their digital footprints, many are adding a huge amount of complexity to their environments that often only a small number of security practitioners are responsible for protecting.

“That challenge can be relatively insurmountable,” said Palmore, speaking on stage.

This challenge is made even more difficult by the supply-chain risk posed to public sector organizations, many of which rely heavily on third-party tools and outside contractors.

“Organizations have to do due diligence, which gets to be pretty challenging due to issues like limited workforce and the unwillingness of organizations to adopt tools that would allow this to be automated,” said Liska. “You also have to think about your data supply chain, which we saw in particular with the MOVEit breach. Understanding where and how your data is being stored, who has your data, and so on is an additional challenge.”

What first steps should public sectors implement to overcome these challenges to successfully fend off ransomware attacks? According to both Liska and Palmore, moving away from a Windows environment.

“I’ve never seen a mass ransomware attack and an all Mac network,” said Liska. Palmore added that “there have been zero documented instances of ransomware being able to proliferate against a Chromebook.”

Organizations also need to make sure they are not adding unnecessary tools to their environment, according to Liska. “I think that’s something that we as security vendors have failed our customers; our answer to every problem has been to create a tool, so you wind up with a hundred different tools in your organization.”

Ultimately, however, it’s key that public sector organizations don’t take on these challenges alone. The U.S. federal government has made strides in its fight back against ransomware in recent months, with the launch of the K12 cyber resiliency effort and the announcement of more security funding for state governments.

The feds also helped to tackle the wider ransomware problem with a number of successful takedowns, such as Qakbot, and sanctions against ransomware operators from some of the most notorious gangs.

Liska said that while largely symbolic due to the fact that most of these operators are based in Russia and cannot be extradited to the U.S., these sanctions do act as a deterrent. “It doesn’t necessarily stop the attack and it doesn’t stop the data from being sold or used for malicious purposes, but it does make it less profitable to be a ransomware actor,” he said.

Palmore said that while the U.S. has made strides, more can be done to help cash and talent-strapped public sector entities. “Public private partnerships have proven to historically help solve really intractable problems like the one that we’re facing with ransomware, so there needs to be a lot more cooperation from private sector entities participating with government.”

“When I was in government, 32 years worth of time, we always felt like we could just hire to solve problems, but we’re in an environment where we can’t count on just bringing additional personnel resources to the table. Technology is going to play a key role, government is going to play a key role — it’s an all hands on deck effort,” said Palmore.

Source