Local governments are most vulnerable to ransomware attacks, experts say
Chief of Operations Matthew Lewis speaks during a news conference as Suffolk County Police Commissioner Rodney Harrison looks on outside police headquarters in Yaphank on Sept.19. Police at the time announced additional steps they were taking to battle the Sept. 8 cyberattack on Suffolk County government. Credit: James Carbone
ALBANY — The Sept. 8 cyberattack on Suffolk County government highlights how vulnerable local governments are to the growing threat of ransomware attacks, which can freeze government computers and data, threaten residents' privacy and credit, and disrupt services, experts said.
Yet despite years of warnings, local governments in general have been unwilling, incapable or unable to afford to fully defend themselves against a threat that demands extraordinary resources and expertise, experts said.
The response in New York State is exacerbated in part because local governments aren’t required to report when they are attacked, which may mask the true extent of the problem and hamper efforts to avoid future attacks, they said.
“Ransomware is the existential threat of our time, and we have to find a way for local governments to understand that,” said State Sen. Diane Savino (D-Staten Island).
Local governments are now second only to academia as targets of ransomware, according to the FBI.
"Underfunded public sector organizations’ understaffed and outdated systems often put them in the position to pay ransoms simply to get the data back,” the FBI stated in a warning to governments this year.
“Local governments were the least able to prevent encryption and recover from backups and had the second-highest rate of paying the ransom compared to other critical infrastructure sectors,” the FBI report stated.
Local governments said they live that reality.
“Every day, local governments across the state face cyberattacks that can result in hundreds of thousands of dollars in damages and put critical local services — like public health and safety — in jeopardy,” said Stephen Acquario, executive director of the New York State Association of Counties.
In Suffolk, officials said some residents' "personal information" were accessed and urged them to closely monitor their bank accounts and credit reports. The hackers provided evidence of their success by releasing some documents it obtained, such as speeding tickets and court records that included individuals' names. The hackers are seeking an unspecified "small reward" for identifying vulnerabilities in the county system.
There are many reasons for that vulnerability to local governments and their residents, according to experts in and out of government.
“Governments are very good targets for ransomware actors in that they know the security tools they have are going to be easier to attack than a major corporation,” said Thomas J. Holt, a criminal justice professor at Michigan State University who researches hacking and ransomware. “They understand that these entities are willing to pay … they need to provide services immediately.”
Holt said victims can be reluctant to report they were successfully attacked out of fear of the public reaction and that disclosure would make their systems look vulnerable. The state Department of Financial Services cites a 2021 national study that found 80% of victims that paid ransoms were hit again.
"Ransomware as a threat is not going anywhere,” Holt said. "It’s a question these days of when — not if — you get hit."
Ransomware is inserted into computer systems in the public and private sectors through measures that include emails, phishing emails and ads. The increased use of remote work has made the task easier because some employees worked from home during the COVID-19 pandemic through less secure remote connections or on their personal computers, experts said.
The cost of the ransoms has grown into the millions of dollars.
Holt said that even if federal authorities can track down culprits, many of them operate out of Russia, from where suspects can’t be extradited for prosecution in the U.S.
"In general, ransomware operators are arrested in very small numbers," Holt said.
In addition, state officials note the cost of cybersecurity insurance has skyrocketed because of increased payouts.
In New York, Savino said part of the vulnerability of local governments is because counties haven't spent enough to protect themselves against the threat. She said the state should require local governments to devote more resources, in part because an attack on one local system could infect others and the state's network because the systems interact with each other.
Further, the local governments aren’t required to report they were hit by ransomware, according to the state Division of Homeland Security and Emergency Services.
That was a concern as far back as 2019 in a report by state Comptroller Thomas DiNapoli. The report said that while state agencies must, by law, notify New York’s Cyber Incident Response Team of such cyberattacks, local governments don't have to. The report stated: “Such a requirement could help increase awareness of cyber incidents among local governments and standardize responses.”
School districts already are required to report attacks to the state Education Department, and Long Island schools reported 29 incidents of ransomware, computer hacks and other cyber incidents over the last three years.
Savino has proposed legislation to require local governments to report cyberattacks as well as prohibiting paying ransoms to the hackers, but it has languished in committee so far.
Another bill, introduced in 2020, would have created a $5 million fund to help local governments upgrade their cybersecurity against ransomware and other attacks, while also prohibiting use of public funds to pay ransomware perpetrators. The sponsor, Sen. Phil Boyle (R-Bay Shore), called it a carrot-and-stick approach to force action to defend against cybercrime.
“Ransomware attacks have been occurring for decades while New York State and our county have been very slow to protect themselves,” Boyle said. “I think residents would be outraged to learn that millions of dollars of their taxpayer money may be required to pay ransoms to some shadowy hacking group, probably run by a teenager in another country.”
That bill remains in committee.
The Hochul administration has announced several measures this year to combat ransomware in local governments.
On July 21, Hochul announced the state would allocate $30 million for a shared-services program to help counties with cybersecurity, including tools to defend against ransomware.
The administration and the State Legislature are providing free services to counties, including software, the expertise of a growing staff of cybercrime experts from Homeland Security, training, testing of local systems, and “tabletop exercises” of simulated attacks. Local officials will have the option of sharing information with the state’s Cyber Incident Response Team — experts from several state agencies which was created in 2017 — and the Joint Security Operations Center in Brooklyn. The Joint Security Operations Center is first dealing with New York City, Albany, Syracuse, Buffalo, Rochester and Yonkers.
“Ransomware is big business, and it’s been around for a long time,” said Michael Balboni, former state homeland security adviser and president of Redland Strategies, whose services include emergency and crisis prevention and management. “These are international cybercriminals making tremendous amounts of money on this … these are not kids in their basement hacking.”
Despite the growing threat, Balboni and others in the field said local governments have been slow to respond partly because municipalities need to reckon with the vast spending on resources for new computer systems, programs and expertise.
“What happens here is that as much as ransomware is in the news, nobody thinks it’s going to happen to them,” Balboni said.
Michael Gormley has worked for Newsday since 2013, covering state government, politics and issues. He has covered Albany since 2001.
