The Washington Post: Democracy Dies in Darkness

Ransomware poses threat to vulnerable local governments

For years, hackers have been using methods as simple as phishing emails to steal data, lock computer systems and demand a ransom. Local government agencies, including school districts, city halls and police departments, are among the most vulnerable to these kinds of attacks. (Fred Tanneau/AFP/Getty Images)
Ransomware is the invisible threat that’s sweeping the nation.

President Biden publicly committed to aggressive action on cybersecurity and defending American infrastructure. Recent high-profile attacks left people panic buying gas along the East Coast and debilitated hundreds of institutions around the globe.

But underneath the big attacks, in the metropolitan area surrounding the nation’s capital where security is a top priority, local government agencies such as school districts, city halls and police departments are among the most vulnerable to ransomware attacks, experts say.

In April, D.C.’s police suffered an attack, with a group posting purported department data after making demands for money. In the fall, Baltimore County Public Schools and Fairfax County Public Schools faced similar attacks, causing online classes in Baltimore County to stop for a brief time. And the Hampton Roads Sanitation District and Bristol Police Department in Virginia became victims last fall and winter.

Often strapped with small IT departments, aging computer systems and limited budgets to allocate to cybersecurity, local governments across the country make for ill-equipped and easy targets for cybercriminals.

“Where we have a soft underbelly as a community is that middle layer of what we call societal infrastructure,” said George Thomas, vice president of innovation and strategic initiatives at Connected DMV, a group representing the local academic, nonprofit, public and private sectors. “Think schools, think water utilities, think service organizations, think smaller local governments, all of that.”

Thomas said the Washington region faces unique threats given its proximity to major national security information and sources. Connected DMV’s regional cybersecurity initiative was developed to pool resources from some of the bigger agencies in the area to help smaller ones and better protect infrastructure in the region as a whole.

Ransomware is not a new threat. For years, hackers have been using methods as simple as phishing emails to steal data, lock computer systems and demand a ransom. It’s often paired with a threat of releasing the data online if an agency or individual doesn’t comply.

What has changed is public concern surrounding the threat. Attacks, such as one on the Colonial Pipeline system that prompted a run on gasoline in May, brought new attention to ransomware concerns as many Americans experienced firsthand the seismic effects of these attacks.

Cybersecurity experts have warned for years about the damage such attacks could cause.

Beyond disrupting day-to-day functions, attacks on local governments can rack up millions of dollars in recovery costs, even when an agency doesn’t pay the ransom. Such attacks also erode the integrity of critical systems that manage services like water, public safety, personal data and voter registration.

“Just because we can’t see [ransomware], we have this kind of perception that everybody is on their own,” Thomas said. “What we really need to be doing is figuring out how we can provide a collective umbrella to shield us from the cyber criminals and state actors that protects the individuals, but in essence, is protecting all of our society.”

In 2019, cybersecurity experts noticed a significant uptick in ransomware attacks on municipalities across the country. In 2020, at least 2,354 governments, health-care facilities and schools in the United States were affected by ransomware and in 2021 the threat remains consistent, experts say.

According to the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC), a federally funded organization tasked with helping to improve cybersecurity for state, local and tribal government entities, 75 ransomware attacks across the country were reported by its 11,000 members between Jan. 1 and June 4.

Brett Callow, threat analyst at Emsisoft, a cybersecurity firm, said local governments are not necessarily targeted more by ransomware groups. Rather, they are hit because they operate inadequate security systems and get caught in a widely cast net.

“Most ransomware attacks are spray-and-pay in nature, and those hit are the ones with the weakest systems,” Callow said. “Local governments seem to have the weakest systems.”

At the state and federal levels, there are entire departments dedicated to cybersecurity. There are specific guidelines, systems and “cyber hygiene” practices aimed at limiting vulnerabilities.

The District’s local government has an extensive cybersecurity plan and resources to defend against attackers, according to the city’s website.

Attackers often don’t know exactly whom they’re attacking when they go after city resources, Nina Liggett, spokeswoman for the city’s Office of the Chief Technology Officer, wrote in an email.

“Because we are in the Nation’s Capital, we are often mistaken for the federal government, yes we are, but the bad guys don’t seem to understand that,” Liggett wrote.

Mayor Muriel E. Bowser (D) added $8 million for cybersecurity efforts in the fiscal year 2022 budget.

But for smaller local governments in Maryland and Virginia, most of that protection is often missing.

Government and private cybersecurity experts agree that limited resources are the root of the problem. Local governments often have outdated computer systems. They lack personnel, or qualified personnel, to manage these types of attacks, and they don’t have the money or time to devote to cybersecurity.

“They are not, number one, thinking about security most of the time,” said Mike Watson, Virginia’s chief information security officer. “They’re doing a lot of the other basic government functions that we look at on our local level. And that cybersecurity component isn’t always something that they fully understand.”

Watson, whose office mainly services state agencies, said the Virginia Information Technologies Agency works with localities, such as Fairfax County, to help provide resources and training to improve their systems.

At a cybersecurity summit hosted July 29, leaders and experts from across the country convened in Annapolis to discuss federal, state and private-sector efforts to protect the nation’s infrastructure from cyberattacks.

In a brief discussion about the threat to local governments, Maryland Gov. Larry Hogan (R) acknowledged the lack of resources in comparison with state and federal agencies.

“We probably shouldn’t have left local government out of that conversation,” Hogan said.

Maryland Chief Information Security Officer Chip Stewart said the state tries to help local governments build stronger response plans and cyber infrastructure to protect themselves. He said it has been working especially closely with school districts.

“I know that many of those school districts are working very hard to ensure that they’re not the next ones on national news,” Stewart said.

In 2020, K-12 schools emerged as an especially vulnerable group as they faced a barrage of ransomware attacks. A year of online learning opened the door to a host of new vulnerabilities.

In the fall, Baltimore County Public Schools suffered a ransomware attack that forced the school district to cancel classes for two days and racked up recovery costs in the millions. Fairfax County Public Schools, one of the largest school districts in the country, similarly fell prey to a ransomware attack that resulted in stolen data being published online. In May, the system launched its first Office of Cybersecurity to address the growing concern.

“The new team, among the many competing cybersecurity priorities, will focus on strengthening Division’s cybersecurity defenses, protecting student and staff data from unauthorized access and help build a strong cyber-aware workforce and student body,” district spokeswoman Julie Moult wrote in an email. “The office will also work proactively with large and small educational technology vendors to ensure cybersecurity is not an add-on or an afterthought as in many instances this past year delivering education was dependent on reliable and secure technology systems.”

Just how big a threat ransomware poses to municipalities specifically remains a mystery because many attacks go unreported, experts say. Many state laws that require reporting of cyberattacks apply only when a certain threshold of breached data is reached. If no data is taken, small agencies and companies are often off the hook from reporting.

“Knowing what is happening and how it is happening is the first step to stop it from happening,” said Callow, the threat analyst.

Experts say there are a number of reasons agencies don’t report attacks. They say sometimes it’s financially easier to just pay the ransom. It can also be embarrassing to admit to having weak systems.

“There’s a PR element to all this,” said Thomas of Connected DMV. “Some agencies, schools, banks, especially the privates, don’t want to ever say they are vulnerable, because they think then people will not bring business to them.”

Ed Mattison, executive vice president of operations and security services at the Center for Internet Security, emphasized the importance of reporting attacks to get a better understanding of the issue. He said MS-ISAC doesn’t publicly disclose reports, so local agencies can feel more comfortable reporting.

“Number one, we need as much information as possible to understand the full scope of the problem,” Mattison said. “But number two, we also need to report so that if there is information stolen, that proper notifications are done.”

Even if attacks are reported to law enforcement, attacks on smaller agencies often fly completely under the radar and never become public.

In January, the Bristol Police Department in southwest Virginia suffered an attack. It knocked the system offline and forced staff back to pen and paper for some functions, Capt. Maynard Ratcliffe said.

“We lost quite a bit of information,” Ratcliffe said.

But the attack didn’t appear in headlines until late July — when the cyber criminals posted an auction for the data purportedly stolen from the police department.