Surviving ransomware: Advice for governmental lawyers
Realizing that governments serve many purposes for their citizens, it is often difficult to fully understand the scope of the possible vectors that are vulnerable to cyberattack. Governments must place cybersecurity on their lists of priorities for funding, often competing for attention with schools, police and public safety, sanitation, parks, roads, and water delivery. It is against this list of fundamental priorities that governments have often placed cybersecurity on the back burner.
That said, given the destructive nature of current attacks, governments across the country are re-prioritizing and devoting more resources to cybersecurity. Recent attacks in Texas, Baltimore, Florida, Colorado, Georgia and many other jurisdictions, both large and small, across the country underscore the necessity for governments to take a proactive stance toward cybersecurity awareness, training, infrastructure and funding.
Lawyers often touch all aspects of the daily operation of governments and are well positioned to be at the vanguard of cybersecurity. It is important to understand our roles as lawyers in responding to incidents as well as our role in helping our respective governments become more resilient in the face of these attacks.
Policies and procedures
As a best practice, governmental entities should have a cyber-preparedness assessment performed. This assessment will look at the entity’s current state of preparedness and identify potential vulnerabilities. A good assessment will also review the entity’s current policies and procedures, and cyber incident response plan. Because of the complexity of most governments, this assessment might be very involved. As lawyers, you should be familiar with this assessment and its outcome. Also, your direct involvement might add a layer of privilege to the process.
Needless to say, all governmental entities should have an incident response plan in place. This dictates step-by-step instructions to employees in the event of a cyberattack. All response plans should not only be thoroughly reviewed by the legal department, but the legal department should have a large role in creating the plan.
Despite all of the external threats that occur against your government’s network and IT infrastructure, employees are still the most used vector to attack an entity and are the biggest vulnerability.
Whether it is an employee clicking on a link to a malicious website, putting an infected thumb drive into a computer or becoming a victim of more advanced phishing techniques, employees provide the quickest and most expedient route to your network.
As such, you must make certain that employees only have access to the information and network areas that are needed to perform their job functions. Also, as part of the legal function, you should ensure that ongoing training for employees around cybersecurity and cyber awareness is occurring. You should strive to help create a “culture of security.”
Disaster recovery and business continuity
In many cyber events, outside resources will need to be quickly called upon and put into play. If these resources have not been identified prior to an incident, you will find yourself trying to locate the necessary resources instead of responding to the attack. Like most things, the quicker you can address the problem, the better the outcome will usually be.
To this end, governments should retain the necessary guidance and experience in order to make certain that their disaster recovery and business continuity plans take cyber-preparedness into account. Also, as a lawyer, you should be aware of and know these resources. An annual call with your external resources to discuss incident response will go a long way to having a smooth response should something actually happen. You should also consider inviting them to your table-top exercises.
In my experience, many municipalities don’t realize the scope and breadth of their systems. Whether it is call centers to assist constituents, the judicial system, delivery of water services, sanitation, public works or police and other public safety services, almost all services provided by governments are connected through IT systems. An attack on these systems has shown the ability to shut down these essential services.
Back-up, back-up, back-up
Perhaps the greatest resilience tool for a government is an adequate, safe and secure backup of its data. In the event of a major cyber or ransomware attack, the ability to quickly and safely restore data will be the difference between being down for a few hours or down for weeks (or longer). Backups should generally be housed off-site in a secure and segregated facility, either physically or virtually. As a lawyer, you should understand your entities’ back-up strategy in general terms and be aware of any contractual obligations on the vendor. As to vendors in general, you should also make sure that the procurement process as well as all contracts contemplate adequate vendor cyber security.
Lastly, we have seen backups that have been infected in attacks as well as backup plans that are not comprehensive. In the event of an attack, both will severely limit your ability to provide essential services to your constituents without interruption.
Bonding and financing public-private partnerships
Many governmental projects are financed through some type of bonding or other public finance structure. Increasingly, bondholders and rating agencies are asking about the cyber security posture of governments that are floating bonds or financing infrastructure or economic development projects. Rating agencies are well aware of the potential severe impact that a cyberattack or incident can have on the ability of a borrowing entity to repay sums owed. This increased scrutiny often shows up in the due diligence process and will only get more involved and detailed, thereby making your government’s cybersecurity posture even more important.
The role of the lawyer in response and recovery efforts
In the event of a crisis, as a lawyer you will also be at the forefront of the recovery and response efforts. Some of the tasks that you might be called upon to assist with are:
- Coordinating crisis communications, which is critically important in getting the correct messaging out internally and externally.
- Working with the various departments to ensure that constituent services are either uninterrupted or back online as soon as possible.
- Working with IT and the various departments on business continuity and response efforts.
- Daily coordination with elected officials to ensure that they are always up to speed and knowledgeable about where things stand.
- Coordinating open records and FOIA requests.
- Overseeing the standing up of manual processes across the various departments until systems can be safely brought back up.
- Coordinating efforts with the FBI, Homeland Security and the Justice Department.
- Overseeing the selection of vendors.
- Coordinating the procurement process to bring the vendors on board, which includes compliance and emergency procurements.
- Coordinating the payment of vendors and the billing process.
- Coordinating with outside counsel.
- Overseeing compliance efforts.
- Notifications to insurers and other relevant entities.
- Assisting with the coordination of the insurers to ensure that your municipality is in the best posture to be reimbursed under its cyber policies.
In the event of a breach or attack, a lawyer’s role will be multi-dimensional and critical to the response and recovery efforts.
As lawyers, we often find ourselves on the front lines in dealing with cyber-related issues and it is incumbent upon us to understand all of the issues so that we can ensure that our governments are well prepared. As it is often stated, the issue is not if something will occur but when.
Roy E. Hadley, Jr. is an attorney with Adams and Reese who serves as independent counsel on cybersecurity matters helps governmental officials and corporate boards understand and mitigate legal and operational risks and exposures to protect themselves and the companies/governments they serve. He also helps clients to respond to and recover from attacks should an event happen. He may be reached at [email protected].