Responding to ransomware: Questions government business and tech leaders should ask

When confronted with ransomware attacks that hold government data hostage, public leaders are forced to decide between paying the ransom or being without government services until they can be restored or rebuilt. At a time when COVID-19 requires a government of any size to function at the highest level, ransomware can bring public services related to utilities, law enforcement, and emergency response to a jarring halt.

Though it’s hard to say which city or town might be next, it’s nearly certain that ransomware attacks will continue to target governments around the country. Answering the following questions can provide insights into how governments, large and small, can protect themselves from these insidious attacks.

Questions for government business leaders

Are we prepared?

The first question for senior government leaders is whether you are prepared. Reverse planning can help answer this question. For example, in the event of a ransomware attack, which systems can the city not function without, and are those sufficiently protected? More than physical IT systems, being prepared is also about people. Do you have the right talent in place to thwart a ransomware attack or respond appropriately in the event of one? Do all government employees have the right training to avoid letting ransomware in?

Having an IT recovery back-up system and routinely testing it to confirm it works is also essential. Cyber wargaming exercises have become commonplace within the federal government and the commercial sector. State governments would do well to embrace these leading practices.

If attacked, can we recover, and if so, how long will it take?

The pervasiveness of ransomware attacks is often due to the increasing number of attack surfaces. Every city computer, connected police car, and employee email account are all possible access points through which ransomware can enter. So, while being prepared can potentially stave off and lessen the severity of attacks, there are simply too many entry points to assume confidently that a ransomware attack won’t make its way into a city or town’s network. This makes knowing if and how recovery occurs imperative. Understanding recovery means knowing the likelihood of success and the options available for the best chance of successfully regaining access to encrypted systems and files. It means knowing what systems the city can go without and for how long so that leaders can communicate the effective recovery to stakeholders and citizens. It also means having a decision-making process in place to evaluate whether to pay the ransom.

How do I secure funding for cyber resiliency?

Ensuring the municipality’s systems are properly resilient requires funding: training for staff, back up and security measures that need to be assessed and implemented, cyber insurance, and potentially new systems or support services. One helpful step to securing funding is to ensure budget leaders are properly educated on the risks and challenges of ransomware. Do they know how pervasive it is or how costly it can be to clean up? Partnerships with neighboring counties, cities, or at the state level can also help. While any city or town will have to budget, it’s imperative that the case is made for securing the IT systems necessary for the government to function and provide services.

These three simple questions can be difference makers for protecting governments against ransomware, but they aren’t the only questions that should be asked. Government technology leaders also have questions to ask.

Questions for government technology leaders

Do I know our network?

But really, do you know your network? Do you have a catalog of all endpoints or understand where vulnerabilities exist and why? Do you know which systems are critical, like those for emergency response, or where information is stored and where it is backed up? Do you have the right skills within your team to perform updates and administrative tasks? Knowing your network can keep IT leaders informed of their IT needs; it’s also necessary for answering the next question.

Am I confident of restoring systems from secure backup?

What may seem like a straightforward question may be less so when examined in detail. A city or town has several necessary servers, software tools, back-ups, and other IT systems, all of which may have unique requirements for protection. For example, how you protect and service an air-gapped system backup server is likely different than how you protect other IT systems. Knowing how each system needs to be defended and why is a critical second step. Deciding how to allocate limited resources depends on an honest appraisal of what is required to be confident in your ability to restore from backup.

Do I understand how to respond after an attack?

Firefighters have preplanned responses that manifest as muscle memory in the event of an emergency call. While IT admins may not have sirens to indicate they are responding, their response to a ransomware attack should be muscle memory, nonetheless. Understanding what steps to take quickly can have major implications for how bad a ransomware attack becomes; but in some cases, government leaders don’t have plans in place. The ones that do are often outdated or not specific enough, and they aren’t exercised frequently to create muscle memory.  Setting a plan in place to inform IT leaders and government employees at all levels — and routinely rehearsing it — is necessary to achieve success.

Answering these questions can seem like an academic exercise, but being unable to answer them can put a government at risk. When ransomware strikes, unprepared leaders may feel no other alternative but to pay the ransom, which not only doesn’t guarantee a return of encrypted systems, but our research indicates that it may in fact fuel further ransomware attacks. The only way to break the cycle of ransomware is for governments to be prepared.

Doug Powers is a managing director in Deloitte & Touche LLP’s Cyber Risk practice specializing in providing managed security services to help clients protect and defend their Internet of Things (IoT) and operational technology (OT) ecosystems. Contact him at dpowers@deloitte.com.