Omaha, Nebraska 2021-11-30 05:00:00 –
Indiana Rep. Mike Karickhoff realized how little the state knew about the frequency of such security breaches after a ransomware attack forced a local library to close.
Last year, spurred by similar crimes across Indiana, he decided to draft a bill requiring all public authorities to report cyberattacks to the state.
“It’s like a vigilant patrol,” said Karickhoff, a Republican. “Once your parcel begins to have robbers, you speak to everyone in the area where you have these robbers. That’s how the alarm bell rings.”
His bill unanimously passed both houses, and Republican Governor Eric Holcomb signed the bill in April.
“This was neither red nor blue,” Karickhoff said. “Everyone knew that this could quickly do a lot of harm. It’s not the responsibility of anyone, even if security measures are in place or still inadequate.”
Despite the magnitude of the problem, most states do not have such statutory requirements, so it is not always possible to warn or strengthen other agencies that may be attacked. But that is starting to change.
This year, North Dakota also enacted a law requiring government agencies to report all cyberattacks, including ransomware, to the state.
West Virginia did the same, but the law stipulates that it must be a “qualified” cybersecurity incident that has a substantial impact on the business performance of government agencies.
In Washington, the legislature has also passed a bill requiring all state agencies to report serious cybersecurity incidents to the state’s cybersecurity bureau.
“That’s new. We recognize that this report is very helpful in understanding what’s going on,” said Pam Greenberg, senior researcher at the National Assembly of Parliament. “It’s a growing awareness of the problem and we’re doing something to deal with it.”
According to Greenberg, all 50 states already have security breach notification laws that require businesses to report data breaches to consumers whose personal information has been leaked. Many states also require government agencies to do the same and to report such violations to the Attorney’s Office or the State Information Technology Office.
However, she pointed out that ransomware and other cyberattacks do not necessarily involve the disclosure of personal information and may not need to be reported.
Ransomware attacks are devastating and can be costly. In Baltimore, for example, hackers disabled thousands of computers in 2019 and demanded a ransom, but city officials refused to pay it. In the end, the attack cost the city at least $18 million, a combination of lost or delayed revenue and system restoration costs.
Indiana’s cybersecurity authorities say it has been working well since the state’s new reporting law came into force on July 1. Five were related to ransomware, 36 were related to compromised email, and the rest were other types of cyberattacks.
The law requires all government agencies to appoint a contact person to report cyber attacks and notify the state IT office of who that person is. So far, about 500 people have registered, Stahl said.
“It’s very useful information to know both what confirms your doubts and what you didn’t know,” Stahl said.
In North Dakota, Michael Gregg, chief information security officer for the state’s IT department, said the new reporting law, which came into force in August, will help strengthen relations between the state and local governments.
“The important thing is to get out and communicate with these entities, partner better with them, and give us another way to provide resources that they may not have,” Gregg said. “You can also go back and understand what lessons you have learned.”
At least one other state paved the way: In North Carolina, cybercriminals have attacked nearly 20 local governments, school districts, and public universities with ransomware attacks since early 2020.
North Carolina cybersecurity authorities know who was attacked and how only because a 2019 state law requires all public authorities to report such incidents to the state.
Lack of data
No one has complete data showing the number of states and municipalities affected by ransomware attacks.
“When we go to Capitol Hill, we are always asked, ‘What are the numbers?’ It’s hard to say because no one holds the statistics and sometimes they aren’t reported.”
In the group’s annual survey last month, state chief information officers overwhelmingly cited ransomware as one of their biggest cybersecurity concerns. If reporting were required in all 50 states, state cybersecurity personnel would be able to help localities with training and other resources, Ward said.
“Cybersecurity is an all-hands-on-deck team sport,” she said. “We tend to have these silos in government, and cybersecurity is one of the issues that can’t continue to be the norm. The problem is too big and the risk is too big.”
From time to time, victims have said they wouldn’t reveal a breach because their cyber insurance company told them not to do so. And sometimes they are just embarrassed.
Alan Shark, Executive Director of the Public Technology Institute, a non-profit organization that provides consulting services to local government information technology executives, said:
“The government loves to talk about transparency and open government, but there is a knee-jerk reaction to refrain as much as possible because they fear that this may hurt their image and make people feel uneasy about the leadership of the organization.”
Mr Shark said he was “confused” about why the state did not require all government agencies to report.
“Obligatory reporting can lead to better security training and monitoring, and the state may provide more proactive measures to assist. This is easy.”
Shark pointed to a major ransomware attack in Texas in 2019, in which 20 cities were targeted at about the same time. Texas authorities developed a team to help governments that were unaware of the other attacks and helped restore their systems.
“I think all public agencies, including K-12, public hospitals and mosquito districts, need to report ransomware,” Shark said. “The impact is huge overall and we need to deal with it.”
A nifty topic
According to experts, local governments may suffer from being forced to send such information to the state.
“Because of state and local autonomy, this can be a very tricky problem. Step on your toes,” said a group of IT professionals. “Some local governments think it can be considered to open that door. If you have to report it to you, what happens next? That’s a big brother-type idea.”
In Indiana, Fort Wayne City Chief Information Officer James Haley called the new mandatory reporting method “reasonable.”
He said it was similar to the type of report his office would do anyway to inform local elected officials and senior staff of the cyber incident.
“I think the information collected will help the people who collect it to effectively summarize and distribute it,” Haley wrote in an email to Stateline.
Kent Croft, chief information officer for the Tippecanoe County Government in Lafayette, Indiana, admitted that many local IT leaders across the state were worried about Big Brother when they first learned of the proposed bill.
“There was a clear concern that it might be too heavy. State IT will come and teach you how to do things,” said Croft. “When I’m involved in IT, I always have that delusion.”
But after much debate among county leaders, state officials, and legislators, Croft said, it turned out to be a good idea for the state to know what’s happening with cyberattacks so that state officials can warn other entities and provide support to the community as needed. But when it comes to cybersecurity, that’s not enough, he added.
“There is a long way to go to educate elected state officials about the importance of this and put some money behind it,” he said.
This article was produced by Stateline, an initiative of The Pew Charitable Trusts. Other Stateline articles can be found at pewtrusts.org/stateline.