Login

***harlan4096*** · 13 December 19, 11:17

Quote:

This report was originally scheduled to be published on January 1st, 2020. We have, however, decided to release it immediately due to a recent incident in which a ransomware attack may have resulted in a municipal government’s data falling into the hands of cybercriminals. We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked. We hope that releasing this report early will help kickstart discussions and enable solutions to be found sooner rather than later. Those solutions are desperately needed. The numbers contained in the report will be updated in the New Year and, unfortunately, will almost certainly be greater than the numbers currently stated.

What happened?

In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. The impacted organizations included:

* 103 federal, state and municipal governments and agencies.
* 759 healthcare providers.
* 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.

The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.

* Emergency patients had to be redirected to other hospitals.
* Medical records were inaccessible and, in some cases, permanently lost.
* Surgical procedures were canceled, tests were postponed and admissions halted.
* 911 services were interrupted.
* Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
* Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
* Surveillance systems went offline.
* Badge scanners and building access systems ceased to work.
* Jail doors could not be remotely opened.
* Schools could not access data about students’ medications or allergies.

Quote:“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better. ” — Fabian Wosar, CTO, Emsisoft.

Other effects of the incidents included:

* Property transactions were halted.
* Utility bills could not be issued.
* Grants to nonprofits were delayed by months.
* Websites went offline.
* Online payment portals were inaccessible.
* Email and phone systems ceased to work.
* Driver’s licenses could not be issued or renewed.
* Payments to vendors were delayed.
* Schools closed.
* Students’ grades were lost.
* Tax payment deadlines had to be extended.

This report examines the cost and the causes of the incidents, discusses the courses of action that should be taken and breaks down the numbers by sector.

What was the cost?

Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by Winnebago County’s Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”

We cannot comment on the accuracy of that statement but, if correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. While we believe this overstates the actual costs – a small school district’s recovery expenses are unlikely to run to seven figures – it nonetheless provides an indication of the enormous financial impact of these incidents.

It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.

Why did it happen?

Ransomware incidents increased sharply in 2019 due to organizations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organizations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.

A report issued by the State Auditor of Mississippi in October 2019 stated there was a “disregard for cybersecurity in state government,” that “many state entities are operating like state and federal cybersecurity laws do not apply to them,” and identified problems including:

* Not having a security policy plan or disaster recovery plan in place.
* Not performing legally mandated risk assessments.
* Not encrypting sensitive information.

The report also stated that “Over half of the respondents were less than 75 percent compliant with the Enterprise Security Program.” The program establishes minimum security requirements and compliance is required by law.

It should be noted that only a minority of states conduct statewide audits and, despite the multiple serious deficiencies that Mississippi’s audit identified, it was nonetheless one of the states least affected by ransomware in 2019. This gives rise to an obvious question: would audits in other states reveal that their security is even worse?

A 2019 University of Maryland, Baltimore County research report based on data from a nationwide survey of cybersecurity in U.S. local governments stated that “Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it,” and that “Local governments as a whole do a poor job of managing their cybersecurity.” The issues identified included:

* Just over one-third did not know how frequently security incidents occurred, and nearly two-thirds did not know how often their systems were breached.
* Only minorities of local governments reported having a very good or excellent ability to detect, prevent, and recover from events that could adversely affect their systems.
* Fewer than half of respondents said that they cataloged or counted attacks.
...

Login
Username/Email:
Password:	Lost Password?
	Remember me