Written by Benjamin Freed

As ransomware incidents against state and local governments continue to pile up, officials would likely leap at increased federal assistance for their cybersecurity needs, witnesses at a House Homeland Security Committee hearing said Tuesday.

Cyberattacks can be costly to local governments, whether they replace and rebuild compromised computer systems or pay off a ransom demand, as Riviera City, Florida, did last week when it forked over $600,000 to hackers who successfully infected the 35,000-person municipality with ransomware. In many cases, local governments are simply unprepared to repel sophisticated malware capable of encrypting files and deactivating digital government services.

And major cities can be just as vulnerable as the small ones, as Atlanta Mayor Keisha Lance Bottoms said when she recounted the March 2018 ransomware attack against her city, which disabled government functions ranging from court scheduling to utility-bill payments to police dashboard-camera footage.

“It’s important for federal funding to trickle down to our cities like Atlanta and smaller cities to allow us to be able to buy insurance and build stronger systems,” Bottoms told the panel. “When we experienced our cyberattack, it was clear we were not prepared. We had not made the necessary investments. We were putting patches on gaping holes.”

Before the Atlanta attack, the city’s information technology agency had been faulted in an audit for running nearly 100 servers on version of Windows that Microsoft had stopped supporting years earlier. During the hearing Wednesday, Bottoms said her administration’s refusal to pay a ransom of roughly $51,000 was partly attributable to the city’s need for an upgrade.

“The reason we did not pay is because we knew we needed to build a safer, stronger system,” she said. To date, Bottoms continued, Atlanta has spent $7.2 million recovering from the March 2018, and will likely spend much more — estimates have gone as high as $17 million. The cost of a ransomware attack last month against Baltimore could eventually top $18 million, officials there have said.

Short supply

No new funding was proposed at the hearing, but multiple committee members said they plan to file legislation soon that would expand federal support for state and local cybersecurity efforts.

“As any city official who has recovered from one of these cyber disruptions can tell you, the aftermath can have a hefty price tag,” said Rep. Cedric Richmond, D-La., who chairs the Homeland panel’s cybersecurity subcommittee. “This is a drain on taxpayer dollars, time, and labor — all of which are in short supply at the state and local levels.”

But federal aid to state and local governments explicitly for cybersecurity is in short supply compared to other assistance programs. Frank J. Cilluffo, the director of Auburn University’s McCrary Institute for Critical Infrastructure Protection and Cyber Systems, said just 4 percent of funds distributed by the Homeland Security Grant Program is directed toward bolstering cybersecurity, while most go toward counterterrorism and natural-disaster preparedness and response.

Richmond said he is working on a “comprehensive package” to give state and local governments more information security resources. So did the subcommittee’s ranking member, New York Republican John Katko, who said he plans to introduce a bill creating two new grant programs focused on protecting critical network architecture and training staff on responding to cyberattacks. The Senate Homeland Security Committee recently passed a bill aimed at boosting state and local cybersecurity, but Katko’s office told StateScoop his bill is unrelated.

Local investment also needed

Still, additional federal money is only one component of shoring up state and local governments’ security needs, the panelists at Tuesday’s hearing said.

“Simply throwing money at the problem is not the answer,” Cilluffo said.

And Thomas Duffy, the senior vice president of the nonprofit Center for Internet Security, which operates the Multi-State Information Sharing and Analysis Center, said any new cybersecurity grants should prioritize support for partnerships between state and local governments, which he said can be “force multipliers” that reach smaller communities with limited IT resources of their own.

“Our success or failure will be determined by our ability to work together at all levels of government,” he said.

But House members also said the federal government cannot pay for new cybersecurity initiatives entirely on its own.

“One of my concerns is that federal investments will supplant, rather than complement state and local funding,” said Jim Langevin, D-R.I. “How can we better ensure cybersecurity is a priority for leadership in state and local governments?”

Cilluffo said federal grants should require states to put up matching funds. Doing so, he said, would help states bring up the overall percentage of their IT budgets that they commit toward cybersecurity from the 1 to 2 percent average that was reported last year by the National Association of State Chief Information Officers. Bottoms concurred.

“The way we seek matching funds for transportation projects, I think that would be a great opportunity for cities,” she said. “It would also encourage us to invest more on our end.”

‘A 180’ in Atlanta

Following the hearing, Bottoms told StateScoop that Atlanta’s experience has been instructive to other cities experiencing ransomware attacks and that she and her chief information officer, Gary Brantley, have consulted their counterparts elsewhere on what steps to take to mitigate the financial toll.

“You don’t ever anticipate it happens, but when it does it’s a substantial, immediate hit to your budget,” Bottoms said.

She also said cities should not hesitate to bring in outside help when the internal IT staff is overwhelmed. “It’s sort of like trying to triage yourself,” she said.” You may not appreciate your vulnerabilities because they’re yours. You need a third party to help assess and call in on your state and local partners as well.”

In the 15 months since Atlanta’s ransomware incident, Bottoms said the city has completed a migration to a cloud platform that replaced the servers compromised in the attack. “We’ve done a 180,” she said.

But it’s still been a costly process that other local governments might not be able to afford, Bottoms warned, raising the need for more federal attention.

“It is very encouraging just to have [Congress’] interest in cities and ways they can assist,” she said. “We’re seeing that as more and more entities are being attacked, we’re very vulnerable and we just don’t have the resources to put into our cyber infrastructure the way we do our sidewalks and roads.”