GAO: Feds Struggle to Collaborate When Ransomware Hits Local Governments

When ransomware hits local governments, authorities usually appeal to the federal government.

But while federal agencies provide key support to state, local and tribal governments affected by ransomware, their misalignment in some cases has hampered response efforts, according to a report released by the Government Accountability Office (GAO) this week.

In one example highlighted in the report, an entity affected by a nation-state cyberattack called the FBI’s 24-hour incident response number, but the call “went to voicemail immediately,” and the agency never responded. The lack of response from the FBI — which is the agency responsible for investigating and assisting with nation-state attacks — hampered the locality’s ability to analyze the attack, the GAO found.

The watchdog recommended on Tuesday that the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Secret Service work to better communicate their responsibilities with each other and with local governments that need their help.

These local governments have reported more than 2,800 ransomware incidents to the Multi-State Information Sharing and Analysis Center (MS-ISAC) – a free security cooperative run in partnership with CISA and the Center for Internet Security – from January 2017 to March 2021, according to the report.

But finding help can be tricky.

CISA, the FBI, and the Secret Service “have not demonstrated that they have agreed to a decision-making process when collaborating on ransomware assistance,” the report said, adding that this led to confusion and inconsistency. “Furthermore, once another federal agency is involved, the decision-making process between the two agencies remains unclear due to the lack of agreed-upon incident handling procedures.”

The GAO concluded that the three agencies “failed to address aspects of six of seven key interagency collaboration practices in their ransomware assistance to state, local, tribal, and territorial governments.”

The watchdog agency conducted interviews with representatives of 6 national organizations related to the functioning of state and local governments and 13 state, local, tribal and territorial governments as part of the survey. All national organizations and 11 governments “reported difficulty identifying federal prevention and response services that were available” for ransomware attacks.

CISA, the FBI, and the Secret Service all collect and share intelligence on ransomware threats facing local governments. In the event of an incident, CISA and MS-ISAC “provide technical assistance such as forensic analysis of the attack and recommended mitigation measures,” while the FBI and Secret Service “primarily collect evidence to conduct criminal investigations and attribute attacks,” according to the GAO report.

But not every local government victimized by ransomware knows how to access this help, or even that it exists.

For example, “two public school districts that suffered a ransomware attack said they were unaware of the resources made available to them by the federal government,” according to the report.

Technical support

Despite these communication and collaboration issues, federal agencies provide significant technical support to local governments facing ransomware attacks, especially for smaller agencies with little in-house expertise.

In one case described in the report, a county with a single IT staff member lost control of its emergency services due to a ransomware attack, forcing it to redirect communications to a neighboring county.

“MS-ISAC assistance shortened downtime and enabled the county to respond without paying the ransom or a contractor for recovery services,” the report notes.

In another incident involving ransomware affecting a county’s emergency services, local personnel were able to respond quickly with advance training and guidance from CISA. The county then turned to the agency for help, and CISA “assisted the county in terminating the connection to isolate the attack, quickly analyzing the forensic data, and providing a full report within hours of the day of the incident,” according to the GAO.

“The report is generally positive and, perhaps, more positive than such a report would have been several years ago,” Brett Callow, a threat analyst at Emsisoft who tracks ransomware, told The Record. “Having said that, it certainly looks like there is room for improvement and I hope the agencies act accordingly,” he added.

In a letter responding to the appended report, the Department of Homeland Security — home to CISA and the Secret Service — accepted the GAO’s recommendation to improve collaboration between the three agencies. A Justice Department representative agreed with the GAO’s recommendation for the FBI via email, according to the report.

Andrea (they/them) is a senior policy correspondent at The Record and a longtime cybersecurity reporter who cut their teeth covering technology policy at ThinkProgress (RIP) and then The Washington Post from 2013 to 2016, before doing investigative research on public records at the project on Government Surveillance and American Surveillance. Their work has also appeared on Slate, Politico, The Daily Beast, Ars Technica, Protocol and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.
