Ransomware has steadily become one of the most pervasive cyberattacks in the world. And while high-profile global meltdowns like 2017’s NotPetya strain garner the most attention, localized attacks have devastating consequences as well. Look no further than the cities of Atlanta and Baltimore, whose online operations ground to a halt after ransomware takeovers. Or more recently, Alabama’s DCH Health Systems, which had to turn away all but the most critical patients from its three hospitals after hackers seized control of their networks.
The attacks affect communities both large and small. In fact, victims often aren’t even specifically targeted. Hackers have increasingly focused on so-called managed service providers, companies that remotely handle IT infrastructure for a wide range of customers, to get the highest return on their investment. Successfully compromise one MSP, and you can hit nearly two-dozen local Texas governments, as one recent example proved.
It’s the kind of large-scale problem that would benefit from a large-scale solution. Yet despite the clear and pervasive danger, Congress seems stumped.
“There’s a gap between the focus and resources here in Washington and what happens in a town of 200,000 people,” representative Jim Himes (D-Connecticut) tells WIRED.
While Himes, a member of the House Intelligence Committee, is concerned about the rise in these brazen attacks, he also sees fundamental limitations in the federal government’s ability to help stop hyper-local attacks.
“There’s only so much the federal government can do to encourage municipalities to patch their software and update their equipment, that sort of thing,” Himes says.
“There’s an urgency and an immediacy.”
Senator Richard Blumenthal
Last month the Senate passed a bill that would force the Department of Homeland Security to set up “cyber hunt” and “cyber incident response” units, including bringing in experts from the private sector, to help ward off attacks or to help respond after an entity is hit. But even one of that bill’s main sponsors, senator Maggie Hassan (D-New Hampshire), is now calling for the Government Accountability Office to conduct a top-to-bottom review of the federal government’s programs aimed at helping localities and entities crippled by these ransomware attacks.
“The federal government must do more to help state and local governments prevent and respond to cyberattacks, and this report will give us a key tool to identify how the federal government is doing in this task, and what more can be done,” Hassan said in a statement accompanying the release of her letter to the GAO.
The letter itself reveals the mysterious depth of this growing problem: Congress and the agencies tasked with protecting American’s security are basically clueless when it comes to even understanding the scope of the problem.
While Congress still lacks a tangible plan to help mitigate the impact, some members at least seem to be increasingly aware of the issue.
When WIRED broached the topic of recent ransomware attacks against Connecticut school districts back on July 16, neither of that state’s senators really knew about the problem that had gripped their own constituents. But when asked again recently, senator Richard Blumenthal (D-Connecticut) acknowledged the stakes of the growing problem.
“I’m beginning to hear it very loudly and clearly from officials that they are feeling isolated, alone, [and] incapable of responding,” Blumenthal said last month.
The senator’s newly acquired knowledge on the topic may stem from the spike in high-profile ransomware attacks that have struck communities in Arizona, Oklahoma, Virginia, New York and Texas, just to name a few.
“Ransomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities,” Blumenthal said. “There’s an urgency and an immediacy.”
Blumenthal’s now calling for the federal government to provide states with technical expertise on ways to defensively combat these attacks, outlines of a potential strategy to respond to such an attack. (Even seemingly straightforward questions like whether to pay the ransom or hold out remain divisive.) Blumenthal has also called for moving taxpayer dollars from Washington to localities so they can secure and harden their systems. The Pentagon may be fortified against foreign cyberintrusion, but local school districts and municipalities now face sophisticated attacks from hackers or foreign entities that many policymakers view as an attack on America itself.