Ransomware has steadily become one of the most pervasive cyberattacks in the world. And while high-profile global meltdowns like 2017’s NotPetya strain garner the most attention, localized attacks have devastating consequences as well. Look no further than the cities of Atlanta and Baltimore, whose online operations ground to a halt after ransomware takeovers. Or more recently, Alabama’s DCH Health Systems, which had to turn away all but the most critical patients from its three hospitals after hackers seized control of their networks.
The attacks affect communities both large and small. In fact, victims often aren’t even specifically targeted. Hackers have increasingly focused on so-called managed service providers, companies that remotely handle IT infrastructure for a wide range of customers, to get the highest return on their investment. Successfully compromise one MSP, and you can hit nearly two-dozen local Texas governments, as one recent example proved.
It’s the kind of large-scale problem that would benefit from a large-scale solution. Yet despite the clear and pervasive danger, Congress seems stumped.
“There’s a gap between the focus and resources here in Washington and what happens in a town of 200,000 people,” representative Jim Himes (D-Connecticut) tells WIRED.
While Himes, a member of the House Intelligence Committee, is concerned about the rise in these brazen attacks, he also sees fundamental limitations in the federal government’s ability to help stop hyper-local attacks.
“There’s only so much the federal government can do to encourage municipalities to patch their software and update their equipment, that sort of thing,” Himes says.
Last month the Senate passed a bill that would force the Department of Homeland Security to set up “cyber hunt” and “cyber incident response” units, including bringing in experts from the private sector, to help ward off attacks or to help respond after an entity is hit. But even one of that bill’s main sponsors, senator Maggie Hassan (D-New Hampshire), is now calling for the Government Accountability Office to conduct a top-to-bottom review of the federal government’s programs aimed at helping localities and entities crippled by these ransomware attacks.
“The federal government must do more to help state and local governments prevent and respond to cyberattacks, and this report will give us a key tool to identify how the federal government is doing in this task, and what more can be done,” Hassan said in a statement accompanying the release of her letter to the GAO.
The letter itself reveals the mysterious depth of this growing problem: Congress and the agencies tasked with protecting American’s security are basically clueless when it comes to even understanding the scope of the problem.
While Congress still lacks a tangible plan to help mitigate the impact, some members at least seem to be increasingly aware of the issue.
When WIRED broached the topic of recent ransomware attacks against Connecticut school districts back on July 16, neither of that state’s senators really knew about the problem that had gripped their own constituents. But when asked again recently, senator Richard Blumenthal (D-Connecticut) acknowledged the stakes of the growing problem.
“I’m beginning to hear it very loudly and clearly from officials that they are feeling isolated, alone, [and] incapable of responding,” Blumenthal said last month.
The senator’s newly acquired knowledge on the topic may stem from the spike in high-profile ransomware attacks that have struck communities in Arizona, Oklahoma, Virginia, New York and Texas, just to name a few.
“Ransomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities,” Blumenthal said. “There’s an urgency and an immediacy.”
Blumenthal’s now calling for the federal government to provide states with technical expertise on ways to defensively combat these attacks, outlines of a potential strategy to respond to such an attack. (Even seemingly straightforward questions like whether to pay the ransom or hold out remain divisive.) Blumenthal has also called for moving taxpayer dollars from Washington to localities so they can secure and harden their systems. The Pentagon may be fortified against foreign cyberintrusion, but local school districts and municipalities now face sophisticated attacks from hackers or foreign entities that many policymakers view as an attack on America itself.
But it’s not an easy issue for lawmakers of all stripes, especially when hackers have an economically crippling cannon pointed at the infrastructure girding up these locals. And cybersecurity is pricey, which is why the federal consensus seems to be to assist localities as opposed to centralizing the protections these towns, school districts, and even hospitals seem to need.
“Right now we have to make sure that we have a system and to help train and support all our local municipalities, but the federal government doesn’t have enough money to step in every time there’s a ransomware [attack],” representative Dutch Ruppersberger (D-Maryland) told WIRED.
He argues—even if the actors are foreign states—the burden isn’t national, merely local.
“Eventually they’re going to add more money into their technology programs to exist—that’s a part of doing business—and will be,” Ruppersberger said. “But we have to train them to make sure they have the right people, so when this comes we can help them.”
But the localities, school districts, and hospitals that have been hit hardest by ransomware attacks have been crying out for federal help. Currently the Department of Homeland Security issues warnings and offers advice, like keeping systems backed up and installing software to help prevent an intrusion. But local officials or even hospital administrators often lack either the awareness or the resources to implement those suggestions. Once an entity is hit, the FBI provides resources, like helping trace the attack or even trying to recover whatever data is recoverable—which often isn’t that much—but at that point it can be too late.
That’s why some federal lawmakers are trying to spur federal agencies to provide more assistance and even direction, before ransomware claims even more victims that could have avoided that fate with a little extra help.
- WIRED25: Stories of people who are racing to save us
- Massive, AI-powered robots are 3D-printing entire rockets
- Ripper—the inside story of the egregiously bad videogame
- USB-C has finally come into its own
- Planting tiny spy chips in hardware can cost as little as $200
- 👁 Prepare for the deepfake era of video; plus, check out the latest news on AI
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones.
