It’s not easy being a geek.
Your local government information technology professional may not be sleeping well every night.
Together, these men and women form an embattled army, forever trying to keep at bay canny and invisible cyber criminals and their ever-changing tricks.
“The wolf is always at the door,” Roanoke County IT Director Bill Hunter said. “If you block one thing, they’re coming after you with another.”
These days, the wolf is a kidnapper, looking to take your city, county or town government hostage. Not the people, but the data — your data.
Local governments — from major cities to tiny hamlets — are the newest targets of an older form of cyberattack: ransomware. Hackers sneak malware into a government’s computer network, seize control of it and encrypt all its data, locking the system’s owners out — until they pay a ransom.
And the price is going up.
Hackers are targeting local governments because limited resources make them more vulnerable than corporations, they hold rich troves of data, including on taxpayers, and now that most governments carry insurance policies covering cyberattacks, they have deep pockets, too.
Governments from Baltimore and Atlanta to the tiny city of Lake City, Florida, population 12,000, have suffered ransomware attacks in recent months, according to reports in media, including in the New York Times.
The ransoms have increased, and governments are sometimes paying them — to the tune of hundreds of thousands of dollars. Lake City’s insurer turned over more than $460,000 in cryptocurrency.
It’s become the latest buzz among the government IT set — and insurers who cover governments for such attacks.
“We are low-hanging fruit for any significant cybersecurity threat or cybersecurity actor,” said John Harrison, Franklin County IT director.
The Roanoke Times contacted 13 city, county and town governments and school systems in the Roanoke and New River valleys for this story. Some, such as Roanoke and Pulaski County, declined to answer any questions about their cybersecurity and infrastructure or insurance coverage for fear they might make themselves a target for hackers.
“We don’t want this to be some kind of throw down the gauntlet,” Roanoke Schools Superintendent Rita Bishop said. “We don’t want them [the hackers] to try to see who’s better.”
While none said they’d suffered a significant ransomware attack, all said they remain constantly vigilant against new and evolving threats.
Yet no system is foolproof, Hunter acknowledged. “That’s the stuff that keeps me awake at night.”
Seeking richer targets
Ransomware has been around for three or four years, according to David Raymond, director of Virginia Cyber Range, a cybersecurity education group. But initially it targeted individuals, locking up their computers and demanding a few hundred dollars.
The mode of attack was enabled by the creation of cryptocurrencies such as bitcoin, which allow almost untraceable money transfers, to pay the ransom, Raymond said.
The problem was, so few people had the means to pay a ransom via bitcoin, and many individual users were willing to just give up their data and move on, he said.
So the hackers moved on to richer targets, such as health care systems and others that had precious data, money and the technical expertise to pay using a cryptocurrency.
Raymond said he figured governments would become a target as soon as a profit motive developed. They hold data on all of their taxpayers and employees. He thinks cyber risk insurance could be a catalyst in the recent spate of attacks.
“It’s pretty difficult to secure a city,” Raymond said.
“Sadly the piece that’s lacking is the staff and executive management awareness of the importance of cybersecurity,” said Harrison, Franklin County IT director. Government IT staffs are typically too small and underfunded, yet trying to compete to draw talent away from private sector jobs that pay more, he said.
When it comes down to where to spend taxpayers’ money, Raymond said, needs that are visible to taxpayers sometimes win the day.
“People aren’t going to see the cyber system isn’t protected whereas people do see the potholes in the road,” he said.
Raymond described some security protocols governments should follow: segmenting networks so if hackers breach one part of the system, they can’t get to the other parts. Backing up their data off-site so that if there’s an attack, they still have access to what’s been encrypted and can restore their system. And training staff not to fall for tricks like “phishing” emails that entice someone on the network to click a seemingly harmless link that really just allows the hackers access to the government’s network.
Every government official who responded to questions for this story described a robust cybersecurity effort, including the measures Raymond described, and ongoing assessment and training of staff to protect their data.
“It permeates the thinking around here at least once a day,” said Bishop, Roanoke Schools superintendent.
But the assaults they must fend off are constant.
Daily assaults
In one week alone, Roanoke County’s firewalls flagged more than 10,000 suspicious attempts to interact with their systems.
None of those got through. “But not for a lack of trying,” said Hunter, the IT director there.
“Montgomery County successfully prevents constant attacks that hit our firewall daily,” said spokeswoman Jennifer Harris.
Firewalls, spam filters, segmented networks and frequent and redundant backups are commonplace among governments interviewed, as was use of outside vendors for security and reviews by agencies to make sure protections are up to snuff.
Botetourt County last year was reviewed by the Virginia National Guard cybersecurity unit. Franklin and Montgomery counties both work with the federal Department of Homeland Security. Franklin also partners with the Center for Internet Security, and Montgomery County’s aim is to meet standards from the National Institute of Standards and Technology.
Technology can only go so far, though, and the real vulnerability often proves to be not the network, but the people who use it. Phishing attacks are the means by which ransomware typically penetrates networks.
Experts call it one aspect of social engineering — schemes to trick people into revealing their data.
So staff training is a large part of a government’s defense system.
A common method is penetration testing. Staffers are sent benign phishing emails to see if they’ll click an unsafe link and expose their network.
In Botetourt, the National Guard team walked around the office like civilians and asked employees for information to see if they’d share it.
IT leaders in the Roanoke and New River valleys were generally comfortable their networks are protected, but cautioned against being too comfortable and failing to stay up to date with what hackers are up to.
“You never know what sort of zero-day vulnerability is going to be disclosed tomorrow,” said Patrick Morton, technology manager for Salem, “and, suddenly, you’re vulnerable again.”
An escalating concern
In October 2017, a malware attack shut down email, phone and computer networks in the Roanoke City Public Schools system for several days.
“We never lost student data,” Bishop said. “It was much more of a mass inconvenience, a really big pain, but we got through it.”
Last fall, a phishing attack on the town of Christiansburg compromised email accounts with some personally identifiable information of members of the public, causing the city to offer free credit monitoring to 909 people.
But to date, those are the most serious cyberattacks reported by area governments.
Ransomware attacks in particular were almost unheard of.
Roanoke County experienced two narrow ransomware attacks. Both were years ago, and only a limited number of files on individual accounts were affected.
VaCORP insures 550 governments, authorities and the like in Virginia, and cyber insurance is a basic part of their coverage now. But administrator Chris Carey said since 2015 they’ve handled just 17 claims in that area, and paid a total of less than $300,000 in claims. None dealt with ransomware. Most were for wire transfer fraud.
In the same period, VaCORP handled 15,000 workers compensation claims and 9,000 automobile claims, and paid out $60 million.
Cyber issues aren’t really “moving the needle for us,” Carey said, but it is enough to be on their radar.
“I’ve been told to get a bitcoin wallet so that I can pay a ransom,” he said.
VaCORP’s policies come with a standard $500,000 of coverage. Clients can add more, with premiums based on the size of the locality. Franklin County, for example, carries $5 million in cyber risk liability coverage at a cost of $15,000 per year.
To date, Carey said, fewer than half of VaCORP’s policy holders have bought additional coverage.
But Carey sees a rise in the potential for cyber claims on the horizon, and is working with cybersecurity experts to develop a survey of their clients to help them identify ways to improve their defenses, and also help VaCORP figure out how to price its coverage appropriately.
With so few claims, he said, it’s hard to know if the premiums are where they should be — especially if the company has to start paying ransoms that run up to a half million dollars.
Fundamentally, cyber risk insurance must work like any other coverage, Carey said. A local government can invest in better security for itself, and keep a lower premium. But if it doesn’t, the premium is going to go up, and more so if there are claims.
While it’s prudent for local governments to be insured, there’s also the reality that insurance may actually invite the attacks because there’s money to be had.
Insurance “would definitely make this more lucrative to hackers trying to leverage money out of cities,” said Raymond, with Virginia Cyber Range.
Carey said there’s also an unresolved question of sovereign immunity — the facet of law that often holds government harmless from lawsuits when its actions hurt citizens.
If a government compromises your data, and you’re hurt financially by it, is the government obligated to compensate you? Carey said that question is untested in Virginia courts.
Asked if they would pay ransom, government officials around here said it would depend on the specific circumstances and would involve law enforcement. None strictly ruled it out.
‘A business decision’
Raymond said it’s a calculation of how much the ransom is compared to the government’s ability to restore its own data and at what cost.
“There’s lots of talk around, ‘Don’t pay off the terrorists,’ basically,” Raymond said, but he’s not going to judge any government for doing the math. “It’s a business decision.”
Some governments said there’s no guarantee paying a ransom gets your data back.
“How would you know that they were out of your system?” Hunter, of Roanoke County, asked. “There’s all kinds of bad stuff that can be put in there.”
Raymond said the hackers have an incentive to do what they say they’ll do.
“These guys aren’t stupid, right? And their customer service is quite good,” he said. “If you pay the ransom, you’re going to get your stuff back, because if you don’t, the next people aren’t as likely to pay.”
And while ransomware is the hot concern now, it’s new, and may give way to something else.
“It used to be viruses,” noted Harris, the Franklin County IT director. Viruses are still around, “but you don’t see people running down the hallway with their hair on fire screaming ‘We’ve got a virus.’ Now it’s, ‘Oh my god, what happens if ransomware comes?’ ”
All governments can do is guard against the greatest risks the best they can with the resources they have, he said. And there are going to be holes.
“So it’s a never ending game of assessing risk and managing your resources to try to mitigate the most prominent risk,” he said.
“Today the most prominent risk is ransomware, strictly because that is the most common attack vector today. That may not be the most common attack vector next week.”
Staff writers Andrew Adkins, Casey Fabris, Alison Graham, Alicia Petska, Yann Ranaivo and Sam Wall contributed to this report.