The word “ransomware” has become synonymous with the healthcare industry, but government ransomware attacks are a growing threat.

Over the past year, the healthcare industry has been battered by an epidemic of ransomware attacks. The problem has become so ubiquitous that it is making their way into works of fiction: A ransomware attack on a hospital in a major city is the focus of an upcoming episode of the NBC drama Chicago Med. However, a new study by security ratings firm BitSight reveals that the number-one target for ransomware is the education industry, followed by the government sector. In fact, BitSight reports, government ransomware attacks have tripled over the past 12 months.

Among the high-profile government ransomware attacks that have grabbed headlines over the past few months:

• In January, hackers installed ransomware on a police closed-circuit surveillance camera network in Washington, D.C., disabling 70% of the cameras only eight days prior to President Donald Trump’s inauguration.
• In March, ransomware disabled the IT network used by the Pennsylvania State Democratic Caucus, locking 16 senators and their staff out of the system and throwing the caucus’ website offline.
• In late January, several local government offices in Ohio were hit by ransomware, including a county police force and 911 center, forcing the 911 center to operate in manual mode and lengthening emergency response times.
• A new twist on government ransomware has recently been targeting public sector organizations in the Middle East; instead of being instructed to pay a ransom to unlock their networks, victims are being extorted to post inflammatory public statements against various political figures.

Why the Public Sector is Being Targeted

Government agencies are attractive ransomware targets for many of the same reasons medical facilities and schools are. Their networks store and process reams of highly sensitive data; public sector employees suffer from the same lack of security training and awareness that plague the private sector; and an inability to access a government network could put people’s lives at stake, as in the case of the 911 center in Ohio.

Government bureaucracy exacerbates the problems. While it may not be easy for IT personnel at a private-sector corporation to convince the C-suite they must invest in cyber security improvements – just ask anyone who worked at Yahoo! – nailing down an appropriate security budget can be even more difficult at a government agency. Not only must public-sector IT employees argue their case to their bosses, but also, the general public, the taxpayers whose money will be used to fund these improvements, have to be convinced. As the Pew Research Center recently found, very few Americans have even a fundamental grasp of cyber security risks and best practices, creating a situation where elected figures are asking their constituents to fund services they do not fully understand and may not see a need for. The government machine also tends to move very slowly; public sector agencies have always been notorious for being years behind the private sector in adopting new technologies.

Not surprisingly, BitSight ranks the government sector second-to-last in its security ratings.

Cyber Security is Not a Partisan Issue

There are some bright spots in the fight against government ransomware and other cyber attacks against the private sector. Virginia Governor Terry McAuliffe (D) has made cyber security the focal point of his chairmanship of the National Governors Association. The association’s winter meeting in February put a heavy emphasis on the need for state and federal governments to work together to improve their cyber security postures.

Government ransomware attacks are not a partisan issue, and there is no such thing as an agency that is “too small” to be victimized. A series of small cyber attacks could be employed by terrorists to create confusion and distraction as part of a much larger real-world terrorist attack. Attacks against the public sector, whether a federal government agency or a local police department, are everyone’s problem. Waiting until an attack happens and attempting to clean up the mess doesn’t work in the private sector, and it certainly doesn’t work when critical infrastructure such as a 911 system is hampered or disabled. Government agencies of all sizes must take the ransomware threat seriously and employ proactive cyber security measures to prevent their systems from being victimized.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.