[BreachExchange] Florida lawmakers want a ‘no negotiation’ policy with ransomware attackers

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Feb 4 09:56:32 EST 2022


https://www.tampabay.com/news/florida-politics/2022/02/03/florida-lawmakers-want-a-no-negotiation-policy-with-ransomware-attackers/

TALLAHASSEE — Florida’s cities and counties have paid out millions of
dollars to hackers who infiltrate their systems and hold critical data
hostage.

Now some state lawmakers want them to adopt a policy on hackers usually
reserved for terrorist organizations: refuse to negotiate.

A bill moving through the House of Representatives would ban local
governments from paying attackers in ransomware cases, a growing form of
hacking that uses malware intended to extort money or other ransom by
encrypting files on a victim’s computer or network.

The attacks have hit cities across the state. When a Riviera Beach police
employee opened an email in 2019, it led to a shutdown of the city’s email,
phones, police records, even the library. Although the FBI recommended
against it, the city paid 65 bitcoins, worth about $600,000, to recover the
records.

Broward County’s school district, the sixth-largest in the nation, was hit
last year. The hackers demanded $40 million. When the county offered
$500,000, hackers from the Russia-based Conti malware group leaked nearly
27,000 accounting files and personal data on students and employees.

“We have to ask, should we allow taxpayer dollars to be financiers of
terrorist organizations to our foreign adversaries?” bill sponsor Rep. Mike
Giallombardo, R-Cape Coral, said Thursday. “If we continue to enable this,
we’re creating the market.”

The idea to refuse to negotiate is part of a larger plan lawmakers are
considering to address the state’s cybersecurity shortfalls as threats have
skyrocketed during the pandemic.

Giallombardo’s bill, which passed in its first committee unanimously
Thursday, would require state and local governments to report incidents to
a new State Watch Office and require state and local employees to undergo
annual cybersecurity training.

The state Senate is not advancing similar legislation, but it is
considering outsourcing the state’s data center and assigning 25 new
positions to the state’s chief information officer, Jamie Grant. Grant, a
former lawmaker with little experience in information technology, has
overseen a state technology office that has lost a number of cybersecurity
experts and struggled to spend $30 million in cybersecurity funding from
the Legislature last year.

The House wants to increase that to $50 million this year, plus devote $30
million in grants to help local governments navigate cyberattacks and $30
million to help them train employees.

Other states have adopted laws banning ransomware payments by public
entities, although experts are mixed on whether it’s a good strategy. The
FBI recommends not paying and notes that attackers don’t always hold up
their end of the bargain when they are paid.

No one spoke against the House’s plan, but state lawmakers said they’ve
heard from city officials who feel they have to pay the ransoms to retrieve
critical data.

Giallombardo said the goal is to prevent them from needing to pay in the
first place, by requiring them to adopt cybersecurity standards that
include data backups and offering money and assistance for training and
response to attacks.

“When you can train the clerk at the front of the desk, at the front
office, not to click those links, that ... reduces your risk tremendously,”
Giallombardo said.

Ransomware attacks have been effective against local governments, which
have thin budgets and hardware and software that can be badly out of date.
Three months before it was attacked, for example, Riviera Beach officials
agreed to spend $800,000 to improve a computer security system so outdated
the company that made it no longer supported it. The upgrades didn’t
prevent the attack because they weren’t installed in time, according to the
Palm Beach Post.

Florida’s state agencies also have not been immune from attacks.

Since 2020, the state’s top regulatory agency was taken offline by a
cyberattack, data on thousands of applicants for children’s health
insurance was exposed by a state vendor, and Social Security numbers and
bank information on more than 58,000 unemployment applicants was stolen.

Almost every aspect of state government is dependent on technology, but
Florida has had longstanding struggles with coordination and oversight of
its technology projects and has faced public failures in recent years.

The state is now on its fourth iteration of a state technology office in
two decades. For years, it was one of the only states in the nation without
a chief information officer. Most of the chief information officers it
appointed had limited backgrounds in technology.