GAO: Feds struggle to collaborate when ransomware strikes local governments

When ransomware strikes local governments, officials usually call in the feds. 

But while federal agencies provide key support to state, local, and tribal governments hit with ransomware, their misalignment in some cases has hindered response efforts, according to a report released by the Government Accountability Office (GAO) this week. 

In one example highlighted in the report, an entity hit by a nation-state cyberattack called the FBI’s 24-hour incident response number, but the call “went immediately to voicemail” and the agency never responded. The lack of response from the FBI — which is the agency responsible for investigating and assisting with nation-state attacks — hindered the locality’s capacity to analyze the attack, GAO found.

The watchdog agency recommended on Tuesday that the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Secret Service work to better communicate their responsibilities with each other and local governments who need their help. 

Such local governments reported more than 2,800 ransomware incidents to the Multi-State Information Sharing and Analysis Center (MS-ISAC) — a no-cost security cooperative run in partnership with CISA and the Center for Internet Security — from January 2017 through March 2021, per the report.

But figuring out how to get help can be complicated. 

CISA, FBI, and the Secret Service “have not demonstrated that they jointly agreed on a process for making decisions when collaborating on ransomware assistance,” the report said, adding this led to confusion and inconsistency. “Further, once another federal agency is involved, the decision making process between the two agencies remains unclear due to the lack of agreed upon incident handling procedures.”

GAO concluded that the three agencies “have not addressed aspects of six of seven key practices for interagency collaboration in their ransomware assistance to state, local, tribal, and territorial government.” 

The watchdog agency conducted interviews with representatives from 6 national organizations related to state and local government operation and 13 state, local, tribal, and territorial governments as part of the investigation. All of the national organizations and 11 of the governments “reported difficulties identifying the federal prevention and response services that were available” for ransomware attacks. 

CISA, FBI, and Secret Service all collect and share information about ransomware threats facing local governments. In the event of an incident, CISA and MS-ISAC “provide technical assistance such as forensic analysis of the attack and recommended mitigations,” while the FBI and Secret Service “primarily collect evidence to conduct criminal investigations and attribute attacks,” per the GAO report. 

But not every local government victimized by ransomware knows how to access that help, or that it even exists. 

For example, “two public school districts that experienced a ransomware attack stated that they were not aware of resources available to them from the federal government,” according to the report. 

Technical back-up 

Despite these communication and collaboration problems, federal agencies provide important technical support to local governments facing ransomware attacks — especially for small agencies with little in-house expertise. 

In one instance described in the report, a county with a single IT staffer lost control of its emergency services due to a ransomware attack, forcing it to reroute communications to a neighboring county.

“MS-ISAC’s assistance shortened the downtime and allowed the county to respond without paying the ransom or a contractor for recovery services,” the report noted. 

In another incident involving ransomware affecting a county’s emergency services, local staff were able to respond quickly thanks to previous training and tips from CISA. The county then turned to the agency for assistance, and CISA “helped the county terminate the connection to isolate the attack, quickly analyzed the forensic data, and provided a complete report within several hours the day of the incident,” per GAO.

“The report is generally positive and, perhaps, more positive than such a report would’ve been several years ago,” Brett Callow, a threat analyst at Emsisoft who follows ransomware told The Record. “That said, it certainly seems there’s room for some improvement and hopefully the agencies will act on that,” he added.

In a letter responding to the report included as an appendix, the Department of Homeland Security — which houses CISA and the Secret Service — agreed with GAO’s recommendation that it improve collaboration among the three agencies. A representative from the Justice Department concurred with GAO’s recommendation for the FBI via email, per the report.