The ransomware attacks that pose a risk to life and health
Investigators weren’t able to get information on the history of police calls to the home of a mass killing suspect due to a ransomware attack that knocked Dallas government computers down, law enforcement officials told Rebecca Lopez of news channel WFAA in a story this weekend.
Police and fire leaders in the same city, meanwhile, said that response times had slowed. Officers are relying on backup plans like resorting to using pen and paper during system outages, Kelli Smith reported for the Dallas Morning News. That comes amid assurances from a city leader that “key public safety functions continue as usual.”
The cyberattack on the Dallas government illustrates ransomware’s potential, if not actual, risks to public health and safety. Some details about the Dallas cyberattack are still unknown; a city official is expected to discuss the hack when he appears before a Dallas City Council panel today.< The economic impacts of ransomware have long been established as concrete. This weekend brought the two-year anniversary of the attack on Colonial Pipeline, which prompted a fuel panic on the East Coast.
But ransomware attacks on government agencies and hospitals present the danger of a more physical kind of harm.
“All of these things create a very obvious potential for lives to be lost,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me.
The state of the attacks
While there has been a reported slowdown in ransomware attacks from 2021 to 2022, overall attacks on U.S. hospitals doubled between 2016 and 2021, according to one study. Emsisoft has tracked nearly 200 ransomware attacks on the public sector since the start of last year.
Attacks on local government agencies and hospital systems are among the most worrying in the current battle against ransomware, Megan Stifel, a co-chair of the joint public-private Ransomware Task Force, told me last week.
And federal officials say many ransomware attacks go unreported, so the accuracy of any tallies are lacking. A bill signed into law last year would require critical infrastructure owners and operators to report to the federal government when they suffer major cyber incidents or make ransomware payments. The law’s definition of covered entities required to report would include critical government facilities owned by state, local and federal governments, but the Cybersecurity and Infrastructure and Security Agency is still writing the regulations that fill out more details.
And while there’s evidence that ransomware victims are growing less willing to pay to unlock their systems, some still do. San Bernardino County, Calif., officials acknowledged last week that the county paid ransomware operators $1.1 million to free up sheriff’s department computers. A county spokesperson, David Wert, told KCAL News that “insurance covers most of the payment.”
The fact that ransomware gangs are still getting paid is “why these attacks keep on happening,” Callow said.
“All of these incidents, whether involving health care, police or other emergency services, do put lives at risk,” Callow said. “If lives haven’t already been lost because of ransomware attacks, it’s inevitably only a matter of time until they will be.”
There’s more in there about the effect of ransomware attacks on police and hospitals, so go read the rest. This is the sort of thing for which there ought to be a large pile of federal money made available, to local and state governments, to school districts, to hospitals, to utilities and waste management sites, all for the purpose of upgrading their cybersecurity capabilities. Mostly because a lot of these entities are overworked and under-resourced, they often make easy and enticing targets for ransomware gangs. The potential harms are great, and we’re just not doing enough to mitigate them.
More than just money is needed, of course – you need people who know how to implement the software and manage the systems and deal with alerts and incidents and so forth. Believe me, it’s a big undertaking and we need a lot more people doing this kind of work. Which raises a whole ‘nother set of issues, about school curricula and how we bring women and people of color and other under-represented groups into this profession and them keep them there, as well as immigration because we’re going to need to import some of these people, but all that is beyond my scope here. Point is, you ought to check and see how your city or county or school district is doing with its cybersecurity. Better to ask now than find out the hard way later.