To pay or not to pay: That's the essential dilemma for governments faced with ransomware attacks. Deloitte's Tim Li and Doug Powers tell host Tanya Ott how the public sector can face the looming threats.
“It’s a challenging thing. Evil is still alive. People want to extort. They’ve been in the cyber world and it’s robbery, but it’s against our civilization. Cyber exploitation of ransomware, similar to crime … you never get it down to zero. You just try to manage it and reduce, right?”
—Doug Powers, managing director, Risk and Financial Advisory, Deloitte & Touche LLP
Tanya Ott: Bad actors are out there, looking to hold state and local governments hostage by taking down their IT. But there are ways to protect against it, and we’ll talk about it today on the Press Room.
Explore the Government & public services collection
Learn about Deloitte's services
Go straight to smart. Get the Deloitte Insights app
Tanya: I’m Tanya Ott. Back in March of 2018, I was living and working in Atlanta when we started getting word that something was just not right in the city government. Residents couldn’t pay their water bills or traffic tickets online.1 The computers were down. Turns out, hackers had taken over the system and demanded $51,000 in Bitcoins as ransom.2 The city refused to pay and it cost nearly $17 million to eventually get their systems back up. When they did, they found some of the data—including years of police dashcam video—was permanently lost.3
My guests today have followed these and other less publicized attacks very closely. Tim Li leads cyber and strategic risk services business for the government and public services industry at Deloitte & Touche LLP.
Tim Li: Essentially leading all of our cyber strategic services within the federal government, state and local government, and higher institutions.
Tanya: Doug Powers is also in that division and his specialty is threat intelligence. Before joining Deloitte five years ago, Doug was a Navy information warfare officer. I asked Doug to explain how a ransom attack on a city works.
Doug: This idea has been around for a very long time, maybe way back in the days 20 years ago with floppy disks and little basic emails. But now they’re so complex. You could get ransomware on your cell phone from a text. [It’s] anything with a payload that you could click on—they trick you into clicking it or going to a link and it runs some malicious software which usually encrypts. That’s the key part. There’s some encryption that locks up your data so you can’t use it, and then levies the ransom and says we’re not going to decrypt it until you pay. Typically that pay is untraceable, they’ll try to do it in some kind of electronic currency such as Bitcoin or the like. That can be done at scale toward governments or commercial companies, and that’s where they make their money. Some of these ransoms can be very large.
Tanya: When this happens, when someone clicks on, say, that malicious email or an attachment or something like that, it can be compromised in a lot of different ways. For instance, in some cities, they may lose lots of legal files or dash-mounted-camera video from police cars or they may just lose access to it. But it could also be [that] the files are not there anymore.
Doug: Data is kind of your new currency, the crown jewels to an organization, a local government, city or state. That data needs to be backed up and protected and secured. When this gets encrypted and you can’t access it, or worse, permanently corrupted, a lot can be lost. It could be evidence. It could be financial data. It’s extremely disruptive to a business. It’s a form of extortion.
Tanya: In some cities, for instance, people who need to go online and apply for permits or other things like that are not able to get in for weeks before something might be resolved.
Tim: How a citizen engages with government, that’s been rapidly changed because of the ubiquity of connectivity now. Now that actually plays against organizations as well, because the ability for malware, in this case ransomware, to be infected across that entire ecosystem becomes very prevalent as well.
Tanya: What I think I hear you saying, Tim, is that there are a lot more entry points. If you’re, say, a large city, you’ve got thousands of employees. They may have company cell phones. They have company laptops. There are lots of ways that they could accidentally click on something which allows the extortionists, to use your term, Doug, basically to get access to them.
Tim: Those are just the personal devices you’re talking about, right, laptops, mobile devices, etc. Let’s not forget, with connectivity in cities, you got streetlights, you got police vehicles that are now connected. All of these items could be infected with ransomware and compromised and then those events disrupt the government’s ability to provide services. That’s the real problem we face with the proliferation of ransomware.
Doug: The point you made about many entry points, the internet of things—sure, some things were designed to connect to the internet, but there is so much older, operational technology, where they may have power, but they were never designed to be connected to the internet. Now things are connected—in some cases just to monitor, but in other cases to control and manipulate them. Those entry points are just exponential. You have critical systems.
Tanya: Can you give me an example, a concrete example, of one of those things that weren’t initially intended to be interacting in a really robust way with the internet are now connected and could be vulnerable?
Doug: We’ve got everything. Critical infrastructure. Even public water systems, electric systems. Power can be manipulated — maybe turned off or just deceived, where you could do something as simple and [seemingly] harmless as messing with someone’s billing information, because the dependencies are tied to power measurements and usage. Or it could be bridges and tunnels and dams or trains and metro systems, subway systems. It could go on and on.
Tanya: That’s a pretty scary prospect, actually, if you’re talking about public utilities and transportation potentially being hacked in that way.
Doug: We use the term smartphone, but the same thing is used for smart buildings and smart cities. It’s enabling internet connectivity: IT, internet technology, or information technology to OT, operational technology. That IT-OT bridge [is] where those entry points expound and many are very vulnerable because security is not built in. So it’s a heyday for the exploiters and the extortionists.
Tanya: Actually, that gives me a vision of an internet-connected building where the HVAC system and everything else is tied to IT or IoT devices. Someone could theoretically—and you guys are the experts—hold that hostage in, say, [in] a southern location, and turn off the air conditioning in the middle of July or something like that. And you can’t get it back until you pay us with Bitcoins.
Tim: That is a very real example and viable. We are going to see more and more of those instances where malicious actors will be creative and think about what is most vulnerable to an entity, an organization. When you think about ransomware, the question always becomes, do you pay or not? Right. Usually those [organizations] find ransoms being at a point where it becomes a nuisance for an entity and paying is easier than the compromise of being able to recover the services. There’s always that balance to consider and malicious actors will try to target those items where it’s just easier to pay than rather think through other alternatives.
Tanya: I want to get to the ransom part of this equation in just a moment. But first, one other thing that I imagine could be a problem in many municipalities, whether it’s local or even state government, is simply the staffing in the technology department and the budgets that are attached to that? Because, we know sometimes funding for positions and funding for technology can be a real issue in municipal government.
Doug: Definitely. You’ve got governments that tend to work procurement at a much slower pace, and for this high-demand talent and highly technical talent, they tend to not have the salaries [of private entities]. They’re really competing for this talent pool, and budgets are publicly monitored and under lots of scrutiny. So fighting with that part-time or with a limited team, they seem to always be behind.
Tanya: Because they’re fighting the world. The attack could come from anywhere, from any multitude of bad actors out there.
Doug: That’s right. It’s so asynchronous. You can reach from anywhere around the world. It’s not just someone in your neighborhood.
Tanya: So these are some of the reasons why governments are particularly vulnerable. In the current situation that we’re in, how has coronavirus affected the frequency of and government response to ransom attacks.
Tim: In the current pandemic situation, resources have been taken away in order to support other areas, in order to enable citizen services. A lot of the challenges that we’ve just talked about from an IT budget perspective, more and more money is being put into these new citizen services that need to be carried out. As we increase remote workforce, we add new services for citizens because they can’t walk up for certain services. That’s changed the dynamic and that’s required even more budget and resourcing for some of these other areas that are probably taking away from the ability to continue to protect an organization, to provide some of the right cyber hygiene capabilities that would help them mitigate the potential for a ransomware-type attack.
Tanya: We mentioned the actual ransom part of that ransomware. And the big question for governments is do you pay or not? What are the pros and cons of that? Paying is not a guarantee that you’re going to get your data back, though.
Tim: It certainly isn’t. Less than half of those that have paid the ransom actually are able to get their data back.
Tim: Yeah. And even in those cases when they’re able to get their data back, it doesn’t always mean you’re able to fully recover your operations to where you were before. It’s a very interesting question. It’s a simple thing to say, hey, maybe it’s a low enough cost that you might as well pay, but that’s a short-term solution with no necessary guarantees.
Tanya: So you might actually pay the ransom and you might not get your stuff back in a way that you can use or even back at all. The other argument is that paying leads to more attacks. That’s the idea behind governments not paying ransom for their citizens who are kidnapped overseas. Do we have evidence that paying more leads to more attacks?
Doug: Well, it’s an incentive. You think about these attackers, these ransomware exploiters, they’re really operating under a kind of a capitalist model where they’re looking to make a profit. So there’s a little bit of honor among thieves that if somebody pays you, then you really need to decrypt that for them. And you can see them on some dark web forums where they [say], “That’s a bad ransomware actor because he didn’t unlock the ransomware and that hurts the profession,” you know, as corrupt as it is. So paying [the ransom] and it not working may disincentivize. But if someone pays it—say it’s down at $500,000 per computer, it’s only a handful or a million. If they have insurance—and they can’t keep going to that well often—some cyber insurance policies do cover maybe that first amount. There’s a big debate about whether that should be insured or not. Because if you pay that—and some large cities, without mentioning names, some paid up to $18 to $20 million in recovery and the ransomware might have only been a few million. So was it worth that?
Tanya: If they had paid the ransom, it’d be a couple million. But because they didn’t, everything they had to do after that in order to get operations back up to speed could be 10 times that or more.
Tanya: And that has actually happened?
Doug: Oh absolutely. Many cities have chosen not to pay and then they spend that much in recovery and some didn’t even have insurance.
Tim: The interesting thing about insurance is there’s a whole lot of different policies and actually, not every organization really understands these different policies and some of the responsibilities that you have as an organization to uphold those policies. In most cases, and the policies continue to get refined, there are things that they’re protected for from a ransomware perspective. We have seen some cities where they have only needed to pay a deductible—which, in essence, made that insurance policy very valuable. But there have been other cases where we’ve seen that someone thought that they had an insurance policy as a fallback plan to be able to rely on, but maybe there is a fine print in the policy that said, these are the certain things that you’re expected to do as a recipient of this policy in order for your policy to be effective. In some cases, they were not able to make the appropriate claim because they may have violated some parts of those terms. So there’s definitely some variability. I would caution folks to truly understand, what does your insurance policy state? How does your deductible gets actioned? Because those are things that are really important to know.
Tanya: I read about a smaller city where their deductible on their policy was $10,000 or something really, really small like that. But I wondered, what strings does that come with? Will the company only do that once and then after that the policy has changed if you haven’t fixed your system in a way that’s approved by the insurance company?
Tim: Exactly, and I think Doug alluded to that earlier. You may be able to make a claim the first time, but the next time, if there’s evidence that maybe there are things that you didn’t do as an organization to protect yourself, to maintain basic cyber hygiene, your next policy will be quite a bit more expensive.
Tanya: Does the insurance policy perhaps give some governments a false sense of security?
Tim: It absolutely does, especially when you don’t know the details of your policy and you make an assumption that you can always just pay the deductible and that deductible maybe on a lower threshold than the ransomware amount. Of course, insurance should definitely be part of your mitigation strategy against ransomware, but it shouldn’t be the only thing.
Tanya: Where does this leave the government? What’s the government to do in this situation where an attack could be coming from anywhere?
Tim: You need to understand, what is your operating environment? What does it entail? We talked about some of those new connected devices that are going online. What are you worried about? What are those devices that could be infected with malware or ransomware attacks? Are you confident if you had backups, could you recover from them? Could you go through an entire reconstitution process and successfully be up and running in full operations very quickly? And frankly, how do you respond to these attacks? Do these folks have the right muscle memory? So they’re not just going through it the first time, have they war-gamed through their plans of how they might respond so that they can do so swiftly, efficiently, and with conviction in terms of some of the decisions that they’re making? I think there are a lot of the questions that leaders should be asking to support preparedness for potential ransomware attack.
Doug: Really, it’s about building [a system] well, smartly. Did it just grow over time and we’re adding things without security, or have we really compartmentalized it and really looked at what’s most valuable? You brought up data in the beginning. Are those most valuable technologies protected, and are there backups? Are they resilient and operating well? People are a big part of it. [Scammers] are targeting technology, but actually these ransomware attackers are exploiting people and behavior. Are people trained to know when something’s suspicious, to not click on it, to have good hygiene on the systems? Have they maintained their systems well?
Tanya: Doug, do we have a sense of how many governments actually train all of their employees, in the way that you’re talking about—cyber hygiene to the point where they’re just incredibly rigorous about this?
Doug: I don’t have exact numbers. I just know that it’s a requirement. There are standards now that have existed for nearly a decade. Even in the last three to five years, specifically about phishing, most governments have some basic cyber training. [But with] work from home now with COVID, those entry points have expanded. They’re testing their work-from-home employees with this training. And there’s a lot of computer-based training that’s out there and it’s usually done on an annual basis.
Tanya: The reason I ask about that is because I have a daughter who is in college and she’s interning for the summer at a major southern bank. And one of the things that they did was send phishing-like emails to all of the interns to see who clicked on them and who didn’t. Then they would follow up with more education about the phishing. Which I thought was very interesting, especially since I’ve worked for state universities for a couple of decades and have never had that kind of training. In the positions that I’ve been in, even in management positions, the training largely consisted of somebody sending an email saying, hey, phishing is a thing. This is what looks suspicious, so don’t click on these things. And that’s kind of it.
Doug: I know several organizations where it’s not as bad as the wall of shame if you click on a phishing email, but it can earn you some extra training, you go to remedial level if you are the frequent offender.
Tanya: I understand artificial intelligence can help with the response. Explain that.
Tim: The capability of using analytics to predict behaviors and then take autonomous action, that’s really important because there are certain things that could be leading indicators and or insights of a potential ransomware event or other issues like [cyber] hygiene. You may have leading indicators that you are more at risk for ransomware attack and then subsequently have the capability to be predictive and automatically respond in these cases. That’s a huge value of being able to use artificial intelligence in this situation, when it takes away from some of the human intervention that’s required. There’s not enough humans able to do some of these things, so being able to capitalize on some of these AI capabilities is really important.
Tanya: Just to clarify, does that mean that AI is trained to be looking for maybe people testing the water or testing the edge of your security system?
Tim: AI is being used to detect potential incidents, but also being used to help with automating some of the decision-making capabilities in terms of things you might do to take a leading indicator of a potential incident and to close down ports or do other things that may help automate activity that doesn’t require human intervention in those cases.
Tanya: An if/then scenario: If AI is seeing this, then they take that action. Doug, you are pretty passionate about the role of AI in helping respond well to these types of incidents. Talk about that a little bit.
Doug: Absolutely, because it supports some of the earlier concerns or helps address those that we talked about. One area is really the fight for talent, the shortage, especially in the government space. You don’t have to pay a machine. Once you’ve got high confidence that this is really suspicious and we don’t want this to occur, you can do things quickly, efficiently and at massive scale, things that a human couldn’t do.
Tanya: I’m wondering how much governments share information with each other around these attacks. Is it possible to build sort of like a herd immunity, because you know how operators are attacking other people and how they’ve responded, what’s been successful and what’s not been successful?
Doug: Sharing happens, [but] there are pros and cons to it. Sometimes it’s sharing something that already happened in most cases. There are some unfortunate consequences that go against sharing when you introduce legal aspects, insurance, and standards and regulations. So there is a healthy tension at times, but people are well intended at the analysts’ level to share. If you add AI to this, and if you could anonymize that, that would be the way to do it so you could expedite churn.
Tanya: Talk to me a little bit about that. When you say add AI to that, are you talking about AI talking to other AI?
Doug: If there are indicators—not just, hey, this happened to me last week or even yesterday—[that] could be shared within minutes, [for example] suspicious behavior in the financial industry that may tie to a government, [you would be] crossing public and private, commercial and public. A machine is not offended by sharing that information. It’s just, hey, here’s what to look for.
Tim: What’s even more interesting, as you think about the concept of sharing, is sometimes it’s not even about sharing actual things that have happened. It may be leading indicators that may mean nothing to someone, but when you are sharing that information and you’re able to correlate with other things that another entity might be seeing, it actually shows something through that correlation. We tend to think sharing has to be, “I definitely know this exploit or this vulnerability.” Sometimes just sharing something that might be a little bit different for someone else may actually be the view that they need to see that they may be vulnerable to something as well. This whole concept of how the ecosystem can flex and help each other becomes really important, which you started alluding to with herd immunity. I love that concept in this place, because as we think about the problem—with ransomware we have this vicious cycle. If it’s easy to do, the attackers will keep on propagating it and the proliferation will be very great. At some point, we have to bend the curve and we need this herd immunity that exists through ecosystems, so if it’s harder to accomplish through one entity and then the next, that’s going to be harder for the entire ecosystem as well.
Tanya: What on the horizon in this area?
Doug: I think the threat is growing. Governments are particularly vulnerable because of the reasons we shared about talent and legacy technology. And as Tim brought up earlier, the entry points to operational technology and smart buildings and smart systems are extremely vulnerable. It’s not just, hey, a computer’s corrupted and someone’s not going to get paid, but we’re moving into the threat to safety in the physical world. Laws around this, regulations around this, are still catching up. The internet of things has been around for over a decade. They’re expanding to everything from your watch to your toaster, your refrigerator to traffic lights. Everything is connected. Are they built well with security? Are people held accountable for truly operating with security in mind, not just monitoring the consequences for those that violate that? And how do we respond? Are we aware of what’s vulnerable? Are our governments building into their response systems how to respond to, let’s say, something catastrophic to a water system or to electrical power? And who responds? Is that the cyber police in the town? The fire department? Who is going to respond? How are they going to respond? And when?
It’s a challenging thing. Evil is still alive. People want to extort. They'’ve been in the cyber world and it’s robbery, but it’s against our civilization. Cyber exploitation of ransomware, similar to crime … you never get it down to zero. You just try to manage it and reduce, right?
Tanya: Doug, Tim, thank you so much. It’s a fascinating topic. And I know that you helped me understand it a little bit better. And I’m sure our audience as well.
Doug and Tim: Thank you Tanya. Really enjoyed it.
Tanya: Tim Li leads Deloitte’s cyber and strategic risk services business for the government and public services industry. Doug Powers is also in that division. His specialty is threat intelligence. They’ve written a really interesting paper about the ransomware attacks on state and local governments. It includes several more case studies, as well as strategies for combatting all those bad actors out there. You can find that paper and a lot more at deloitte.com/insights.
I also want to direct you to our new podcast feed for Insights In Depth. Right now, we’re talking about Tech Trends, and we touched on the issues that ransomware raises when we talked about ethical technology:
Scott Buchholz: Connectivity is a wonderful thing because it enables us to do things that we never could before. And sort of the flip side of that is it enables other people to do things that we probably don't want them doing.
Find out how thinking about ethical technology may be able to protect you from bad actors. You can find that podcast and more through Insights In Depth.
This podcast is produced by Deloitte. The views and opinions expressed by podcast speakers and guests are solely their own and do not reflect the opinions of Deloitte. This podcast provides general information only and is not intended to constitute advice or services of any kind. For additional information about Deloitte, go to Deloitte.com/about.