Ransoming government

by Srini Subramanian, Pete Renneker, Doug Powers, Joe Mariani, Akash Keyal, Adam Routh
    18 minute read 11 March 2020

    Ransoming government: What state and local governments can do to break free from ransomware attacks
    • Srini Subramanian United States
    • Pete Renneker United States
    • Doug Powers United States
    • Joe Mariani United States
    • Akash Keyal India
    • Adam Routh United States
    • The increasing sophistication of ransomware
    • Why governments seem particularly vulnerable
    • To pay or not to pay?
    • But why the big increase in ransom attacks now?
    • Finding a third way
    • Success is possible

    As malware attacks increasingly hold various governments ransom over critical data, to pay or not to pay can become an impossible dilemma. Taking simple steps to secure IT infrastructure and data can help government organizations avoid this dilemma.  

    The increasing sophistication of ransomware

    In December 1989, computer researcher Jim Bates popped a floppy disk into the disk drive and was shocked at what he saw. On a disk labeled “AIDS Information Version 2.0,” he found, hidden among files containing information on AIDS and the HIV virus, a virus of another kind: a program designed to encrypt the root directory of a computer.1 A few months before, this same disk had made its rounds at a world conference on AIDS. Any researchers unfortunate enough to insert the disk were greeted by a large red screen demanding that US$189 be mailed to a post office box in Panama if they wished to use their computer again. This was the world’s first ransomware.

    While distribution and payment methods may have advanced beyond floppy disks and post office boxes, the basics of ransomware largely remain the same: Hackers gain access to a system and, once in, use malware to lock data behind complex encryption; to regain access to that data, victims must pay a ransom ranging from a few hundred dollars to several million. As connected devices and digital systems proliferate at breakneck speed, government services ranging from health care to policing to public education are increasingly managed through digital networks and software.

    Governments then may find themselves vulnerable as they try to keep pace with cybersecurity developments, often on increasingly old systems. Vulnerable networks, critical citizen services, and paying ransoms can create a positive feedback loop where successful ransomware attacks can encourage more and more attacks asking for more money. In such situations, governments often face a dilemma: paying ransoms that can likely fuel more attacks and other illicit activities, or dealing with the considerable cost of losing data necessary to provide public goods and services.

    Unfortunately, there is no silver bullet for ransomware. It takes hard work, starting with first understanding what makes governments attractive targets for ransomware and then putting in place new tools, new policies, and a new approach to cybersecurity. A few governments are already protecting themselves against and recovering from ransomware attacks, setting an example for other governments. Ultimately, reversing the current trend in ransomware attacks rests on doing the basics well: building and operating networks well, and responding well to inevitable attacks.

    Why governments seem particularly vulnerable

    Along with the health care industry, governments are among the top targets for ransomware. Ransomware is a particularly powerful weapon against governments, which must provide public services and cannot afford, financially or civically, to have data compromised to the point of governance paralysis. The cost of a police department unable to serve and protect the community or a school district unable to educate the community’s children escalates quickly. As a result, governments often see paying the ransom as the only logical solution. After all, not paying the ransom and having to recoup lost data and systems can often be significantly more expensive than the ransom.

    Beyond being a desirable target, governments can also be a vulnerable one, for several reasons:

    Growing attack surface

    A successful ransomware attack typically needs three ingredients: a vulnerability, or “exploit,” in the network or system to create access, encryption to block access to the data and create the need to pay ransom, and a payment method to collect that ransom.2 With powerful algorithms and bitcoin offering easy off-the-shelf methods for encryption and payment, exploits are often the driver behind new waves of ransomware attacks.

    Governments are now providing more services to citizens through digital means than ever before. Indeed, the total number of computers used by government organizations has grown significantly. A few decades ago, there may have been a few computers in the central office of local school districts or police departments, but today every squad car has a computer, and each classroom likely has a few. Each of these computers is a potential access point for malware, with the result that the potential attack surface that a government agency must protect has grown significantly without commensurate investments in cybersecurity.3

    This trend is not likely to stop either. Connected traffic cameras, ambulances, trash trucks, parking meters, and libraries (just to name a few) make up an incredibly varied, constantly growing array of endpoints, all connected to state and local government networks—and all potentially vulnerable to attack, creating a larger attack surface.4

    Outdated technology and inadequate defenses

    While new technology coming online can pose a challenge for governments, the lack of new technology can too. Many governments struggle to keep up with the rapid pace of technology refresh cycles.5 Tight budgets limit the amount of modernization that can take place, and even if budget is available, the tech refresh process itself can strain government IT departments. Private sector networks are often designed with enough redundancy to support taking portions offline for tech refresh without suffering a loss in capability, but state and local government network operations teams rarely have that luxury. Taking a system offline to replace or upgrade it generally means some service is unavailable to citizens, making modernization a tough tradeoff for government leaders.6

    Even current-standard, updated networks require constant effort to maintain security patches and configurations, a task that even the most well-staffed, well-trained cybersecurity staff could find difficult. For state and local governments operating with older, legacy systems, keeping those systems up to date can be a daunting battle. An audit conducted in Atlanta, not long before the 2018 ransomware attack, found up to 2,000 network vulnerabilities.7 However, as the staggering costs of recovery—US$17 million in the Atlanta attack—become more widely known, government leaders may begin to see the necessity of timely maintenance and modernization.8

    As important as continuous maintenance of machines is the basic cybersecurity education and training for every civil servant, employee, contractor, or elected official who has access to government networks. It can take only one click to compromise a network, and everyone who is part of the network should understand the basics of how to protect it. But regular cybersecurity training costs time and money, and for local governments on tight budgets and with too few staff, this could seem like a near-impossible ask. The most advanced cybersecurity tools in the world cannot make up for poorly trained workers.

    The cost of being small

    However, the most significant challenge is not typically technology—it is people. New systems do not come online and legacy systems do not get patched without trained staff to do the work. Attracting and keeping the right number of trained technology staff, and cybersecurity staff specifically, is perhaps the greatest challenge for many governments.

    Cybersecurity talent is in high demand today in every sector. According to the 2017 global information security workforce study, two-thirds of its nearly 20,000 respondents indicated that their organizations lack the number of cybersecurity professionals needed for today’s threat climate.9 By 2021, 3.5 million cybersecurity jobs are expected to remain unfilled.10 With every organization looking for cyber talent from a limited pool, the bidding war for that talent can become intense. The US Department of Labor reports that the median salary for cybersecurity talent is nearly US$100,000.11

    Faced with small IT budgets, state and local governments can struggle to attract and retain the cybersecurity talent they need. A biannual NASCIO/Deloitte cybersecurity survey found that a lack of budget has been the #1 concern of state-level chief information security officers (CISOs) every year since 2010. The majority of states spend only 1 to 2 percent of their IT budgets on cybersecurity, and nearly half of states do not have a cybersecurity budget that is separate from their IT budget.12 In contrast, federal-level agencies and private sector organizations generally spend between 5 and 20 percent of their IT budgets on cybersecurity.13

    Skilled cybersecurity talent in the United States is attracted to high-wage, high-demand jobs in a few select urban areas (figure 1). The result is that most state-level IT security organizations are staffed at drastically lower levels (6–15 cyber professionals in an organization) than a comparable-sized financial organization in the private sector (more than 100).14 The problem is compounded when you consider that on average less than 15 percent of IT staff work on cybersecurity.15 So many local governments are left with, at best, one cybersecurity professional, though often that individual has to split time between cybersecurity and other IT tasks. A part-time cybersecurity effort fighting against full-time, professional attackers is never going to be a fair fight.

    Figure 1. Annual mean wages of US cybersecurity analysts are the highest in a few urban regions

    To pay or not to pay?

    As attractive targets, more and more governments are finding themselves in the crosshairs of ransomware attacks. While the US federal government doesn’t encourage payment of ransom, the decision government agencies face isn’t an easy one: either pay the ransom to (maybe) regain access to your systems and data while likely fueling additional criminal activities with money from the ransom, or don’t pay the ransom and absorb the almost-always greater costs of system restoration and lost revenue.

    The costs associated with restoring the system and loss of revenue when systems are down often significantly outweigh the ransom demand. For example, in May 2019, the city of Baltimore was hit with a ransomware attack demanding US$76,000, and it decided not to pay. This decision cost the city at least US$18.2 million in a combination of restoration costs and lost revenues.16 Hackers purposely keep the ransom demands lower than what it would cost to recover the systems, making paying the ransom seem to be a better economic choice for underfunded local governments.17

    Other municipalities have seen those costs and chosen another route. In June 2019, Lake City, Florida, reportedly agreed to pay ransom to hackers to regain access to its municipal computer systems two weeks after systems were disrupted. According to news reports, Lake City agreed to pay the US$460,000 ransom. Lake City also had cyber insurance that covered the payment itself, leaving the city with only a US$10,000 deductible to pay.18 But even the decision to pay is not a guaranteed path to recovery. Some malware such as NotPetya may ask for ransom even though it cannot ever decrypt the data, while some attackers may simply refuse to send a key.19 According to one survey of 1,200 cybersecurity professionals, less than half of those who paid ransom regained access to their data.20

    But why the big increase in ransom attacks now?

    All of this seems to beg the question, why does there seem to be a recent explosion of ransomware targeting state and local governments? After all, governments have had limited IT budgets and aging legacy systems for decades, and ransomware itself is not new, so what has changed?

    Impact of cyber insurance

    Certainly, the recent increase in cyber insurance plays some role. That growth has been driven by two factors. First, for many organizations, transferring cybersecurity risk to an insurer can be a cost-effective strategy in a rocky cyber world. Second, the market is proving an attractive one for insurers. While many other areas of insurance are flat, cyber insurance remains a profitable, if uncertain, segment. The loss ratio for US cyber policies was about 35 percent in 2018 compared with 62 percent across all property and casualty insurance.21 In other words, for every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance. However, this profitability may be largely due to the uncertainty related to the cyber insurance no-win situation in which insurers find themselves: When attacked, no organization wants to be helpless, but those that use cyber insurance policies to cover ransom payments may unintentionally be fueling the increase in ransomware attacks.

    Government-specific circumstances

    More cyber insurance policies paying out more ransoms may be part of the issue, but it cannot be the whole story. After all, the majority of cyber insurance policies are issued to commercial organizations, not to governments. So why are governments such a target right now? The answer may lie in the peculiarities of some of those policies issued to governments.

    The simple answer is that cyber insurance, poor defense, and criticality of government services are creating a positive feedback loop where attackers are asking for and getting more money more often. For example, in the second quarter of 2019, governments that chose to pay ransoms ended up paying 10 times more than their commercial counterparts.22 This appears to create a situation where, aided by cyber insurance, more vulnerable government organizations are paying more than better-protected ones. Like blood in the water, this appears to have attracted at least one organized cybercrime syndicate in Russia, which created the Ryuk ransomware strain that appears to be behind many recent attacks.23 While diverse in its targets, this syndicate appears to be specifically targeting US state and local governments and demanding nearly 10 times higher ransom than average attacks.24

    Like the chicken and the egg, it is difficult to know whether increased ransom demands are driving higher payments or higher payments are attracting larger demands, but the link between them seems clear. To help illustrate this relationship, we drew on a number of data sources to compile a database of ransomware attacks targeting public sector organizations beginning in 2013. Along with a significant increase in attacks recently, there also appears to be a clear correlation between the ransom paid and volume of attacks (figure 2).

    Figure 2. Ransomware attacks against governments spiked in 2019

    Therefore, while paying the ransom in a ransomware attack may seem to be an easy, short-term solution, in the long run, it may make the problem worse, encouraging attackers to continue to target governments. Incentives should be put into place to make sure that governments don’t see paying the ransom as the better, or only, option.25

    Finding a third way

    Clearly, neither of the typical responses to ransomware is sustainable. Not paying ransom can lead to massive costs and the loss of critical data and citizen services. Paying ransom may save money in the short term but may also invite more attacks in the long term. To move forward, governments should consider an approach to dealing with ransomware built on doing three things well: building well, operating well, and responding well.

    Building well: Making governments hard targets

    The first step should be to avoid becoming a target in the first place—partly by developing smarter systems, and partly by having skilled staff to work with these systems.

    Develop a smart systems architecture

    No system can ever be completely secure. Unknown security flaws that could provide access into a system will likely always exist. However, how an organization manages its data can mitigate the consequences of any ransomware attack.26 Developing a system architecture where the most critical data is compartmentalized can make it more difficult for hackers to encrypt enough critical information to create leverage and demand a ransom. This compartmentalization is as much about function as physical connectivity. Disabling extraneous services on connected devices and putting in place policies that prohibit checking email or playing games on critical hardware can be important defensive measures.27

    Developing system backups should be the next, and possibly most important, step.28 Air-gapped backups—isolated computers or systems that don’t have connections to external links—or even tape backups can help keep critical business information insulated from ransomware attacks. The air gap decreases the likelihood that ransomware can infiltrate the backup, and in the event it does enter, the design of the vault prevents the ransomware from executing its payload (figure 3).29 Similarly, tape backups can help restore data without the risk of reintroducing ransomware. Regardless of method, data backups inaccessible to ransomware attacks are another way organizations can avoid falling prey to criminals who hope to hold their information hostage.

    Figure 3. A sample air-gapped recovery vault decreases the risk of ransomware damage

    Build a cyber-aware workforce

    The best technology and business processes in the world are useless without the skilled staff to implement them. Cybersecurity talent is in high demand, so governments must be creative about ways to attract and retain that talent, including sharing talent via rotational assignments within government, improving pay and benefits packages, or looking to the gig economy.30 For example, Michigan’s Cyber Civilian Corps not only offers new ways to attract talent, its CISO-as-a-service offering also helps to make that talent available to smaller governments that otherwise could not afford it.31

    But training and reskilling efforts cannot end with IT staff; every worker should be cyber-aware. Programs such as the Federal Cybersecurity Reskilling Academy that educates non-IT workers in cybersecurity basics can be valuable tools in creating an aware and active workforce.32

    Operate well: Minimizing risk

    Some ways in which risk can be minimized include improving basic cyber hygiene and using war-gaming to prepare for real-life attacks. State and local government leaders and their teams should know how to respond if attacked just as emergency responders know how to respond during a fire, car accident, or severe weather.

    Improve basic cyber hygiene

    The maintenance of legacy systems can be a critical vulnerability for many governments, making improved cyber hygiene important to reducing the overall risk of attack. Timely application of software patches and updates is imperative, as are regular system backups to an air-gapped recovery vault. Updates can help limit the vulnerability of a government’s systems, while the system backups could speed recovery time if the systems are attacked and avoid the need to either pay ransom or spend more in recovering the data. Improving basic cyber hygiene also means regular trainings and evaluations for all staff. While the cost of effective training programs may seem like a less-than-critical expense, it’s generally far less than the cost of a ransomware attack. It is also feasible that as rates of ransomware attacks increase, insurers may require policyholders to meet certain basic requirements, including staff trainings, in order to pay out on policies.

    War-Gaming

    Planning for a ransomware attack begins with a system audit to identify which systems, information, and people are critical to the organization’s operations and most vulnerable to ransomware. For example, a police department would cease to function if its emergency dispatch system was compromised, but it could function if the system tracking employee time sheets was compromised. With that information, governments can then test their protective measures and responses using war-gaming and simulation.

    Cyber war-gaming and simulation are valuable tools in preparing staff and ironing out kinks in processes. Rehearse with a realistic scenario so that you’re able to simulate the decisions that you might have to make. You don’t want to be forced to decide under duress. Often, only during such simulations do leaders begin to see the many details that they must master—from the logistics of transferring bitcoin to learning what exactly is covered by a cyber insurance policy. Government can use the successes and failures of the war-game to craft a playbook spelling out responsibilities and key tasks in the event of an attack to speed response. Speedy recovery depends on everyone knowing the plan and being able to execute it quickly, and for that, there is no substitute for practice.

    Responding well: Getting back to normal quickly

    Attacks can strike even the best-prepared government, so knowing how to respond and restore critical services to citizens as quickly as possible is essential.

    Deploy emerging technologies

    Finding and retaining skilled cybersecurity talent will likely remain a challenge in the near future, so deploying emerging technologies that can make the existing workforce more effective can be a significant cost advantage to governments. For example, artificial intelligence (AI) can help prevent ransomware attacks by blocking unusual downloads from links that employees unwittingly click on.33 The city of Las Vegas has used AI to detect and respond to cyber threats for three years with great success. In the words of director of innovation and technology, Michael Sherwood, “Ransomware can spread across your network rapidly, so you need tools that can prevent that from occurring. AI can autonomously take control and provide split-second reactions, which is very useful for preventing damage.”34

    Adopt an ecosystem approach to cyber

    Governments should not try to go it alone. Information-sharing bodies such as industry-specific organizations can link governments to other local governments and organizations so that they can learn from each other’s successes and failures.35 Similarly, staying in touch with external researchers, vendors, and law enforcement can help governments access new tools and technologies and create the relationships that will likely be needed if a crisis should ever occur.

    Finally, sharing information about ransomware experiences, even when it is uncomfortable or potentially embarrassing, can be key to the “herd immunity” that can keep other governments safe. Although there is currently no legal requirement in the United States to report ransomware attacks, those reports are important to understand the technical nature of attacks to both find perpetrators and help others protect themselves. While some governments are beginning to consider reporting requirements—Texas, for example, is considering a law requiring ransomware reporting—government leaders at all levels should consider devising and practicing some form of voluntary reporting procedure.36 It will be important for local governments to coordinate outside of their typical state silos through the establishment of cyber monitoring and incident response services provided across jurisdictions.

    Success is possible

    These steps toward a new approach to ransomware resilience represent a significant amount of work. Government entities need to become resilient in a world where a constant threat of a cyberattack is the “new normal.” But the good news is that success is possible.

    Take Lubbock County, Texas, for instance. The IT department gets calls about strange behavior on Lubbock County's 1,300 computers all the time. But one call about icons changing on a worker’s desktop in real time caught the department’s attention. It was a clear sign of an attack. By quickly isolating the affected computers, the Lubbock County IT staff was able to stop the ransomware attack before it locked down any critical systems. Lubbock County was one of 23 local governments hit by ransomware in August 2019 in Texas alone, yet it appears to be the only one that successfully stopped the hackers.37 Though hardly revolutionary, its actions show how training and resources—and a bit of luck—can thwart hackers who have been hobbling US cities and counties.

    Ransomware is a hard problem for governments. It springs from a variety of sources and demands an entirely new approach if governments are to free themselves from the difficult dilemma of paying versus not paying ransom. The good news is that a clear vision and a few concrete actions can help secure government systems and the valuable services they provide to all citizens.

    Acknowledgments

    The authors would like to express sincere thanks to Swift Griggs of the PARSEC Group for his novel expertise on the subject. Jeremy Erb and Murry Carter were also invaluable contributors whose insights and feedback greatly improved the quality of this report. We also owe a debt of gratitude to Pankaj Kishnani for his incredible ability to bring the data alive through graphics and visuals.

    We also must thank the dedicated team that helped bring the article to life: Aditi Rao of Deloitte Shared Services India LLP and Blythe Hurley of Deloitte Services LP.

    Cover image by: Chiara Vercesi

    Endnotes
      1. Jim Bates, “Trojan horse: AIDS information introductory diskette version 2.0,” Virus Bulletin, January 1990.

      2. Swift Griggs of the PARSEC Group, interview with the authors, January 2020.

      3. Srini Subramanian and Doug Robinson, 2018 Deloitte-NASCIO Cybersecurity Study—States at risk: Bold plays for change, Deloitte Insights and NASCIO, October 23, 2018.

      4. Jason Crist, “Managed security services help the public sector tackle cyberthreats,” StateTech, July 18, 2019.

      5. Benjamin Freed, “Ransomware attacks map chronicles a growing threat,” StateScoop, October 22, 2019.

      6. Cynthia Brumfield, “Why local governments are a hot target for cyberattacks,” CSO, May 1, 2019.

      7. David Gilbert, “U.S. cities are under attack from ransomware—and it’s going to get much worse,” VICE, June 18, 2019.

      8. The costs of the March 2018 ransomware attack on the city of Atlanta are estimated to hit US$17 million or higher. See: Stephen Deere, “Confidential report: Atlanta’s cyber attack could cost taxpayers $17 million,” Atlanta Journal-Constitution, August 1, 2018.

      9. Center for Cyber Safety and Education, 2017 Global Information Security Workforce Study: U.S. Federal Government results, 2017.

      10. Tim Woodbury, “Cybersecurity in 2019: A time for bigger budgets and more talent,” Government Technology, February 8, 2019.

      11. U.S. Bureau of Labor Statistics, “Occupational Outlook Handbook,” September 4, 2019.

      12. Subramanian and Robinson, 2018 Deloitte-NASCIO Cybersecurity Study.

      13. Barbara Filkins, IT security spending trends, SANS, February 2, 2016; Jim Eckenrode and Sam Friedman, The state of cybersecurity at financial institutions: There’s no “one-size-fits-all” approach, Deloitte Insights, May 21, 2018.

      14. Subramanian and Robinson, 2018 Deloitte-NASCIO Cybersecurity Study.

      15. Kaspersky, “Kaspersky lab survey reveals the financial impact of the IT security talent shortage,” press release, 2016.

      16. Ian Duncan, “Baltimore estimates cost of ransomware attack at $18.2 million as government begins to restore email accounts,” Baltimore Sun, May 29, 2019.

      17. Eric Stern and Andrew Lipkowitz, “Insurance coverage options before ransomware attacks,” NUPropertyCasualty360, August 22, 2019.

      18. Ibid.

      19. Anton Ivanov and Orkhan Mamedov, “ExPetr/Petya/NotPetya is a wiper, not ransomware,” Securelist, June 28, 2017.

      20. CyberEdge Group, 2018 cyberthreat defense report, September 2017.

      21. Insurance Journal, “How the U.S. cyber insurance market is performing: Aon report,” July 10, 2018.

      22. Benjamin Freed, “Ransomware hits everywhere, but governments pay 10 times more,” StateScoop, July 16, 2019.

      23. Alexander Hanel, “Big game hunting with Ryuk: Another lucrative targeted ransomware,” Crowdstrike Blog, January 10, 2019.

      24. Benjamin Freed, “Recent ransomware surge linked to Russian criminal group,” StateScoop, September 3, 2019.

      25. Renee Dudley, “The extortion economy: How insurance companies are fueling a rise in ransomware attacks,” ProPublica, August 27, 2019.

      26. For more on a zero-day vulnerability, see: NortonLifeLock, “Zero-day vulnerability: What it is, and how it works,” accessed February 5, 2020.

      27. Griggs, interview.

      28. Ibid.

      29. Deloitte, “Cyber recovery: Surviving a digital extinction–level event,” December 4, 2019.

      30. William D. Eggers, John O'Leary, and Amrita Datar, The future of work in government: Navigating a shifting talent landscape, Deloitte Insights, February 28, 2019.

      31. Benjamin Freed, “NASCIO and NGA promote more state-local cooperation on cybersecurity,” StateScoop, January 15, 2020.

      32. President Donald J. Trump, “Executive order on America’s cybersecurity workforce,” The White House, May 2, 2019.

      33. Adam Janofsky, “AI helps companies, cities fight ransomware,” WSJ Pro—Artificial Intelligence, August 14, 2019.

      34. Ibid.

      35. Cybersecurity and Infrastructure Security Agency, “Information sharing and analysis organizations (ISAOS),” accessed February 5, 2020.

      36. John Thomas Flynn, “Local governments need year-round cyber training, ransomware protocol,” Federal News Network, October 17, 2019.

      37. Talal Ansar, “How one Texas county stopped a ransomware attack,” Wall Street Journal, August 30, 2019.

    Srini Subramanian

    Principal | Deloitte Risk & Financial Advisory

    Srini is a Deloitte & Touche LLP principal in the US Government and Public Services (GPS) practice and leads the Risk & Financial Advisory practice for the SLHE Sector. Srini serves as the GPS Industry Leader for the Global Risk Advisory practice. Srini has more than 33 years of technology experience and more than 23 years of cyber risk services experience in the areas of technology and cyber strategy, innovation, digital identity, and cyber detect & respond services. As a cyber principal practicing in GPS, Srini is committed to improving cyber risk management of our government and society. Srini has co-authored the biennial Deloitte-NASCIO Cybersecurity Study publication with the National Association of State CIOs (NASCIO) since 2010. The recent 2020 Deloitte-NASCIO Cybersecurity Study and States At Risk publication can be found at: The cybersecurity imperative in uncertain times.

    • ssubramanian@deloitte.com
    • +1 717 651 6277

    Pete Renneker

    Managing Director | Deloitte & Touche LLP

    Pete, a managing director at Deloitte & Touche LLP, serves as the Technical Resilience leader for the Cyber Risk Services Infrastructure practice of Deloitte Risk & Financial Advisory. In this role, he helps clients improve their ability to withstand technology disruptions and cyberattacks. Pete has served as a board director for the Disaster Recovery International Foundation, and is a frequent speaker and author, most notably in the recent Ransoming government: What state and local governments can do to break free from ransomware attacks. Pete is also a self-proclaimed BBQ pitmaster and a proud graduate of the University of Dayton.

    • prenneker@deloitte.com
    • +1 513 833 6179

    Doug Powers

    Doug Powers is a senior executive within Deloitte’s Advisory Cyber Risk practice specializing in managed threat services to protect Internet of Things (IoT) and operational technology (OT) ecosystems. He advises our public and private industry clients to proactively visualize, reduce, and manage their global cyber risk. Prior to Deloitte, he served 25 years as an information warfare officer in the U.S. Navy. This unique career provided Powers with extensive experience in the areas of cyber threat intelligence operations, directing large scale, global cyber fusion and security operations centers, insider threat and vulnerability management, and leading cyber hunt, incident response, and forensics teams. For his capstone Navy assignment, Powers commanded Task Force 1020, as the U.S. Navy’s global cyber defense commodore, successfully leading their cyber defense forces through the largest defense operation in U.S. military history.

    • dpowers@deloitte.com

    Joe Mariani

    Joe is a research manager with Deloitte’s Center for Government Insights. His research focuses on innovation and technology adoption for both national security organizations and commercial businesses. His previous work includes experience as a consultant to the defense and intelligence industries, high school science teacher, and Marine Corps intelligence officer.

    • jmariani@deloitte.com
    • +1 312 486 2150

    Akash Keyal

    Assistant Manager

    Akash Keyal is an assistant manager within the Deloitte Center for Government Insights. He specializes in issues related to defense, security, and justice (DS&J) and climate change.

    • akeyal@deloitte.com

    Adam Routh

    Adam Routh is a research manager with Deloitte's Center for Government Insights and a PhD student in the Defence Studies Department at King’s College London. His research areas include emerging technologies, defense, and security, with a focus on space policy. Routh previously worked for the Defense Program at the Center for a New American Security (CNAS). Prior to CNAS, he worked in the private sector, where he facilitated training for Department of Defense components. He also served as a team leader with the US Army’s 75th Ranger Regiment.

    • adrouth@deloitte.com
