Threat Intelligence Blog

Posted February 5, 2020

New year, not so new story: Government agencies are under fire from criminal hackers. But this year, the stakes are high. Two really big events are happening in 2020:

  1. The 2020 U.S. Census.
  2. A presidential election (bearing in mind that the cyber shenanigans of the last election are still very fresh in everyone’s memory).

The good news, at least on the federal level, is that the Department of Defense requested a 5% cybersecurity budget increase for fiscal year 2020.

But the unsettling truth, which has been made clear time and again in recent months, is that federal, state, and local governments are woefully underprepared to defend against modern cyberattacks.

Ransomware of Epidemic Proportions

In the last month of 2019, at least three cities were hit with devastating ransomware attacks.

First, there was Pensacola, Florida. The city’s government phones, email systems, and internet servers were rendered useless after ransomware-wielding hackers demanded $1 million in exchange for a decryptor. The city subsequently paid Deloitte $140,000 to figure out who may have been affected in the aftermath. Pensacola officials ultimately decided they would pay for identity monitoring services for 60,000 of the city’s residents. The city did not have a cybersecurity insurance policy.

Round two took place on Dec. 16, 2019, in Galt, California, a small Sacramento suburb. The city’s email server and phone systems were knocked offline, leaving its 26,000-plus residents unable to make non-emergency calls to the city. The city’s 100 or so workers relied on texting and personal email accounts for communications during this time. It’s not clear how much the incident cost the city, or how much (if any) was covered under an insurance policy.

One day later, the St. Lucie County Sheriff’s office in Florida was extorted by ransomware. As of Dec. 23, the network was still down.

And that is just in December. Other state and local governments that were affected by ransomware in 2019 include:

  • Lake City, Florida.
  • Riviera Beach, Florida.
  • Pascagoula, Mississippi.
  • Baltimore, Maryland.
  • 22 different towns in Texas.

In total, ransomware affected an estimated 103 federal, state, and local governments. This doesn’t include the 750-plus healthcare providers and 86 schools that were also touched by ransomware this year.

So why is this happening?

It could be a perfect storm of an increase in ransomware in general and the fact that many government agencies, particularly at the local and municipal levels, are simply ill-prepared to deal with these threats.

Then there’s the targeted aspect: Government agencies serve tens of thousands to millions of residents. This creates a warranted sense of urgency every time ransomware knocks important services offline, which leaves these agencies more likely to pay the ransom.

Hackers are aware of this. And, unfortunately, the overwhelming consensus among the cybersecurity community is that ransomware will be even more highly targeted in 2020.

2019 Was Tough on the Feds, Too

It’s not just state and local governments that struggled in 2019, and it wasn’t just ransomware.

In the first half of 2019, hackers breached three FBI-affiliate websites, and then uploaded documents containing personal information belonging to thousands of federal agents and police officers. About 4,000 unique records were compromised, including names, job titles, personal and government email addresses, phone numbers, and postal addresses. In this case, the breaches stemmed from apparent vulnerabilities in the affiliate sites.

A few months later, hackers used a $25 Raspberry Pi computer to breach NASA. The perpetrator broke into the Jet Propulsion Laboratory’s main network and stole 500 megabytes of data.

Within weeks of the NASA breach being reported, the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee released the results of a 10-month study about federal cybersecurity. It concluded that eight different federal agencies were putting themselves at risk by using outdated technology. For example:

  • The Department of Transportation was called out for using a 48-year-old system up until May 31, 2019.
  • The Department of Homeland Security was flagged for running Windows XP and Windows 2003, despite Microsoft no longer supporting these operating systems.
  • The Social Security Administration was branded a “persistent cybersecurity threat,” partly for using programming languages that date as far back as the 1950s.

Other troubling findings included agencies not issuing mandatory patches from their software vendors in a timely manner, and losing track of their hardware and software inventories.

This also comes at a time when many security experts are forecasting heavy numbers of nation-state attacks on critical infrastructure, in part because it’s an election year.

Where Does This Leave Us?

Clearly, there’s a lot to think about as we progress into 2020.

In many ways, the federal government has led the charge toward improved cybersecurity. We’ve seen this with the NIST Cybersecurity Framework for businesses, National Cybersecurity Awareness Month, and the recently founded Cybersecurity and Infrastructure Security Agency.

Nevertheless, the year ahead is an important one, and federal agencies will be under pressure from the media to invest in tools, technologies, and services that will holistically improve security posture.

Likewise, state and local agencies that have come under fire from rampant ransomware campaigns will need to do more than simply buy bigger cyber insurance policies.

And while we expect things to get worse before they get better, we are highly encouraged by recent cybersecurity technology advancements, some of which have originated within LookingGlass.

The only thing we know for certain is that government agencies will have their mettle tested in 2020. And if things go better this year than they did in 2019, we can all walk into 2021 with our heads held a little higher.



