On Sunday, August 17th, the state of Nevada suffered what is described as a ‘ransomware-based cybersecurity attack’, which resulted in everything from the Nevada DMV, to the state tax collection service, to SNAP going dark. It took around a week for the services to come back up, and in the meantime Nevadans went without. As the attack is still under investigation, things are looking worse than just a weeklong outage – government officials report some Nevadans may have had their personal data compromised, although how many and to what extent is as of yet unknown. It’s not the first – other states and even individual cities have been the target of ransomware attacks, whether the attackers intend to actually ransom anything or not! Experts say this has been the trend for the last year or so.
How did this happen? Why individual states as targets? Why is a group backed by the government of Iran attacking a single water station in Pennsylvania? It seems the target of ransomware has shifted away from money and towards personal information, and maybe towards simply causing havoc.
The truth is, peripheral government systems often lag behind their private business equivalents for a number of reasons. Seeing as cybersecurity is an arms race between criminals and potential victims, the spend needs to be managed on a risk/reward basis (“how much more secure will the next 100,000$ make us?”) instead of total security, which might not be possible to achieve given a determined enough hacking group.
For extremely visible targets, like government systems, they may have to go against other entire governments trying to hack into them, plus any group who doesn’t think they’ll get caught and prosecuted; for smaller, more localized targets, like a small business, less is needed because even a slight wall to get in will make other targets more appealing. What kind of hawk would go after a hedgehog if a tasty rat is also nearby? When it comes to private businesses, this strategy works, because there are other targets. The same is not necessarily true of public services. Could the state of Pennsylvania have ever hoped to fend off a group being funded by an entire country?
Government systems have the added disadvantage of not only being a highly visible and very valuable target, but also being funded by taxpayer money, which is distinctly different from a private company which is funded by profit or loans. There is a built-in lack of agility and a set of standards designed to prevent waste and fraud, but these standards don’t keep up with the lightning-speed hacking we’re seeing emerge in the AI era. The protection a given system needs might not be available because spending has to be cleared before it can be added, and in a government’s case, it can be a tough sell for the people who have the expertise vs. the people who control the purse strings, which is sometimes the taxpayers themselves. There are many instances where taxpayers have not voted for upkeep and then suffered having to pay to fix critical structure failures, like bridges collapsing; in essence, a state government has a large ransom pool and simultaneously ‘not enough funding’ to prevent being forced to use it, if the hack team is competent enough.
If you’re worried about your business, contact us – we can get you set up with anti-malware protections.
Sources: https://www.cbsnews.com/news/cyberattack-cripples-nevada-state-systems/
