Cybersecurity, executive leadership and ransomware: To pay or not

Cybersecurity continues to rank as the No. 1 technology issue facing America’s local governments, according to the Public Technology Institute (PTI).

It’s why PTI and the Computing Technology Industry Association (CompTIA) hosted the National Symposium on Cybersecurity in Government last month in Washington, D.C. The symposium highlighted case studies and leading practices, and provided a forum for local governments and the cybersecurity industry to share how communities are balancing the need for security with the need for innovation.

We caught up with some of the local government attendees including Eddie Reyes, director of public safety communications for the Prince William County Police Department in Virginia. With over 26 years in public safety, from an entry level police officer to senior deputy chief of police at the Alexandria, Virginia, police department, to his current position, Reyes brings a plethora of experience to any discussion of law enforcement. His various roles regarding technology give special gravitas to his assessment of the cybersecurity challenges confronting local government.

Eddie Reyes, Prince William County Police Department
Eddie Reyes, director of public safety communications for the Prince William County Police Department in Virginia

“I focused my entire career on the technology aspects of law enforcement. As a police officer, I had the first video camera in a car and then when I retired I was deploying body worn camera programs for the police department,” he said.

Elevating cybersecurity awareness with leadership

I asked Reyes about the somewhat contradictory issue surrounding cybersecurity: By all surveys, it’s the primary concern for government IT officials, but getting the attention of executive leadership and appropriate funding can be a challenge. I explained that as California chief information officer back in the late 1990’s leading up to the Year 2000 issue, we had a similar problem. Where we were going to get the money for the mitigation efforts? I convinced the governor that a moratorium on new IT project funding was necessary until an agency’s Y2K mitigation efforts had been completed. And so we stopped funding new projects. I asked Reyes if that is something that they’re considering doing at the local government to find the funds that are necessary to address the cybersecurity challenges.

Reyes responded that while that’s something woefully needed, “Unfortunately, mandates like that are often frowned upon with municipal and state governments because they’re looked upon as unfunded mandates.” So each municipality in the national capitol region is at a different level of cyber protection because it just depends on the executive director of that municipality and the guidance and direction given to their CIO as to what level of protection they’re going to have.

Reyes admitted that consequently some local governments are vulnerable while others are bulletproof. “It just really depends on the leadership of the municipality and the attitude that they have towards cyber protection,” he said.

To raise the level of leadership’s appreciation for the problem, Reyes said it’s actually a bottom-up approach.

“You have to have your tip of the spear, your workers, bring these vulnerabilities to the attention of middle management,” he said. “And then, of course, it’s middle management’s responsibility to bubble that message up and demonstrate to the decision makers at the executive level exactly the vulnerabilities that are out there every single day.”

When a security team produces a report that says there were seven attacks last night and repeats a similar report throughout the month, it puts the issue front and center before the executive officers as to just how vulnerable their networks are.

“It’s important because this isn’t just something that is going to be a bureaucratic headache. We’re talking about lives here,” Reyes said. When systems go down in a public safety environment, it’s not just inconvenient. It’s far more important. “If those systems are shut down, then someone dialing 9-1-1 needing emergency assistance may not get through. A police officer pushing talk on his radio may not get through for the historical data about a dangerous house they’re responding to.”

The Public Technology Institute and the Computing Technology Industry Association (CompTIA) hosted the National Symposium on Cybersecurity in Government in Washington, D.C.

Operational systems crucial for local government

Another symposium panelist was Barry Condrey, CIO for Chesterfield County, Virginia, just south of Richmond. Condrey has 35 years in the IT industry, about half of which was in the private sector working for Circuit City and then a number of other business verticals. The rest of it has been in the public sector working either in state or local government.

His panel focused on ransomware and he was able to explain the issue very clearly.

“I always compare ransomware to the analogy where you’re at work and somebody goes to your house and changes the locks and bars the door and when you come home from work, you can’t get into your house. They’ve stolen your house and you have no way to get back in,” he said.

The technology side of ransomware involves someone coming in to your network and actually encrypting all of the files and all of the systems in your operation so that you have no access to them. The encryption is very sophisticated, and can’t be broken by traditional means.

“The only way to unlock the files is to restore a backup,” Condrey said. “Hopefully you’ve been diligent about testing and doing backups or you can pay the criminal for the key to unlock all of your files.”

Ransomware: To pay or not

An interesting phenomenon entering the scene is ransomware insurance. “Ransomware insurance is not so much insurance for ransomware as it is cyber insurance,” Condrey told us. Cyber insurance can cover a wide variety of costs. It can cover the cost from rebuilding infrastructure, to notification of citizens that information has been breached.

“Policies are very different depending on the riders and the coverage principles,” he said.

Barry Condrey, John Thomas Flynn
John Thomas Flynn, left, spoke with Barry Condrey, CIO for Chesterfield County, Virginia, at the National Symposium on Cybersecurity in Government in Washington, D.C.

Perhaps most significantly, cyber insurance can cover paying the ransom. You can be reimbursed depending on the policy.

“If you pay a ransom and what we’ve seen recently is insurance companies encouraging localities and policyholders to pay and pay early to overcome this because these things never get cheaper,” he said.

This advice from the insurance companies runs counter to what we’ve all seen over the years on various cop shows where ransom of any kind is strongly discouraged. In fact, the federal authorities as well as cyber vendors still maintain that paying the ransom will only encourage more ransomware incidents.

However, given the relative affordability of cyber insurance, the sometimes exorbitant cost and lengthy time required to fix the problem, and finally, the fact that insurance will cover most if not all of the ransom, makes the option to pay up certainly attractive.

“In a perfect world, no one should ever pay a ransom. Unfortunately, services need to be delivered to citizens,” Condrey said. When a government cannot issue building permits, cut checks or put out fires because its systems are locked up, the ransom decision is more complicated. According to him, 80% to 90% of what his county employees do on the job is totally technology-dependent.

“If you take their technology away, they can’t do their job. And as local government officials, we have to be mindful of that,” he said. “Sometimes the lesser of the evils is to restore the services and pay the ransom.”

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.