Governments are dealing with a big spike in cybercrime, and as international ransomware attacks escalate, state and local governments are being increasingly targeted. Texas is not immune to the trend, and state Chief Information Security Officer (CISO) Nancy Rainosek provides a unique look at how the Lone Star State is reacting to the crime wave with a blow-by-blow description of a serious ransomware attack.
During a Feb. 10 Cyber Defenders virtual event organized by NextGov, Route Fifty Editor Alisha Powell Gillis interviewed Rainosek about the attack, with a focus on how Texas’ experience exemplifies how state and local governments are reacting to cyber assaults.
Gillis acknowledged that cyber incidents don’t respect borders, and international cybercrime attacks not only affect the Federal government, but state and local governments as well. “According to a recent report Route 50 covered on cybersecurity, foreign governments rank third on the list of security threats, with international cyber-attacks continuing to target government entities,” she said, and asked about how and why state and local jurisdictions are being targeted?
2019 Texas Attack
“In August of 2019, we had 23 local governments that were impacted by a ransomware incident which started on the morning of August 18,” Rainosek said. “It was a Friday morning and my deputy CISO called me. I used to joke that whenever he called on a Friday it wasn’t going to be a good day,” she said.
And this would turn out to be one of them, Rainosek explained. At the time there were 10 local governments that were impacted. As the morning wore on, the incidents affecting local governments kept rising. Eventually, the attack hit the supervisory control and data acquisition (SCADA) system of one of these governments – impacting its water district and their ability to monitor water supplies.
“So my boss talked to Governor Abbott, who issued the first statewide disaster declaration for a cyber incident,” Rainosek said. “This enabled us to join our Texas Department of Emergency Management, Department of Public Safety, and the Texas Military Department to respond and begin assisting these 23 local entities.”
The team then went to the state operations center which is used for major threats. “The center is a bunker that was essentially built for the Cold War. It’s three stories under the ground, and they use this facility for things like hurricanes, floods, and fires,” she said. Several years ago when Hurricane Harvey hit Texas, the team spent the next 60 days working from the underground facility.
In response to the cyberattack, the Texas officials began sending teams out to the field to help each of these local governments respond. It turned out that the attack infected a managed service provider, and the state team then pivoted from that provider and turned its attention to the company’s customers.
“Many of these local governments didn’t really have an IT shop,” Rainosek explained. “So it was very important for us to get boots on the ground to have people go out and shake the hands of the chief of police or the sheriff or the city manager and let them know that ‘Hey, we’re from the state and we’re here to help you out.’”
Ransom Denied
This cyberattack took the form of ransomware, and the cybercriminals were demanding $2.5 million to call it off.
“We don’t believe in paying ransom,” Rainosek said. “We feel like that funds criminals and encourages further crimes, and so no ransom was paid. We were able to then send our teams out to the field. And we had all these folks back to full recovery and operational within a day,” she said.
By the following Friday, the state team was essentially finished with its work. “We didn’t want to raise a big flag and say ‘Yay’, although we thought it was a pretty significant and successful response,” Rainosek said. “We also left endpoint detection response software on their computers for another 30 days in case something was deeply embedded that we didn’t find.”
Fortuitously, the team was very fortunate that there was a computer at one of the local governments that had not been turned off – it was simply unplugged from the internet. “We were able to retrieve that computer. In the bunker in addition to our local or state partners we also had the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) and some other Federal partners in the state operations center with us,” Rainosek said.
The fact that they were able to find that machine is important because once you turn the machine off, everything that’s in active memory disappears. “So we had a real chance of catching whoever this person was that was behind the attack,” she said. “And we were really excited in November of 2021 that the FBI actually issued an indictment against the person responsible.”
Unfortunately, the alleged perpetrator is in Russia, and there is no extradition agreement to bring him back to the United States to face these charges. “But again, that’s a significant thing, because if he chooses to leave Russia and go to a country that we do have agreements with, then we can have him arrested. So we were really glad to hear that,” Rainosek said.
The Ransom Equation
An interesting aspect of this Texas example – and I’m sure one that is prevalent around the country – is since the state has a policy not to pay ransom, does that also preclude the localities from paying a ransom?
“Texas is federated,” Rainosek replied, adding, “we don’t really have a lot of control or oversight over local governments. So it’s really up to them. If they ask us, we say we don’t believe in it; however, their insurance companies get involved and unfortunately, some do pay ransom,” she said.
The state’s stance concerning paying ransom seems to be justified, certainly in this recent case.
“When you look at this incident, we added up what the state’s response cost, and it was less than half of the ransom that was requested,” Rainosek explained. “So again, it was cheaper to fix the problems and determine how they attacked all these local governments, and create solutions so that they couldn’t come back, versus paying somebody to get the data back.”