Imagine walking into a hospital for a scheduled surgery or to refill a crucial prescription, only to find that the entire healthcare system has been paralyzed by a cyberattack. This scenario recently became a reality for patients in Michigan and across the United States when Ascension hospitals fell victim to a ransomware attack. This breach disrupted clinical operations at 140 hospitals and numerous senior living facilities, forcing healthcare workers to revert to manual systems and causing significant disruptions to patient care. Stories like this one highlight the growing threat of ransomware attacks to our critical infrastructure and the urgent need for robust cybersecurity measures.
Ransomware is a type of malicious software that encrypts data on a victim’s computer or network, rendering it unusable until a ransom is paid to the attackers. It is becoming increasingly severe, with attacks targeting critical infrastructure across various sectors such as healthcare, energy, drinking water, transportation, and manufacturing. In 2021 alone, the United States reported a loss of nearly $886 million in ransomware-related incidents, a 68% increase compared to 2020 (GAO Report).
The sophistication and planning involved in these attacks make them a formidable threat to critical infrastructure. Attacks can come from hacker groups seeking to attack our nation. These attacks do not just cost money; they disrupt critical services and can even endanger lives. Across the country, state governments are beginning to focus their efforts on addressing cybersecurity concerns for critical infrastructure to combat this rising threat.
The Importance of Cybersecurity and Critical Infrastructure
Critical infrastructure refers to systems and assets vital to the nation’s security, economy, public health, and safety. The Cybersecurity and Infrastructure Security Agency (CISA) explains, “(t)here are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” When essential services are compromised, the consequences can be dire. Ransomware attacks on these sectors can have far-reaching impacts, affecting not just the economy but our safety and well-being. Because these services underpin American society, ensuring their security is paramount.
Real-World Impacts
Ransomware attacks have increasingly devastating impacts on the nation’s critical infrastructure. For instance, in 2022, the FBI reported that ransomware attacks hit 870 critical infrastructure organizations, affecting 14 of 16 critical infrastructure sectors. Four of those 16 critical infrastructure sectors experienced almost half of the incidents: critical manufacturing, energy, healthcare and public health, and transportation systems. An example of this occurred in 2023 when Pierce County Public Transportation in Washington State experienced a ransomware attack that disrupted agency systems and communications, with the attackers demanding almost $2 million in ransom. Healthcare systems are also particularly vulnerable; attacks have led to the cancellation of surgeries, disrupted emergency care, and diverted patient services. These incidents underscore the crucial importance of protecting these sectors from ransomware attacks.
State-Level Response and Recommendations
As ransomware continues to threaten critical infrastructure, state legislatures and their oversight partners have taken proactive steps to bolster cybersecurity. Some notable examples include initiatives by Washington State, Texas, and Utah, which each provide valuable insights into state-level responses to this pressing issue.
Washington State
In 2023, the Washington State Auditor’s Office (SAO) implemented the Cyber Checkup program, a comprehensive initiative that aims to evaluate the cybersecurity practices of state and local governments, offering a systematic approach to identifying vulnerabilities and improving defenses. The Cyber Checkup, offered by the SAO’s Center for Governmental Innovation, includes regular assessments, training for government employees, and recommendations for enhancing cybersecurity measures. Before the program, many local governments in the state were in a queue for an in-depth SAO cybersecurity audit, with wait times up to seven years. The Cyber Checkup program seeks to alleviate that demand at no cost. The checkup process is often completed in a month, and while it utilizes some “useful boilerplate” recommendations and standards, the program is being touted as a success. It is designed to ensure governments do the basics and implement 20 cyber safeguards based on standards set by the Center for Internet Security’s (CIS) Critical Security Controls Version 8. By providing these services, Washington State seeks to mitigate the risks of ransomware and other cyber threats at all levels of government, ensuring that critical services remain operational while also saving money.
Texas
In 2017, the Texas Legislature passed House Bill 8, known as the Texas Cybersecurity Act, which requires state agencies to develop and implement comprehensive cybersecurity plans and which established the Texas Cybersecurity Council to provide strategic direction and promote collaboration among state entities. The legislation came on the heels of significant oversight activity in the area, including hearings by the House and Senate Select Committees on Cybersecurity. These committees gathered input from stakeholders, including the Department of Information Resources and local government representatives. A 2019 statewide ransomware incident highlighted the need for enhanced cybersecurity measures, prompting the establishment of Regional Security Operations Centers (RSOCs). These centers, hosted at public institutions of higher education, offer real-time security monitoring, incident response, and cybersecurity training, providing hands-on experience for student analysts and addressing the shortage of skilled cybersecurity professionals. This initiative aims to create a cybersecurity baseline at no cost to governmental entities. Additionally, the state formed the Cybersecurity Incident Response Team and a Volunteer Incident Response Team to respond to cybersecurity incidents.
Utah
Utah’s Legislative Auditor General has introduced a High-Risk List, modeled after the GAO approach, as mentioned in last month’s blog post. This list identifies key areas of concern, including cybersecurity and data privacy, and provides targeted recommendations for state agencies. By prioritizing cybersecurity on this list as it seeks to modernize for the digital age, Utah underscores the importance of protecting sensitive data and critical infrastructure. The High-Risk List serves as a tool for state legislators to monitor and address vulnerabilities. Recent audits by the Office of the Legislative Auditor General found that Utah must increase cybersecurity training and improve management of personal information. One of the audits uses CIS controls and mentions the reporting done in Washington State, concluding that “(i)mplementing best practices can strongly reduce cybersecurity risk and decrease entities’ vulnerability to cyberattacks.” This audit emphasizes the importance of adopting recognized cybersecurity frameworks, improving communication between IT and management, ensuring comprehensive and regular training for all employees, conducting regular vulnerability scans, and maintaining up-to-date incident response plans. The Legislature created the Cybersecurity Commission within the Department of Public Safety in 2022 and believes that the Commission can help to ensure effective implementation of the recommendations in the audit.
Cybersecurity and States
These examples illustrate how state legislatures and other oversight-focused institutions across the United States are taking decisive action to address cybersecurity challenges. By adopting varied approaches, from legislative mandates to collaborative programs, states are working to protect their critical infrastructure and ensure the resilience of essential services.
The increasing frequency and severity of ransomware attacks on critical infrastructure highlight a pressing need for enhanced cybersecurity measures at both the federal and state levels. The devastating impacts of these attacks, from disrupting healthcare services to paralyzing energy and transportation sectors, underscore the vulnerabilities inherent in our interconnected systems. Safeguarding our critical infrastructure against cyber threats is not just a technological challenge but a strategic imperative. This effort requires coordinated actions, leveraging best practices and innovative solutions to protect the essential services that underpin our society.
State-level oversight initiatives provide valuable insights into effective cybersecurity measures. Texas’s House Bill 8 established the Texas Cybersecurity Council and mandated comprehensive cybersecurity plans for state agencies. Extensive oversight hearings and stakeholder consultations informed these robust policies. Washington State’s Cyber Checkup program systematically evaluates and improves the cybersecurity practices of state and local governments. Utah’s High-Risk List identifies key cybersecurity concerns and provides targeted recommendations for state agencies. These examples highlight the importance of legislative oversight in shaping effective cybersecurity programs. Moving forward, state legislatures must provide rigorous, regular oversight to ensure these programs are effective and adaptable. Our digital world will continue to evolve unpredictably, and state legislatures must proactively oversee cybersecurity efforts to create a safer, more secure digital environment for all.