GAO finds inconsistent communication during ransomware attacks is a challenge for SLTT government agencies
The U.S. Government Accountability Office (GAO) was asked to review federal efforts to provide ransomware prevention and response assistance to state, local, tribal, and territorial (SLTT) government organizations. The report found that most government entities are satisfied with the agencies’ prevention and response efforts, though many cited inconsistent communication during attacks as a problem. With this in mind, the GAO has suggested that federal agencies address cited issues and follow key practices for better collaboration.
The GAO reviewed agency documentation from eight federal agencies to identify efforts to help these governments address ransomware threats. The report looks into how federal agencies assist these organizations in protecting their assets against ransomware attacks and in responding to related incidents, organizations’ perspectives on ransomware assistance received from federal agencies, and the extent to which federal agencies addressed key practices for effective collaboration when assisting these organizations. The watchdog conducted the performance audit from January last year to September this year in line with generally accepted government auditing standards.
GAO interviewed officials from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Secret Service, Department of Justice, Federal Emergency Management Agency (FEMA), Department of Commerce’s National Institute of Standards and Technology (NIST), National Guard Bureau, and the Department of the Treasury. It also talked to officials from government organizations receiving federal ransomware assistance who volunteered to share their perspectives. These officials represented governments from four states, eight localities, and one tribal nation.
GAO identified three federal agencies that provide direct ransomware assistance – CISA, FBI, and Secret Service – and assessed their efforts against key practices for interagency collaboration. The other federal agencies – FEMA, National Guard Bureau, NIST, and Treasury – provide indirect forms of assistance that support SLTTs’ efforts to address ransomware. Unlike CISA, FBI, and Secret Service, these federal agencies generally do not interact directly with SLTTs in preventing and responding to ransomware. However, each agency has ransomware-related initiatives or activities that may indirectly benefit SLTTs and contribute to the federal government’s efforts to combat ransomware across the nation.
To support its assessment, GAO reviewed agency documentation on collaborative mechanisms and efforts to coordinate assistance, such as joint alerts and guidance, incident coordination procedures, and interagency agreements. GAO also interviewed officials from the three agencies to clarify information about their collaborative efforts.
Additionally, the GAO interviewed officials from six national organizations. These groups included the National Governors Association, National League of Cities, National Association of State Chief Information Officers, and the National Association of State Auditors, Comptrollers, and Treasurers.
The CISA, FBI, and Secret Service provide assistance in preventing and responding to ransomware attacks on SLTT government organizations. To raise education and awareness, CISA, in collaboration with FBI, Secret Service, and other federal partners, developed the www.stopransomware.gov website to provide a central location for ransomware guidance, alerts, advisories, and reports from federal agencies and partners.
The CISA, FBI, and Secret Service focus on information sharing and analysis by collecting and analyzing security and ransomware-related information, such as threat indicators, incident alerts, and vulnerability data, and sharing it by issuing alerts and advisories. The CISA, through a cooperative agreement with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provides intrusion detection sensors to non-federal entities that reportedly analyze 1 trillion network activity reports per month.
The CISA and the MS-ISAC have provided review and assessment services upon request, such as vulnerability scanning, remote penetration testing, and risk assessments. Additionally, CISA, FBI, and Secret Service can provide incident response assistance to non-federal entities upon request.
GAO reported that the SLTT government officials interviewed were generally satisfied with the prevention and response assistance from federal agencies that include CISA (and products and services that it provides through a cooperative agreement with the MS-ISAC), FBI, and Secret Service. “Among other assistance, officials cited helpful ransomware guidance, detailed threat alerts, quality no-cost technical assessments, and timely incident response assistance.”
Although officials from SLTT governments generally had positive experiences with the federal assistance, they identified challenges related to awareness and outreach, and communication, the report said. Additionally, officials identified service enhancements, funding, and federal coordination as opportunities to improve federal assistance on ransomware, it added.
Federal agencies have reported on ransomware trends over time to monitor the threat to organizations, as these attacks are occurring at an alarming rate. Even so, data on ransomware attacks are likely underreported because federal agencies rely on voluntary reporting from SLTTs. The MS-ISAC, for instance, which tracks and responds to SLTT incidents on behalf of CISA, stated that its research found more than 2,800 ransomware incidents against SLTTs from January 2017 through March 2021. Further, the FBI’s Internet Crime Complaint Center (IC3), which obtains and analyzes reports of internet-related crimes from victims such as businesses and the general public, reported almost 2,500 ransomware complaints in 2020 and more than 3,700 in 2021.
The GAO report also said that with the increasing number of attacks, ransomware costs have also been steadily growing. According to CISA, the monetary value of ransom demands has increased over time, with some demands exceeding US$1 million today. Apart from the financial impacts from payments, ransomware attacks have other costs associated with recovering and restoring systems such as staff downtime while systems are inaccessible and the need to hire additional staff to restore data from backups or rebuild networks.
Although SLTTs were generally satisfied with ransomware prevention and response assistance, all 13 SLTTs and six national organizations cited challenges in the efforts of the CISA, MS-ISAC, and FBI, the GAO report said. Specifically, officials cited challenges with awareness and outreach, and communication.
Based on their experiences, officials from SLTTs and national organizations identified opportunities for improving federal assistance on ransomware. Among other suggestions, officials called for federal agencies to enhance services, provide opportunities for additional funding, and centralize federal coordination.
GAO reported that several federal agencies acknowledged that their efforts in these respects could be improved. “By taking such actions, the federal government has the opportunity to further strengthen the assistance it provides to the tens of thousands of SLTT organizations,” it added.
To their credit, federal agencies have coordinated on ransomware assistance to SLTTs and designated leads for technical- and law enforcement-related responses, the GAO reported. “However, the agencies have not addressed aspects of other key collaboration practices such as defining common outcomes for ransomware assistance to SLTTs, procedures for how detailees should coordinate, and processes for making decisions such as how and when to involve another federal agency on a ransomware incident. These and other shortfalls were due, in part, to the lack of an established mechanism for interagency collaboration,” it added.
The report also added that federal action to better address key practices for interagency collaboration will help better support the effective coordination that SLTTs need to address the pervasive ransomware threat.
With this in mind, the GAO made a total of three recommendations, two to the Department of Homeland Security (CISA and Secret Service) and one to the Attorney General. The Secretary of Homeland Security should direct the CISA director to evaluate how to best address concerns raised by SLTTs and facilitate collaboration with other key ransomware stakeholders, taking into account its leadership of the new joint ransomware task force, and improve interagency coordination on ransomware assistance to SLTTs.
It also suggested that the Secretary of Homeland Security should direct the Director of Secret Service to evaluate how to best address concerns raised by SLTTs and facilitate collaboration with other key ransomware stakeholders and improve interagency coordination on ransomware assistance to SLTTs.
GAO called upon the Attorney General to direct the FBI director to evaluate how to best address concerns raised by the SLTT agencies and facilitate collaboration with other key ransomware stakeholders and improve interagency coordination on ransomware assistance to SLTTs.
The agencies have concurred with the GAO’s recommendations.
Earlier this week, the CISA published a Binding Operational Directive that calls upon federal civilian executive branch (FCEB) agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability enumeration across their networks. The document assesses continuous and comprehensive asset visibility as an essential precondition for any organization to manage cybersecurity risk. It calls for accurate and up-to-date accounting of assets residing on federal networks to manage cybersecurity for FCEB enterprises.