The Virginia Joint Commission on Technology and Science (JCOTS) met on September 20th to review several items, including a staff report on best practices for addressing ransomware. Though an ever-present threat, ransomware attacks on local governments have been increasing since at least 2019. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid to the attackers. When ransomware infiltrates a local government system, it can have devastating impacts such as occurred to the City of Baltimore in 2019. That attack was estimated to have cost the city $18.2 million to restore systems and make up for lost or delayed revenue. Closer to home, a 2021 ransomware attack disrupted the Virginia Division of Legislative Services a month before the General Assembly was scheduled to meet for a legislative session.
Mindful of these threats, JCOTS directed commission staff to review and report on best practices for addressing ransomware. The Commission had asked staff in previous meetings to also examine the practicality and impact of recommending a ban for public entities on paying ransomware attackers to restore access to systems such as in place in North Carolina and Florida. VACo and several other local government stakeholders asked to be, and were included in, the study group examining this issue. Current federal guidance does not recommend paying ransoms and these payments may be in violation of Treasury Department Office of Foreign Assets Control sanctions. However, a full ban on making payments ties the hands of public entities to respond quickly to attacks on mission critical assets such as healthcare systems or public utilities.
Commission staff reported that although the intent of banning payments of ransom is meant to discourage ransomware attacks, the evidence on whether this has been effective in reducing such attacks in North Carolina or Florida has been inconclusive. Staff reported that the workgroup recommended investing in frontline defenses that curtail ransomware attacks in the first place. VACo staff testified to the Commission expressing gratitude for being included in the study and urged the General Assembly to further invest in resources for local governments to bolster their own cybersecurity systems.
VACo Contact: Jeremy R. Bennett