‘Hygiene is core to everything’ on ransomware, San Jose CIO says
Just as ransomware attacks have become more sophisticated, the ways government IT organizations defend against and respond to them have had to mature as well, Rob Lloyd, the chief information officer of San Jose, California, said Monday. Speaking on a panel at San Francisco CyberTalks, a CyberScoop event, Lloyd said his city has in recent years increased its emphasis on cyber-hygiene and also revised its procurement processes to put its technology vendors to the test.
“When a purchasing request is put through, there is a checklist we go through,” Lloyd said. “We ask for an external audit of those solutions. When we do purchase things and see a risk, we do escalate what we ask for.”
While San Jose has avoided the fate of large cities like Baltimore or New Orleans, which have had their systems infected by ransomware, Lloyd said the waves of ransomware attacks against municipal governments elsewhere remain a cause for concern for his office. He said he and his chief information security officer, Marcelo Peredo, started keeping track of incidents in other cities last year, counting at least two local governments a week that went down for what he called “cybersecurity violations.”
StateScoop’s research data shows 124 ransomware attacks against states, cities, counties and public schools in 2019, similar to the pace Lloyd said he and Peredo monitored.
“At that point, your peers are talking about it too,” Lloyd said.
Lloyd said there’s a culture shift underway, though, that’s finally putting cybersecurity at the forefront of government operations, with agency directors pressing IT staff for better protections against ransomware and other threats.
“Even the willingness of the organizations to come along for the ride is higher,” he said. “We’ve got directors telling their IT managers to get a handle on things.”
Lloyd also offered advice that’s become an increasingly common refrain among state and local IT leaders: Develop a response plan that reads much like a disaster playbook, as the states of Texas and Louisiana did last year.
“The first thing you do [in the event of a cyberattack] is apologize because you weren’t better prepared,” he said. “Second is you activate an emergency, a declaration by your city manager or elected body, that we’re going to enact certain powers. Then you go to your script. Make a public statement, activate your contracts with crisis managers.”
He also reminded the audience that such responses are not singular efforts.
“We like to be first, but we like sharing just as much, so we have a lot of joint response,” he said, rattling off the FBI, Department of Homeland Security, corporate partners, utility companies and state government as those among the city’s partners.
Another panelist, Tonya Ugoretz, a deputy assistant director of the FBI’s cyber division, said organizations such as local governments and businesses should make themselves known to the bureau and to other federal agencies, like DHS’s Cybersecurity and Infrastructure Security Agency.
“No matter what size organization you are, get to know the FBI, CISA,” she said. “That will help you build that relationship, and it will get you on our distro for the products we are releasing all the time on topics like ransomware.”
Ugoretz said building relationships with federal agencies is also crucial in the event an organization is successfully attacked, and that ransomware victims should not hesitate to call the FBI, even if they elect to pay their attackers’ demands. (The FBI and other organizations recommend against paying ransoms, but several local governments have paid anyway.)
“We’re increasingly trying to be clear that if you have suffered a ransomware attack, you are the victim of a crime,” she said. “We are not there to investigate your response to that crime. We’re there to treat you as a victim.”
Lloyd brought his argument back to good cyber-hygiene, from employees knowing how to avoid phishing links that download viruses to IT organizations scanning and patching for vulnerabilities. He likened organizations that only act after an attack to heart-disease patients who take lots of medicine, but don’t change their diets.
“We still start with the human factor,” he said. “The number of devices and amount of continuous data being created is no longer humanly manageable or perceptible. Hygiene is core to everything.”