Law enforcement agencies are failing to protect government against ransomware attacks, according to a former security adviser to the UK government.
Paddy McGuinness OBE, who was deputy national security adviser for intelligence, security and resilience at the Cabinet Office until 2018, made the remark amid intensifying ransomware attacks on governments around the world.
Last week, the Austrian state of Carinthia halted passport services after ransomware infected 3,000 workstations. And this week, a ransomware attack on Somerset County in New Jersey prevented the local authority from accessing records created after 1977.
In total, 48 government organisations from 21 countries have been targeted by ransomware groups this year, according to new research from security provider Cyble.
These attacks reflect a failure by law enforcement agencies to protect government bodies – as well as businesses and private individuals – against criminal gangs, McGuiness told Tech Monitor. “We’re not being looked after properly at the moment.”
Ransomware attacks on governments are intensifying
Ransomware gangs appear to be stepping up their onslaught against governments, according to Cyble’s research. They are targeting “smaller nations to subvert government apparatus” and “nations with a relatively large cybersecurity exposure due to inadequate resources and spending”.
Until recently, attacks on critical national infrastructure have been the preserve of state-backed cyberattack groups, or APTs. But CNI is increasingly in the crosshairs from criminal groups too, Cyble noted.
Conti’s attack on Costa Rica bears a particular resemblance to APT attacks on nation states, the report observed. “Conti deployed various methods and tactics to target multiple government entities to force the nation into a state of national emergency,” it said.
Other countries whose governments have been hit by ransomware this year include Peru, where public sector bodies were targeted by multiple groups, and Malaysia, where four government entities have been attacked in five months.
This barrage of attacks has continued since last year. Four out of ten central government organisations globally, and a third of local government organisations, were hit by ransomware in 2021, according to research by security company Sophos. The average bill for rectifying a ransomware attack was $1.6m, it found.
Why are ransomware groups targeting governments?
This hit rate can be attributed in part to low security budgets and ageing IT systems at government organisations, says Alexi Drew, senior cyber analyst at think tank RAND Europe.
"The unfortunate truth is government organisations tend to find criminal access to their systems due to legacy equipment and the effect of poor investment over an extended period of time," Drew says. "We massively underestimate the amount of money that should be spent in keeping critical systems up to date.”
But organisations that fall victim to ransomware are often blamed for what McGuiness argues is a failure of law enforcement. "The government management of cyber[attacks] is prone to blame-storming,” he says.
“Rather than focusing on the attacker, they focus upon the victim and they seek to hold the victim to account through regulation or through a public kind of ignominy. None of that is particularly useful.”
Meanwhile, cybersecurity authorities have failed to address the criminal source of many ransomware attacks. "Too much of the discourse from governments, and from national technical authorities like the National Cyber Security Centre and others, is about nation state actors and criminals acting for nation states,” McGuiness says. “The reality is businesses and indeed local governments are attacked by criminals, not by states.”
"The rest of us are suffering from criminality against which government doesn't have many answers,” he adds.
Policymakers must address the threat of ransomware now, McGuiness argues, before post-pandemic budget cuts kick in and economic conditions worsen. "Over the next 12 months of real financial squeeze, supply shock, [and] inflation, the headroom to resolve issues with IT systems [will be] significantly reduced," he explains.
If a ransomware attack disrupts the food or energy supply, “we're going to feel it that much more because there is not going to be the same resilience”.
Drew argues that the ransomware crisis may need to get worse before policymakers can get a handle on it, however. "We don't have enough data to really work out what it is,” she says. “If we see more activities like this, targeted at a different level, with different thresholds of response, we can start seeing what the fallout is, what happens next."