Cyberattackers are coming for public safety; prepare now
Organizations and citizens have a “shared responsibility” to defend their data, computer hardware and software systems from ransomware attacks
The threat of cyberattacks, especially ransomware attacks, against public safety is real. In early June, Christopher Wray, FBI director, made clear the significance in a “Wall Street Journal” interview when he described malware and ransomware attacks as similar to the challenges posed to national security in the aftermath of the Sept. 11, 2001, terrorist attacks. Wray also said, “There’s a shared responsibility, not just across government agencies, but across the private sector and even the average American. The scale of this problem is one that I think the country has to come to terms with.”
All public safety leaders and personnel share the responsibility of understanding the risks of cyberattacks, educating themselves and taking action to protect their organizations, as well as their private information.
Public safety is a target
Ransomware attacks are increasing in cost and frequency. In the private sector, 37-61% of businesses report being attacked, with an average financial impact of $1.85 million and six days of downtime per attack. In a Police1 poll, 21% of respondents said their department had been a victim of a ransomware attack.
Public safety organizations, the local governments they are part of, and hospitals are a target-rich environment for attack because:
- Attacks on these organizations are sure to generate media coverage, can compromise essential services and can lead to a ransom payment to protect sensitive information and restore operations.
- Attackers may be motivated to attack public safety, especially law enforcement, in an attempt to embarrass the department or humiliate personnel by holding confidential information, such as police disciplinary files, for ransom.
- Attackers, especially novices, might seek out public safety organizations because too many departments have soft security protocols, a patchwork of out-of-date software and vulnerable mobile hardware systems in patrol cars, fire apparatus and ambulances.
- Public safety organizations may have invested less in prevention and preparedness while cyberattacks were focused on the private sector. As businesses and private industry harden systems against infiltration, attackers may turn their attention to soft targets.
- Public safety organizations have a statutory obligation to protect some of the information they collect and store, like electronic patient care records, which makes those records valuable to an attacker who threatens to release them if a ransom is not paid.
What public safety leaders need to know about cyberattacks
Wray has made clear that the threat of cyberattacks is significant. In the months and years after 9/11, fire, police and EMS organizations trained for new CBRNE threats, developed new protocols and procedures for investigating and mitigating those threats, and updated training requirements and programs. Ransomware attacks warrant the same level of focus and funding.
Ransomware attackers seek to take control of computer operating systems until a ransom is paid. The Colonial Pipeline systems were breached through a single compromised password from an inactive account. Attackers may also threaten to publish confidential or sensitive information, such as intra-organizational emails, personnel files or patient care records, unless a ransom is paid.
As public safety leaders consider the significance of the threat, keep in mind that service disruptions after software is compromised by a cyberattack can have short- and long-term consequences for an organization's operations. After an attack on the City of Tulsa, police officers had to write paper reports that were hand-delivered to the courthouse. Because computer systems were down, police were unable to respond to non-injury traffic collisions and firefighters used map books to navigate to calls. It may take days or weeks to restore computer operating systems, and months before the depth of the attack is fully understood and cyber forensic investigators can declare that all malware has been removed and systems are no longer vulnerable.
What leaders can do to prepare
Respondents to the annual EMS Trend Report acknowledge their organizations are poorly prepared for a cyberattack. More than half (56%) of 2021 respondents say their organization is “slightly prepared” or “not prepared at all.” This represents a slight improvement from 2020, when 64% of respondents answered either “slightly prepared” or “not prepared at all.”
The first preparedness step is to increase your knowledge of cyberattack methods, terminology, prevention tactics and response techniques. Here are some ideas:
- Attend the June 24 expert panel discussion, “Understand the risks and prepare your department for a cyberattack,” co-hosted by Police1, FireRescue1 and EMS1.
- Increase your knowledge of department cybersecurity prevention and response protocols by meeting with information technology staff and contractors.
- Monitor and understand the actions vendors take to secure your department’s data and software systems.
- Read this White House Memo to corporate executives and business leaders, “What we urge you to do to protect against the threat of ransomware.”
Next, cyberattack preparedness, defense, response and recovery represent a new budget line item for public safety organizations. If your organization hasn’t already begun to request funding for these new expenses, begin as soon as possible to budget for:
- Increased information technology staffing through additional employees or contractors
- Software as a service products to protect operating systems and hardware
- Cyberattack and ransomware insurance that may help investigate a claim, negotiate a ransom payment and reimburse for damages after an attack
- Additional expenses for cyberattack forensic investigations that may not be included in insurance coverage
- Operating reserve or a rainy-day fund that could be used to pay a ransom to restore software operating systems and secure data
Along with budgeting and increasing your knowledge of cyberattacks and cybersecurity, check on the content and frequency of training offered to staff. Training should include:
- Protection of usernames and passwords, as well as other best practices for data and software protection
- Recognizing a ransomware attack and the process for reporting an attack to department leadership and IT administrators
- Tabletop exercises for department leaders to respond to a ransomware attack
- Ongoing reading about ransomware attacks in public safety and other industries to understand attack tactics and how other organizations respond to a ransom demand
The time to prepare for a cyberattack on your department is now. Learn more from these additional resources:
A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force. Prepared by the Institute for Security and Technology