Transcripts are generated using a combination of speech recognition software and human transcribers and may contain errors. Please check the corresponding audio before quoting in print.
Your network has been locked, you need to pay 30 million US dollars now. The following excerpt from Cyber Mayday was a real life negotiation between a ransomware gang and a $15 billion US company that was hit with a $28 million ransom demand in January of 2021. The victim company counters with 2.25 million, which was met with a scornful response by the ransomware criminals. Quote, "It is funny to watch your admins failing to install Microsoft Exchange Server. We've encrypted 5,000 of 6,000 of your servers. If we do some very simple calculations, if your expenditure is $65 per hour and 24 hours is spent to restore one server, multiplied by the number of servers encrypted, that is 10 million just on labor," end quote. It is interesting to note how these ransomware gangs have found an effective way to communicate the financial impact of business interruption caused by their cyberattack and demonstrate how their victims will cut their losses by adhering to their demands.
The ransomware criminals continued quote, "But don't forget that you spent all this time on installation and oops, you can't even restore any data because it's gone. Time is ticking and in the next eight hours, your price tag will go up to 60 million so either take our generous offer and pay us the 28 million or invest in quantum computing to expedite the decryption process," end quote. When the company asked for additional time, the crooks countered by writing back quote, "I don't think so. You aren't poor. If you f'ed up, you have to meet the consequences," end quote.
A day later, when the company finally managed to get authority to pay 4.75 million, the attackers agreed to lower their demand to 11 million on the condition that the remaining amount be paid within 72 hours. After a few additional messages, they came to an agreement where the attackers promised that the company would get the tool to fully decrypt the encrypted data, they would not launch any new attacks, they would give the company access to the data to delete it themselves and that the data would never be published or resold, they would provide a full report on their actions, how they got into the network, how the attack was carried out and tips for improving security to protect against other hackers.
That was an excerpt from Cyber Mayday and the Day After, co-authored by Dan Lohrmann, who will let us know how the story ends. Dan is field CISO of Presidio and former chief security officer of the state of Michigan. He started his career at the National Security Agency and has over 35 years in the security industry. He's authored three books and hundreds of articles for Government Technology Magazine. Dan will be joining today's show along with Nancy Rainosek, chief information security officer of Texas, where she led the successful coordination of the 2019 ransomware incident impacting 23 local governments. We'll discuss how local government can lean on each other on the state level for cybersecurity and ransomware response, go into detail on real examples of ransomware and what to do next and answer a few questions from members and staff.
Welcome to Voices in Local Government, an ICMA podcast. My name is Joe Supervielle. Nancy, Dan, thanks for joining us today to talk about ransomware and what local governments can do to plan, respond and recover.
Joe, it's great to be with you. Thanks for having us.
Yeah. Thank you, Joe.
The audience heard the excerpt from Dan's book, Cyber Mayday, but before we give them the thrilling conclusion, let's give a little bit of context and background on ransomware. We did an earlier cybersecurity podcast covering some of the basics but ransomware quickly popped up by our membership and our audience as what they wanted to hear about next. Nancy, Dan, can you jump in here and just give us a little bit of context on the scope, the seriousness? 2021 was a year of bad records and probably getting worse. Where do we stand now?
I'm happy to start. It was a bad year. You look at the numbers and I think there was a congressional report that it's hard to believe this Joe, but it's actually said that there was more ransomware in 2021 than the last 10 years combined. It was really, really scary. Lot of different attacks. I think it's global, it's hitting public, private sector. It's hitting all size businesses. There's nobody who's immune. Small government certainly, mid-size governments, large governments, businesses. It's pretty much ubiquitous. The numbers are scary but I think what's even probably, if you'd say more scary, I don't want to use scary because there's good news we're going to talk about.
But I think the challenge is that the breadth and depth of the attacks, we think about Colonial Pipeline, we think about JBS Meats. We think about the Irish Health Service. Those were three big stories that just kind of dominated 2021, where it caused gas lines in southeast part of the United States. It really brought hospitals to their knees. It meant people couldn't have government services available to them. It really was a bad year and most predictions say that 2022 is going to actually be just as bad or worse. That's my view and sorry for the pessimistic start here, Nancy, but I'd love to hear your thoughts.
No, I feel the same way, Dan. It's a bad thing. It's out there. In Texas, it's hitting a lot of our local governments and school districts and we just need to make sure that they're equipped to respond and react when that occurs and hopefully beef up the cyber defenses so that it doesn't occur in future.
Let's also clearly define ransomware. I think most people understand it's when the attackers block access, kind of gain control and then demand the ransom, literal dollar ransom to let go but slightly more technical or how does it differ from other cybersecurity threats? Why is this kind of the biggest one or the top of list of what people need to address?
I'll take that one. Essentially they encrypt the data and then there's an encryption key that you need to decrypt it. When it first started, it was simply encrypting data and then charging a price to get that decryption key, so that organizations could get their data back. It has now gotten worse because now they will actually steal the data so that if you refuse to pay for the key to decrypt, they will also threaten to publicly post the information that they have gotten access to.
We're going to get into some real examples. Dan, why don't you pick up where the excerpt left off on the ransomware story, on the back and forth between the bad guys and the business and this case. What happened? Did they end up paying it? Where did that leave off?
Yeah, so ultimately Joe, the company did pay $11 million ransom and the criminals assured them that they would not attack or help anyone to attack their network moving forward. As you and I were discussing earlier, I come from NSA, the background is you don't know what you don't know. So far so good if you will, at least publicly. Supposedly there hasn't been any release of that data that we know about. Obviously, we don't know what the future holds, nor do we know who joined what hacker gang or who moved around and that kind of a thing. It was a scary story there in chapter five and it's really a one that is too often the case, back and forth between companies and the hacker group. And oftentimes people aren't prepared, they don't have the different things they need to have in place, whether that be the best of the negotiation piece but also they don't often have the contractual pieces in place to respond to incidents and that kind of thing. It's pretty typical of what's going on in the industry, certainly for the major ransomware.
Another example you had was the Northeast blackout of 2003. Tell us a little bit about that, the kind of the background, maybe in hindsight what went wrong and what could have been prevented and then how the response went.
It takes us a way back. We have stories in the book really that go back almost 20 years and it was basically in August and I was the Michigan Department of Information Technology's emergency management coordinator. That was my role. When the blackout happened, I think many people probably know, many states were hit. Power was lost not just in a good chunk of Michigan, but Northern Ohio, New York, parts of Pennsylvania, it really was widespread. And I remember being in the room, Landmark Building in downtown Lansing when the lights went out on that hot August day. And it was kind of surreal walking out on the streets. The lights were all out. There were traffic jams, people beeping. Took me a half an hour to get out of the parking garage. And I remember driving back, finally, literally listening on the radio as I'm driving out of Lansing and they were saying, "Is this a terrorist attack?"
The early days of any kind of emergency, information is so key and who you're going to trust and where are you going to go? And remember, this was only about two years after 9/11 so people didn't really know. Obviously it turned out not to be terrorist attack and turned out, for those who wonder, it was caused by big storm and the trees going down. Interestingly enough, there's a side story, which there was a virus in the control room where they weren't able to see what was going on. It wasn't caused by any kind of cyberattack but there was computer problems that actually probably made it worse because they didn't have access to all their tools and really the visibility wasn't there. But I went to the State Emergency Coordination Center, all the agencies assembled there.
One of the things right out of the gate that we learned, about half the people we thought were going to show up, didn't show up for a wide variety of reasons. Some of them were on vacation, turns out the emergency management coordinator for the state was on vacation in Mexico so he wasn't going to be there. Person who ended up running the emergency, who later was colonel but at that time it was Captain Etue, Kriste Etue, who was the deputy emergency management coordinator. I ended up working with her. Who knows? 10 years later, she turns out to be, she's the director of Michigan State Police. You always meet people during these emergencies, you never know what's going to happen there.
But there was a lot of things we couldn't do. The number one thing in any emergency, how are you going to communicate? How are you going to get in touch with people? The phone lines were all jammed. And so there were people that had priority access. They had GETS, if you will call it that, where they had priority phone calls but people trying to get in touch with people. We were ready for that but people weren't available, people weren't where we thought they were going to be.
Couple quick lessons we learned. Communications, who you're going to call. Couple quick lessons I'd say right out of the gate is you never really anticipate that some of the challenges that you're going to have. We had scenarios that we talked about but we needed to get water from one side of the state to the other. That permitting was a big challenge. We couldn't update our web portal, which was actually we housed it in Boulder, Colorado. We had no connectivity out there. Another one was we had three data centers but only one had a generator. One of the top things of our list was we needed to get generators for the other two data centers. That became a high priority. We got Homeland Security grant money to do that. The next year it turns out because we had those generators in place, which we learned from, it turned out the next year when we had a big ice storm in mid-Michigan, we stayed up and we would've gone down had we not had those generators.
Communication, lessons learned, who you're going to call, who you going to talk to, all of those things were important lessons that affect any kind of, we call them all hazard with this fire, flood, tornado, natural disaster or a cyberattack.
Nancy, you've had experience with that in Texas, coordinating with local governments who often may not have the resources or the technology staff to handle this. Can you talk to the audience a little bit about they have these concerns, hey, I'm the manager of a local town. I don't even really know how to handle this or address this. I have an IT director, but we don't have a CISO or those sort of people. How do you coordinate and how do you help those local governments there in Texas?
Really in 2019 is when ransomware started springing up across different towns and governments in Texas and we had started to stand up, we've got a 24/7 hot line and we've got people skilled in helping any governmental agency in Texas in terms of ransomware. In 2016, our legislature passed a bill that required us to develop a statewide incident response plan. And when we started developing that, I was thinking more of the state government level. If a bunch of agencies got hit at the same time, which one will we help to restore first, et cetera. And little did I even envision what happened in 2019. And that was in August. August 16 my deputy CISO called and said that there were several local governments that had been impacted by ransomware. And as the morning went on, the number grew. And when it hit a SCADA system at one of these local governments, which impacted their water distribution, my boss called Governor Abbott and he issued the first statewide disaster declaration for a cyber event in Texas.
And the fact that we had developed this plan and we had worked on all the communication and we had over the two years, had formed a team of different people from different agencies, had tested the plan, had done tabletops, had really helped us in responding to that event. It ended up, we had 23 local governments that were impacted. Through the resources we had, through the Texas Military Department, the Department of Public Safety, the Division of Emergency Management and our staff and then Texas A&M University joined us, we were able to go out into the field and meet with each of these people, each of these towns. And it might be a sheriff, it might have been a city manager or a mayor and say, "Hey, we're here to help." And within eight days time, we were able to restore all of these governments back to operational.
We were very proud of the response we did. However, a lot of preparation work went into helping them. This was the case that you're talking about because it came through a managed service provider. And a lot of these places didn't have an IT staff even. It was very important that we got out there, we got out there quickly and were able to assist. I will tell you that when we did our hot wash afterwards, one thing that we talked about that we didn't cover was first off, dealing with the press and the media. We were just swarmed with calls from the media. And it was interesting along the way also to see how factual and unfactual it was in the things that were being published because this made international news. We helped these governments issue their press releases and determine how they were going to communicate with the public. But it's something that we're incorporating into our plans moving forward.
Another thing that we talked about was we had 23 end governments and with the resources we had, could we have handled 50 at the same time? Probably. Could we have handled a 100? I don't know. It would've taken a lot of time and effort. We're standing up other response mechanisms now so that should this happen again, we're even more ready to assist and bringing governments back on.
Yeah. There's so many moving parts when that happens, when it's that widespread, would a local government, Texas or otherwise in a different state, would it be a good idea for them to try and proactively or preempt the actual incident and try and coordinate with the state level or even amongst themselves in a region to get involved with those tabletop trainings and understand who's responsible for what and try and sort out as many of those pieces as possible. That way when the chaos hits, it's still going to be confusing and troubling but hopefully a little bit more organized and better prepared.
Very much so. I'll tell you, there was one, we did election assessments for 254 counties in Texas before the 2020 election and there was one county in particular where we had done the assessment and they determined that if the internet went down, if they had an issue, they might not be prepared to do the election. They went out and bought equipment and worked with their staff, got a call down list. And it just so happened on the Saturday of a special election, they were hit with a ransomware and they were very vocal about the fact that had they not had that assessment and received the information that they needed to be prepared, they may not have been as successful in doing the local election. However, because they'd had this assessment and because they had prepared in advance, they had the call down list, they had extra laptops that they could deploy, they successfully did the election while the entire county was under a ransomware attack.
It's really important that local governments think about what their priorities are, have an inventory of their systems and equipment and understand what would happen and what should come back up first, second, third so that they can continue to operate if by chance this bad event happens.
Yeah, there you go. That's a kind of a win or a success story. Dan was saying earlier how it seems like all gloom and doom but there are positive examples. There's one right there. Also probably like other things we hear about or it's in the news when it goes wrong or worst case scenario, but when it's blocked or the bad guys don't get what they're trying to get after, we don't hear about it, which is an internal win, but the publicity isn't there. Dan, do you want to add anything just kind of on the state to local interaction, what resources are out there, even in the private sector a little bit when the local government might need to outsource it or just kind of need some help because they don't have the staff or the expertise to even know what questions to ask, let alone necessarily putting them in place.
Yeah. Great question, Joe. And I just mention here, one of the things we do at the end of the book is we list literally hundreds of resources that are free or available. We can post some of those as well on the side, but NIST has a wealth of resources. Most states, you need to know who your state CISO is, chief information security officer, state CIO. Want to work with the counties and cities. In fact, the new grants that are coming out here in 2022 require that for a grant, working together, that's another topic for another day.
But there are a lot of great resources in different states. Certainly in Michigan tabletop exercises, they have statewide. A lot of the counties do participate. Quite frankly, a lot of the local governments don't have the opportunity because they just don't have the time and the resources to be able to go commit to something like that, like a day long statewide tabletop. But I know in Michigan and other states, they do include sometimes the hospitals or they include energy companies or in some cases, even auto companies. Other businesses at different years, they focus and also local governments and include them in those tabletops.
I just want to mention one other tip and Nancy did a great job. And by the way, Texas is really a national leader, give Nancy a lot of credit. She does a great job and has a great reputation nationwide. One thing, having a retainer in place. A lot of times people think, I don't have money, how would I respond in this situation if I need to get, whether get any kind of help, private sector resources or breach response or forensics done, maybe the state can help you, maybe they can't in your particular situation. I don't know. Every situation is different. I hope in many cases, I know in North Carolina, they do work where the states were able to help, like in Texas.
A lot of times, it could take a week or two just to get all the T's and C's, the terms and conditions worked out with the relationship with the private sections. We talked about managed services and what would you do if that incident hit? Or maybe not even necessarily having money applied to that contract but having that in place. It's like insert money here and now we can, boom, we can go get something done. We need to go get help on forensics or we need an incident response or some other function that we need. Thinking through those kinds of things in advance can be hugely important and really kind of scenario planning and having playbooks, as Nancy was talking about, for various scenarios. And know, what are you going to do if this happens? When this happens? You're never going to have exactly the perfect scenario, but those help. And even going back to the story I just mentioned about the blackout of 2003. We had a lot of scenarios based on after year 2000, Y2K, that we used.
Let's get to a few of the audience questions and this will tie into what you've already covered on a little bit, but coming from the local government, thanks for the audience, the members, the staff that helped out with this. Kind of getting back to that first story, what do you think the best official policy once this happens, should they pay? Should they not pay? Is it case by case? What do you think?
I'll start and Nancy can give her. This is a very difficult question. It's one that we talk about a lot. I personally don't think there's a one size fits all answer here. I think the best answer is to be prepared. Is to have good backups, have them tested, do all the things that Nancy's doing in Texas, basically prepare in advance so you don't have to pay. Of course, the best thing is to say, the easy thing to say is, "I'm not paying." Now, the challenge becomes in real life, if you have a business, you determine after the fact that it's going to take six weeks or who knows? Months to restore and maybe millions of dollars and you could pay the ransom for much less and be back up much quicker. Hopefully, not necessarily, because you don't know for sure you're going to get the key to unencrypt. There may be cases where you need to pay.
I use a good lawyer answer, it depends. It really, it's hard to just give a one size fits all answer. The best answer right now you're listening to this, you're a local government, prepare in advance. Have good tabletops, have good backups, have them tested, know what you're going to do, go through the scenario planning, look at the best practices that NIST has. Great guide is 800-61, NIST special publications. Go to the CRC, the computersecurityresourcecenter.nist.gov and look at those best practices. But I don't think there's any one answer. Dan Lohrmann doesn't think there's one answer to pay or not pay.
I agree with Dan. In Texas, our office official stance is we don't believe in paying because you're funding these guys to further develop their tools and giving them incentive to do it more. However, there may be instances, let's say a hospital gets hit where life and safety is an issue and that may lead you to make that choice. However, in most circumstances I would say don't pay because again, you're funding criminals.
Yeah. It's hard. No one's really going to just say, "Yeah, sure. Go ahead and pay." That's not what anyone would say but it's easy to have that stance until it happens to you. Is there a known release rate? Going back to the story, it's kind of hard to judge because just because it hasn't happened yet doesn't mean it won't but when entities, local government, state government or private business, when they have paid, is there a release rate where they at least get that key to decrypt the original problem even if the criminals potentially still have that data or can get right back in whenever they want?
Yeah. I'll give you a couple numbers here, Joe, but first of all, I say for any numbers around ransomware, it's very difficult because of this. Some caveats up front, some disclaimers, if you will. We don't know about all the ransomware attacks. And we do know that a lot of them are never reported. Back to NSA, you don't know what you don't know. How many cases don't we know about? And then we also know, even in the cases where people do pay, there's certainly a percentage. I've heard numbers around 10, 20%, that for whatever reason, it doesn't work or doesn't fully work. Other people have used numbers as high, I've heard of people 40 to 50%. But I think by and large, most of the community think that if you pay, again, not advocating that as I agree with Nancy, everything she just said, but that it's a bad business model for the hackers to not give you your stuff back because then the next time people aren't going to pay.
I'm a believer more in the 10% range, whatever. Or I know people that did pay, the key didn't fully work for whatever reason. They got some of their data back but all of it. Again, how do you define that fully in, fully out? But I will say one other metric that's really scary, again, I'm going to scare people with these numbers, but just if anything, hope it drives you to prepare and be ready in advance so you're ready if it does happen to you. The numbers came out in the United States, more than 30% of the businesses that are hit by ransomware are out of business within a year. It's even higher in the UK or higher in the UAE. United Arab Emirates is over 40%. Those were scary numbers. Again, based on what? Based on what population. But governments can't go out of business. This is not an option for us so we've got to get back up operational. But there are certainly two sides to these issues.
Another question came in, it says, "Should we have dedicated cybersecurity risk insurance coverage? And if so, how do we assess requirements for coverage? How do we select a policy? And just like a policy on anything else, cost versus coverage? How often should we revisit or reassess the policy? How does insurance possibly fit into this? Even if that means paying the ransom or if the insurance means paying for what it takes to kind of rebuild or revamp on the back end?"
Well, I'll take that. In Texas, a lot of us self insure. The prices are going up. The most recent things I've heard is from people that have actually gone to renew their policies is that the prices are doubling. The deductibles are doubling and the coverage is getting split, cut in half. It may not be as lucrative as it has in the past. There are a number of other factors you need to consider. Number one, when you do have cyber insurance, you have to go with the company for restoration that the insurance company designates so you don't always get a choice as to who's going to help you out in the event that you have ransomware. We've seen a lot of instances where the cyber insurance has really paid off for these local governments and has helped them come back on board.
Okay. Another question, I'll try and paraphrase this one, who is the best person, whether that's by title or skillset, to kind of be point person for this on staff? They say, "The city manager is non-technical, to put it politely," they said. "The IT director's overwhelmed with just day to day technology troubleshooting and cybersecurity may be kind of above their pay grade." The question boils down to the skillset or the title when it's not some of the obvious choices or they don't have the CISO on staff, who would be your recommendation when you're talking to these local government to kind of run point, even if it's not really their full day job?
I'll start and then I'll turn it over to Dan. I think it needs to be somebody that is in a position to make decisions and to call the shots. What comes back up first? How are you dealing with the media? All of those questions need to be answered and it has to be a decision maker and leader in the organization. Dan?
Yeah. And I just would add to that, whoever runs emergency management certainly needs to be intimately involved. And that might be the right person. In any government, if there's an emergency, they say all emergencies are local, which is somewhat true. It all starts locally. And so I'm not saying it's somebody who, fire, flood, tornado, natural disaster, maybe that person doesn't have the skillsets around cyber but then they need to get some help from some others. But they do have the skillsets around responding to emergencies and this is going to be an emergency situation. A lot of the call lists, who you're going to call, how you're going to contact people, all the things Nancy mentioned about the press, working with other organizations, the partnerships, they understand that.
And so that might be someone they want to consider is whoever they put in charge of that, if you don't have someone on the cybersecurity side or security side, who can be the point person. Remember that I know that even in most emergencies, like in Michigan we had the power outage. One of the big issues was generator fuel. We have contracts that in an emergency we're going to go to this person or that person or we're going to rely on whoever that may be, the fire department or whatever it might be. Those lists exist for every local government nationwide, for any, could be fires, floods, tornadoes, natural disasters and they have to respond to that. That may be a choice but I think it really back to my lawyer answer, it really depends on your individual situation.
It's not just the technical expertise, it's the emergency management you mentioned, the communication skills and as Nancy said, the decision maker has to be involved. Even if they're not understanding how these things are getting done, them chiming in on what needs to get done or what priorities order still boils down to them.
One thing I wanted to add is just be prepared. And so you need to have that decision made before the event happens. And so that's the important thing is understanding when the event happens beforehand, who's going to be in charge? Who's going to call the shots? Who's going to contact who? Et cetera, and be prepared before it happens so that you're not flying by the seat of your pants once a ransomware event occurs.
What law enforcement agency or level should be notified first, if something happens? And the second part was, can they actually help or is it just a formality? Which I think expresses the skepticism or maybe frustration that the staff or the local government aside, they're kind of saying, "Well, where is law enforcement?" I don't think they necessarily mean the local law enforcement, the FBI or whatever it is. The frustration that the criminals seem to be always one step ahead of the cops on the cyber front. What is that first move? If you're informed, hey, we've been hit with ransomware, who are you calling other than maybe the state level CISO like Nancy, how do they get law enforcement involved?
I believe that we contact the FBI. And if we go back to the August ransomware incident, we all assembled in our state operation center and the FBI team was sitting right next to us in that state operations center, helping us gather evidence so that they could take action should they have the opportunity. And in the case of our incident, number one, we were able to get a machine that had not been turned off. A lot of people's first act when a ransomware incident is happening, it's just to turn off all the equipment so that it can't do further damage. And when you do that, it erases what's in memory.
And so we were fortunate in our case that there was a machine that they simply unplugged from the internet but they kept it running. We were able to go pick up that machine, give it to the FBI and in November of 2021, they actually issued an indictment against a guy in Russia for perpetrating this crime. And so we don't have extradition rights with Russia. We may never get this guy but then again, he may never be able to leave Russia to go to some country that we have agreements with because he is wanted by the FBI for the incident that happened in Texas in August 2019.
And you kind of preempted that, the last question I had here, which is they wrote in, "I read that if there's a suspected or confirmed attack, should we literally unplug devices from ethernet cables and turn off Bluetooth to cut as many connections as possible, slash turn everything off?" It sounds like yes unplug but don't necessarily turn off. Is that right?
That's the way I see it, yes. Unplug from the internet but don't power the equipment down because there may be evidence that they can find through forensics to determine who actually perpetrated that crime and it is a crime. And that's why law enforcement's important and we've had a lot of ransomware in Texas. A lot of times we never hear who did it but there have been times when yes, they have been able to make arrests or at least make indictments against people that have committed these crimes.
The law enforcement, just wrap that up a little bit. It seems like the local FBI office, either on the local level or county, state, whatever it might be, but they are the first call there to get involved from the get go and hopefully they can help on the back end.
Well, that wrapped up all the questions from the audience. Thanks again for everyone sending it in. I wanted to remind the audience that we'll have some resources on the ICMA website on the podcast page. We'll link to some resources from the state of Texas and some of the helpful links Dan mentioned earlier from the book will also be on there. Cyber Mayday and the Day After is available on Amazon or wherever you buy your books from Mr. Dan Lohrmann. Nancy, Dan, thanks for your time today. Ransomware is not going to be solved easily, quickly or really maybe ever but there are tangible steps local government can do to help prevent it and at least prepare to recover and respond a little bit more effectively.
Thank you, Joe. Really great being on the show today.
Thank you, Joe. Enjoyed it.
Nancy Rainosek, chief information security officer of Texas
Dan Lohrmann, field CISO of Presidio
This episode begins with a short excerpt from Cyber Mayday and the Day After on a real ransomware negotiation with cyber-criminals. Then Nancy Rainosek, chief information security officer of Texas, and Dan Lohrmann, field CISO of Presidio speak on how local government can better plan, respond, and recover from ransomware attacks, as well as how to best coordinate with state or regional-level resources. Then we answer audience questions, including:
- If it happens, should we pay or not?
- What do the stats say on release rates?
- Our city manager is non-technical and IT is limited, who should be in charge of cybersecurity?
- What are best practices for involving law enforcement? And does it even help?
- When a serious attack is reported, should we power off all devices? (Spoiler: No. But disconnect from the internet, WiFi, and Bluetooth.)
Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions
National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide
NIST Computer Security Resource Center
Mutual Aid Agreement Framework