Bryan P. Sears//June 26, 2019
ANNAPOLIS — State and local governments may have to increase the amount of money they spend on cybersecurity efforts, according to one national expert.
Cybersecurity and concerns about attacks that could paralyze government services have drawn more public attention since a May 7 ransomware attack that crippled Baltimore City government computers. A joint legislative committee of the General Assembly Wednesday met for the first of at least three hearings on the subject of cybersecurity issues.
“Cybersecurity is a business risk,” said Doug Robinson, executive director of the National Association of State Chief Information Officers. “It needs to be taken seriously.”
Topping the list of threats, according to Robinson, is “continuity of government” in the face of increased ransomware attacks and “hacktivism” aimed at disrupting government operations, such as the one that struck Baltimore nearly two months ago.
Robinson warned that while governments have become targets only recently, such attacks are “going to continue to proliferate.”
Government officials need to adopt the mindset that cybersecurity will be an ongoing budget expense, he said.
“This is not going to go away,” said Robinson. “This is life going forward.”
Governments face problems with attracting and retaining top information technology employees because they can make more in the private sector. In Maryland, a budget analysis by the Department of Legislative Services noted the state lags behind other jurisdictions in its own salary ranges.
Private-sector companies spend 5-8 percent of their information technology budgets on cybersecurity, outstripping comparable government spending that tends to be in the 2 percent range, according to Robinson.
The federal government spends about 16 percent.
In the current fiscal year, five state cybersecurity employees oversee $3.5 million in related contracts totaling slightly less than 2 percent of the Department of Information Technology’s budget.
Gov. Larry Hogan’s fiscal 2020 budget included an additional $5 million for cybersecurity efforts.
“A lot of the talk today has been about security. Quite frankly, most everything we touch has a security aspect,” said Michael Leahy, secretary of the state Department of Information Technology.
The Baltimore attack shut down many government services and systems. On Wednesday, the Board of Estimates approved $10 million of city surplus funds to pay for ongoing recovery efforts. Early estimates from city officials place the overall cost of the attack to the city at $18 million.
City officials were scheduled to speak to lawmakers Wednesday but did not attend the meeting.
Such cyberattacks are becoming more common. On Tuesday, Lake City, Florida, paid $460,000 in ransom to regain control of its systems after an attack two weeks ago. The payment came a week after another Florida city, Riviera Beach, agreed to pay $600,000 in ransom and spend more than $1 million to upgrade computers and other hardware.
The attackers reportedly asked Baltimore for $80,000. City officials have said there were some concerns that paying the ransom would not result in regaining control of its systems.
Cybersecurity experts Wednesday told lawmakers that cyberattackers rarely fail to release systems after ransoms are paid.
“The game continues to change,” said Robinson. “No matter what the states are doing, the bad guys are operating 24 hours a day.”