As governments shun ransomware payments, cyberattacks may cost taxpayers even more

Rather than pay $20 million in ransom to a Russian hacking gang that took dozens of government and public entities offline for two months, Costa Rican officials sought other options. As the local economy reportedly bled about $30 million a day, much of it in lost productivity, Costa Rica set out to restore each attacked ministry, one at a time. Efforts are ongoing.

The response stands in sharp contrast to most other attacks on public entities, which — often on advice of their insurers and in a rush to restore public confidence — pay ransom because they determine it costs less and takes a shorter amount of time than other efforts to recover data or rebuild a system. In the last couple of years, the University of California paid hackers a ransom of $1.14 million; the city of Riviera Beach, Fla., handed over $600,000; and the town of Lafayette, Colo., made a $45,000 ransom payment. And the list goes on.

In fact, nearly half of the world’s government entities paid ransom in 2021, compared to just 32 percent of financial institutions. The average payment was $214,000, although many say it’s higher. That is a lot of taxpayer money being used to pay off hackers.

But the potential costs of these attacks are about to get higher.

In order to remove incentives for attacking amid the growing outcry of spending taxpayer money on ransom, some U.S. states have outlawed it, with more likely to do so. This is tied to the trend of companies in the private sector not publicly reporting ransomware attacks or payment of ransom, partly out of concern that it could further motivate future attackers, and also because victimized companies often don’t want law enforcement officials involved.

Banning ransom payments makes sense as far as removing motivations for hackers. But at the same time, if ransom fades as an option, government and public entities could end up paying more to mitigate an attack, as the case of Costa Rica shows. Another example comes from Israel, where a public hospital was banned from paying ransom, but still reportedly had to spend about $11 million of taxpayer and state money mitigating an attack last year.

Rather than focus on banning ransom payments, governments and public institutions need to be doing more to shield taxpayers from cyber attack expenses. And the answer does not lie in requiring increasingly expensive cyber security insurance or increased post-attack transparency.

Governments and public entities need to be smarter about the efforts and resources they commit to strengthening resiliency. They need to follow the model that the private sector is increasingly embracing, mainly following a real-world risk-based approach to defense in addition to complying with government or industry standards.

Governments and other public institutions, like libraries, schools and medical centers, should carry out regular risk quantification and cost of breach assessments, and be able to put a dollar value on cyber exposure, just as many companies do. This allows them to see how much taxpayer money and assets are at risk, to make sure they are spending in the right places to truly increase security, and to budget accordingly in case of an attack.

To make the best decisions about what to protect, government and public entities need to be engaging in constant threat hunting, in order to identify and respond to emerging threats, and testing their security with ethical hacking. The public deserves to know that its tax dollars are used efficiently and effectively when it comes to cybersecurity spending.

Because attacks are inevitable, there needs to be a well laid out cyber response plan, in terms of incident response, training and simulation, including how to achieve a comprehensible status report within the required time and how to best communicate with the press.

This part of an attack — and the valuable amount of time and public money spent on it — is actually in the hands of the victim, and should be as efficient and effective as possible. If done well, this stage of response can also help the organization better defend against future attacks.

In addition, government agencies and branches need to have their data and activities under a central defense structure. For example, organizations need to comply with standards put forth by CISA, but CISA also needs to better understand each sector and where it fits into the overall cybersecurity landscape, and what needs protecting in order to implement an effective defense.

The recently enacted State and Local Government Cybersecurity Act, which is designed to improve coordination between CISA and state and local governments, allowing them to share tools, procedures, and information more easily, is a step in the right direction. Another new law, The Cyber Workforce Program Act, which allows U.S. federal cybersecurity and IT workers to rotate roles and jobs across government agencies, will also help in developing a more centralized approach. But other tax-funded or public infrastructure — such as hospitals, schools, and utilities — that are not directly part of the government need to be fully included in such agreements and other cyber security mandates.

While these new federal initiatives are admirably aimed at improving cybersecurity, more needs to be done in terms of protecting the public from the costs of attacks.

At this point, the public and the government are asking more of companies when it comes to responsibility and accountability for cybersecurity. For example, proposed new SEC regulations seek to increase cybersecurity disclosures to shareholders. We should also be asking more of governmental and public entities themselves — especially as paying ransoms fades as a legal or ethical option.

Elad Leon is a cyber intelligence analyst and senior CTI expert at cyber security firm CYE. He previously served as a cyber intelligence analyst for the Israeli Ministry of Defense.