- IBM-sponsored research shows that while 73% of U.S. state and local government employees are worried about ransomware, just 38% say they have been trained to handle it.
- A Department of Homeland Security agency says it is working "hand-in-hand" with state and local employees to prepare for ransomware and other threats to the 2020 elections.
- Government auditors say the agency has not communicated well enough with the state and local officials.
- The official in charge of preparing state and local officials for ransomware election attacks told a cybersecurity conference this week "we can figure it out together," but conference-goers have doubts.
- Visit Business Insider's homepage for more stories.
New research released today by IBM shows that while 73% of US state and local employees are worried about ransomware attacks, just 38% say they have been trained in how to respond to them.
Ransomware attacks, which encrypt an organization's data and demand payment to make it available again, hit 174 US municipal organizations last year, according to research by the cybersecurity company Kaspersky, a 60% increase from 2018. The Department of Homeland Security says ransomware attacks on state and local computer systems are a key concern when it comes to the issue of protecting election systems from hackers.
The IBM research shows 26% of the government workers say they have received no cybersecurity training at all.
In related research from Google, 60% of politicians and their staffs said they hadn't upgraded their computer systems since the last presidential election. Forty percent have clicked on a malicious link in a "phishing" attack email scam, the Google study found.
'A huge gap between concern and readiness'
"There's clearly a huge gap between concern and readiness," said Wendi Whitmore, an IBM vice president who oversees cybersecurity threat intelligence.
Cybersecurity training to prevent ransomware attacks and other election hacking has been a major initiative of the DHS's Cybersecurity and Infrastructure Security Agency.
Whitmore noted that election systems across the country represent a vast and diverse "attack surface" of different computer systems that are "nearly impossible for one agency to centrally organize." IBM said it did not draw any conclusions about the effectiveness of federal programs in preparing state and local agencies for election hacking.
CISA Director Christopher Krebs said this week at the RSA security conference in San Francisco that his agency is working closely with state and local law enforcement to prevent election hacking such as ransomware attacks on voter-registration databases, saying, "We can figure this out together."
Agency cites success working with state and local officials
The 2020 DHS budget for Krebs' agency allocated $22.3 million for state and local government cybersecurity assistance.
The 2021 budget's summary of those programs says, "in preparation for the upcoming 2020 elections, CISA has worked hand-in-hand with Federal partners, State and local election officials, and private sector vendors to defend elections infrastructure. Over 500 CISA employees supported election security preparedness nationwide, including providing free technical cybersecurity assistance, information-sharing, and expertise to election offices, campaigns, and technology vendors."
But earlier this month the General Accountability Office, Congress's auditor of government agencies, criticized CISA's election security programs for not adjusting its services to meet "the resource and time constraints of customers such as local election jurisdictions," communications issues with election officials, "a lack of clarity regarding CISA's incident response capabilities in the event of a compromise that exhausts state and local resources," and other issues.
Cybersecurity professionals at the RSA Conference this week – where 2020 election is a key concern – raised doubts about readiness to address election-hacking.
'We are really, really ill-protected'
"We are really, really ill-protected," said Richard Bird, chief customer information officer at Ping Identity in Denver and a former security executive at JPMorgan Chase, who served as a local elected official in Ohio. "The IT teams within counties are seriously exposed to ransomware."
Federal coordination of local agencies will be the key in responding to election hacking, said Sam Curry, chief security officer of Cybereason, a Boston cybersecurity company that simulated the election hack of a city at RSA this week. "States and cities are going to call them," he said of CISA, the agency headed by Krebs. "That's one of their mandates."
Lawmakers have questioned if CISA has the staffing to answer those calls. Rhode Island Congressman James Langevin has said that CISA has been unable to fill cybersecurity job openings.
Langevin, a Democrat, said Wednesday that "the substantial cybersecurity-related vacancies at CISA are concerning considering that we must be vigilant and proactive about addressing cybersecurity vulnerabilities that pose a risk to the American people. It's difficult for any agency to operate efficiently with a lack of qualified staff."
The DHS jobs board shows more than a dozen openings for cybersecurity roles at CISA. "We're hiring," Krebs told the audience at the end of his RSA talk.
A CISA spokesman said Krebs was not available to comment and the agency did not reply to questions about staffing, training of state and local agencies, and election hacking.
'Could pay a price for it'
Curry, who staged the election hacking simulation, said he believed CISA "was working hard" to address threats. Langevin noted CISA "stood up a task force to address this issue" of depleted staffing.
Others doubted the ability of the federal government to protect elections or rein in computer users in office.
Stewart Baker, general counsel of the National Security Agency from 1992-1994, who was a speaker at the RSA Conference, said he was not particularly worried about local infrastructure attacks, and noted that "Elections are not a federal responsibility."
Baker said he was much more concerned with the campaign vulnerabilities, such as the 2016 Democratic National Committee hacking. Stewart said the many challenges of election cybersecurity extend all the way to President Donald Trump. "He's still using phones that are hackable," Stewart said of the president, who is known to communicate with close associates on unsecured lines.
"That's very dangerous, and he could pay a price for it," Stewart said.
A doxxing attack, in which someone's personal information and communications are accessed and publicly released, "could cost him the election."
