To Pay or Not to Pay? What Citizens Think Governments Should Do When Responding to Ransomware Attacks

The May 7th ransomware attack against Colonial Pipeline Co. highlighted the vulnerability of America’s critical infrastructure to acts of cyber-aggression. The attack—which resulted in the payment of a $4.4 million ransom to the criminal hacker organization known as DarkSide—disrupted the pipeline’s operations, leading to a surge in fuel prices and panic-buying-induced gasoline shortages throughout many eastern states.

Severe as the Colonial shutdown was it was just one in a growing number of attacks against America’s government and our nation’s critical infrastructure, including the health care industry.

According to recent estimates, government agencies and jurisdictions in the United States have experienced nearly 250 ransomware attacks in the past three years, costing roughly $50 billion in combined recovery costs and productivity losses. On top of these tangible costs, ransomware attacks can interrupt or disrupt critical public services and infrastructure, including water utilities, emergency communication platforms and airports to name a few, and those costs are incalculable.

Perhaps unsurprisingly, local government jurisdictions have proven to be particularly vulnerable to ransomware attacks. The expansion of digitally supported public services, coupled with limited staff and resources, make local agencies easy targets for cyber-exploitation. While agencies at all levels of government are hard at work in adapting to emerging cyber-threats, many will continue to face a difficult question: to pay or not to pay?

It’s been rightly noted that the payment of ransoms is likely to encourage additional cyberattacks, all at the expense of taxpayer dollars. However, savvy cybercriminals typically levy ransoms that pale in comparison to the costs of system recovery. Using this calculus, paying a ransom is typically a faster, easier and less expensive route to restoring critical public services. As part of a recent public policy survey, we asked residents of Florida—a state whose local governments have been particularly hard hit by ransomware attacks—how they felt local agencies should respond to these cyberattacks.

The survey, which included a representative sample of 600 adults, posed the following question to respondents: In recent years, several local governments in the state of Florida have suffered cyberattacks known as “ransomware”. These attacks can disable online systems—such as public utilities and emergency communication platforms—until a “ransom” is paid to the cyberattackers. Some experts believe that paying these ransoms is necessary in order to ensure the continuity of public services, while others believe that paying them encourages future cyberattacks. In your opinion, should local governments in Florida be allowed to pay ransomware attackers if they suffer a cyberattack?

The results suggest that most citizens oppose the payment of ransoms by local government agencies, even at the cost of interrupted or disrupted services. A majority of respondents (56.5%) said that “the state of Florida should outlaw ransomware payments by local governments to deter future attacks.” In comparison, only 21.2% felt that “it should be up to the local jurisdictions if they want to pay off ransomware attackers,” while 22.3% were “unsure” of the correct government response.

While an outright prohibition on the payment of cyberattack ransoms—whether at the state or federal level—may appeal to our higher sense of justice, its impact is uncertain, especially in the short term. A uniform, legally mandated prohibition on the payment of ransoms could potentially deter future attacks in the medium and long term, though in the short term it would likely result in a dangerous game of 'cyber-chicken' as hackers test the resolve of legislators, public administrators and the public.

Additionally, any such prohibition would require a significant allocation of state or federal resources to financially backstop municipalities for system recovery in the case of an attack. On the heels of the Covid-19 pandemic, this is a budgetary commitment that Congress and many states may not be prepared to make.

In the meantime, size and resource constraints will continue to leave local governments and parts of our critical infrastructure particularly vulnerable. However, there are real steps that government, providers of critical infrastructure and health care facilities can take to mitigate cyberthreats. Investing in robust, compartmentalized IT systems, as well as steps to establish a more robust and vigilant ‘cybersecure’ culture, can act as a deterrent by making these organizations a more challenging target for cybercriminals. A recent report from Deloitte’s Center for Government Insights underscores this point, while also highlighting several important steps in this direction. These include, among other things, adopting policies and practices (both formal and informal) that “prohibit checking email or playing games on critical devices.”

Creative solutions—such as cross-jurisdictional talent sharing and risk pooling, as well as state level cybersecurity coordination and collaboration—can also help local jurisdictions overcome the resource and talent gaps that leave them vulnerable to exploitation. However, even more importantly, more senior leadership attention to the internal cultural aspects of cybersecurity—to include more aggressive cybersecurity training and education, frequent testing and war-gaming, early reporting mechanisms and incentives, can eliminate many threats before they arise.

For example, it’s been reported that the attack on Colonial Pipeline was the result of a single, inadvertently leaked password. However, such ‘soft’ attack vectors are far too common, a product of a less-than-optimal organizational culture that offers cybercriminals an easy ‘way in’ to an organization’s critical networks, systems and data in the vast majority of breaches.

Bottom line: While ‘don’t pay ransomware’ is easy for taxpayers to say, it’s much harder for government agencies and jurisdictions to do, especially given some of the resource constraints and trade-offs they’re faced with.* At least in the short term, there are no easy fixes for the latter. The guidance we offer won’t be enough to eliminate entirely the growing cyberthreat faced by local governments. But they will help to raise the bar for cyberhackers, lower incident rates and keep more tax-payer dollars in the communities where they belong.

Note: The Florida Center for Cybersecurity, in conjunction with the Florida City and County Management Association, is preparing a survey of the state’s local government chief executives (mayors, city managers, county administrators) about their cybersecurity "preparedness" as a follow-on to their 2019 survey.