Sunday, April 28, 2024

GAO: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support

Ransomware, malicious software that renders data and systems inaccessible until a ransom is paid, continues to wreak havoc on government operations and critical infrastructure. Its impact extends beyond financial losses to disruptions in healthcare services and in other critical sectors such as manufacturing, energy, and transportation systems. The urgency of combating this growing threat is underscored by the Department of the Treasury’s report, which put the total value of U.S. ransomware incidents in 2021 at a staggering $886 million, a 68 percent increase from the previous year.

The consequences of ransomware attacks are far-reaching, ranging from financial losses to the incapacitation of vital services, such as emergency care in hospitals. The Federal Bureau of Investigation (FBI) reports that in 2022, 870 critical infrastructure organizations fell victim to ransomware, impacting 14 of the 16 critical infrastructure sectors. Nearly half of these incidents occurred in four sectors—critical manufacturing, energy, healthcare and public health, and transportation systems. The actual scope of the impact remains uncertain due to the voluntary nature of reporting. To address this, the Department of Homeland Security plans to issue new reporting rules by March 2024, aiming for a more comprehensive understanding of ransomware’s repercussions.

In the face of this escalating threat, federal agencies responsible for overseeing risk management in critical sectors have initiated or planned assessments of ransomware risks. However, the adoption of leading cybersecurity practices within these sectors remains largely unknown. Federal agencies designated as sector risk management leads have yet to determine the extent to which the National Institute of Standards and Technology’s recommended practices for addressing ransomware have been adopted. This critical information gap hinders the effectiveness of federal agencies in collaborating on national efforts to combat ransomware.

Although most lead federal agencies have undertaken or planned assessments of cybersecurity threats, including ransomware, within their designated sectors, challenges persist. Half of these agencies have evaluated some aspects of their support to sectors in addressing ransomware. Notably, agencies have received and assessed feedback on ransomware guidance and briefings. However, none have conducted a comprehensive assessment of the effectiveness of their support, as recommended by the National Infrastructure Protection Plan. A thorough evaluation of effectiveness could address sector concerns related to communication, coordination, and the timely sharing of threat and incident information.

As the nation grapples with the evolving landscape of ransomware threats, this report highlights the need for a cohesive and proactive approach among federal agencies and critical sectors. Strengthening the adoption of leading cybersecurity practices, conducting comprehensive risk assessments, and enhancing the effectiveness of federal support mechanisms are pivotal steps towards fortifying the nation’s critical infrastructure against the scourge of ransomware.

Read the full GAO report here.

Matt Seldon
Matt Seldon, BSc., is an Editorial Associate with HSToday. He has over 20 years of experience in writing, social media, and analytics. Matt has a degree in Computer Studies from the University of South Wales in the UK. His diverse work experience includes positions at the Department for Work and Pensions and various responsibilities for a wide variety of companies in the private sector. He has been writing and editing various blogs and online content for promotional and educational purposes in his job roles since first entering the workplace. Matt has run various social media campaigns over his career on platforms including Google, Microsoft, Facebook and LinkedIn on topics surrounding promotion and education. His educational campaigns have been on topics including charity volunteering in the public sector and personal finance goals.