Officials from government organizations have told the Government Accountability Office (GAO) that they were “generally satisfied” with the ransomware prevention and response assistance provided by federal agencies.
According to the Department of Homeland Security, attacks using ransomware have at least doubled since 2017. Meanwhile, the Multi-State Information Sharing and Analysis Center found that state, local, tribal, and territorial (SLTT) governments experienced more than 2,800 ransomware incidents from January 2017 through March 2021.
In a GAO survey, the officials reported generally positive views on ransomware guidance, detailed threat alerts, quality no-cost technical assessments, and timely incident response assistance. However, they also identified challenges related to awareness, outreach, and communication. For example, half of the survey respondents who worked with the Federal Bureau of Investigation (FBI) cited inconsistent communication as a challenge associated with the agency’s ransomware assistance.
When assessing cooperation, GAO found that the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the U.S. Secret Service took steps to enhance interagency coordination through existing mechanisms—such as interagency detailees and field-level staff—and demonstrated coordination on a joint ransomware website, guidance, and alerts. GAO’s report notes, however, that there is room for improvement. The FBI established CyNERGY, an interagency database and coordination platform that offers federal cyber centers and other sector risk management agencies the ability to enter, view, and coordinate a whole-of-government response to targeted entities and victims of malicious cyber incidents. According to the FBI, while select early adopters used the platform, CISA and other relevant agencies did not use it. Meanwhile, CISA was in the process of piloting a dashboard to track reported ransomware incidents.
GAO discovered that the three agencies have not fully addressed six of seven key practices for interagency collaboration in their ransomware assistance to SLTTs. These practices include updating guidance and monitoring accountability. According to GAO’s analysis, the agencies generally addressed the practice of identifying leadership by designating agency leads for technical- and law enforcement-related ransomware response activities. However, the watchdog believes the agencies could improve their efforts to address the other practices. For instance, GAO found that existing interagency collaboration on ransomware assistance to state, local, tribal, and territorial governments was informal and lacked detailed procedures.
GAO determined that the shortfalls across the six collaboration practices were due to the lack of a mechanism that facilitates coordination of federal agencies’ ransomware assistance to SLTTs consistent with key practices. Further, existing interagency collaboration for SLTT assistance was informal and lacked detailed procedures. For example, officials stated that coordination occurred on an as-needed basis between agency detailees and field personnel.
The government watchdog has recommended that CISA, the FBI, and the Secret Service evaluate how to best address concerns raised by SLTTs and facilitate collaboration with other key ransomware stakeholders, taking into account its leadership of the new joint ransomware task force; and improve interagency coordination on ransomware assistance to SLTTs. The Department of Homeland Security, responsible for CISA and the Secret Service, agreed and said that CISA plans to use existing and planned efforts to address challenges and improvement opportunities identified by SLTT governments. Such efforts include addressing questions and providing information on available resources to SLTT organizations through CISA’s dedicated SLTT Partnerships team and field-based cyber state coordinators. In addition, CISA is considering additional service offerings through a cooperative agreement that may help smaller entities with limited resources.