In 1991, Hurricane Andrew walloped Florida. By all historical accounts, recovery from the storm was a disorganized disaster. Because of a lack of preparedness, there was little post-event coordination and cooperation and citizens suffered.
In 2004, Florida was hit by four hurricanes in two months. Because of an emphasis on preparedness, cooperation and coordination improved considerably.
State officials in Tallahassee leverage a central command center to manage response efforts statewide while integrating national assets. Florida’s efforts in emergency management were so well done that state director Craig Fugate became the head of FEMA following the national mismanagement of Hurricane Katrina response and recovery.
Today, Florida faces another threat. Instead of coming from the sky, this new threat is coming from computer networks. From aerospace to amusement parks, federal buildings to financial centers, military bases to medical facilities, Florida contains many prime targets for hackers.
According to the 2018 Florida State of Cybersecurity Report, “Florida is currently third in the nation for cybercrime incidents, victims, and losses reported to the FBI.”
In response to the threat, Florida’s military and national government entities such as Central Command, Special Operations Command, and NASA have all fortified their networks. Likewise, so have national banks and hospitals.
But Florida’s small companies and local governments still remain at risk.
In June 2019, three Florida towns, Key Biscayne, Lake City and Riviera Beach, were hit with ransomware. Access to the files on their computers was locked by hackers using complicated malware once used exclusively by the North Korean hacking group “Lazarus.”
This malware is now obtainable and usable by hacking groups worldwide.
While many cybersecurity experts and the FBI have advised against paying ransoms, insurance companies have overruled the experts and told cities to pay their attackers.
Instead of taking a chance with programs that may decrypt files and make hackers’ demands null, Lake City paid over $460,000 in bitcoin to its attackers; Riviera Beach spent $600,000 to settle with the hackers and sped up over $900,000 in new system purchases; and (to date) Key Biscayne has not decided whether to pay the hackers who are holding its systems hostage.
Even without accounting for Key Biscayne, Florida taxpayers paid over $1 million in disaster recovery.
Allowing cities and municipalities to negotiate cyber ransoms on their own is a terrible idea. It is akin to letting a town control its own Category 5 hurricane response. (Ironically, according to reports, Riviera Beach’s disaster recovery plan was more focused on hurricanes than ransomware.)
Even if malware is contained to a single network, no municipality should make independent cyber-defense decisions. Allowing cities to negotiate with hackers is similar to a municipality negotiating with terrorists or negotiating their own international treaties.
As with hurricane response, a single response process should be pushed down from the state level to the county level to each city and municipality. All of Florida should be on the same page.
The best hackers enter systems undetected and delete their tracks. Advanced hackers also insert or modify code, so it appears as if other groups were to blame.
Even the best computer forensic analysts have a difficult time determining the origin of attacks. Understanding the intent of international hacking threats requires the combined skills of experienced cybersecurity, organized crime and geopolitical experts.
Local governments lack the threat intelligence and expertise to deal with these threats. Paying hackers based on the recommendation of insurance companies — who probably also lack the depth of intelligence and expertise — only emboldens hackers and does little to prevent the threat.
There is currently an all-hands-on-deck attitude toward cyberdefense. Florida universities and independent organizations are training cybersecurity professionals as fast as possible. Other efforts include initiatives such as the Cyber Defense for SMBs run by Cyber Florida, which helps small businesses recognize the cyber threat.
At the most organic level, companies are training personnel not to click suspicious links. But while people are rushing to the front and manning the defenses, Florida also needs to ensure it has a unified disaster response plan.
Florida had years to develop a better response plan after Hurricane Andrew. Florida doesn’t have years to develop a unified strategy to minimize damage from hacking.
Due to the nature of its targets, Florida must act quickly to develop the best statewide cyber disaster response procedures possible, so cities, towns, corporations, and citizens are not on their own to defend or negotiate against the global storm of cyber threats.
If only hacks were as easy as hurricanes.
___
Michael Lortz is a threat consultant in Tampa. He has experience providing intelligence and insight to state, national and international operations. Lortz is involved in Tampa’s cybersecurity community and has developed and documented intelligence processes for US Central Command.