At a national summit, Louisiana Gov. John Bel Edwards said before his state could test a cyberattack plan, five schools were hit with ransomware.
States across the country are increasingly realizing that more needs to be done to prepare in advance of cyberattacks, according to Louisiana Gov. John Bel Edwards, who spoke at the National Governors Association's biennial National Summit on State Cybersecurity.
Edwards spoke in depth about his efforts to prepare Louisiana for any potential cyberattacks, highlighting his work in creating the Louisiana Cybersecurity Commission in 2017, and then another committee that built out a cyber incident response plan in 2018.
He brought together professors from LSU, law enforcement officials from the state police force and the national guard as well as private sector experts to help the state map out how things would work in the event of a cyberattack.
SEE: Identity theft protection policy (TechRepublic Premium)
"Two of the most critical actions that I took as governor were establishing the Louisiana Cybersecurity Commission and developing a statewide incident response plan. One of the most critical things you can do as a state is to have a cyber emergency preparedness plan that has been battle-tested and validated," he said.
The incident response plan allows Edwards to activate resources from the Louisiana National Guard, Louisiana State Police, and the Office of Technology Services in the event of an attack.
But Edwards was honest about areas where the state struggled and spoke about how Louisiana dealt with a major cyberattack on a series of schools in 2019.
The state committee had not even tested out its incident response plan when it was hit with the cyberattack in the summer of 2019, right before schools were getting ready to open for the year.
"I believe that if the cyber commission had not developed the plan, we would not have been able to respond as well as we did," he noted, adding that five of the state's K-12 schools were hit badly and lost their entire network.
As news outlets noted at the time, Edwards activated the state's cyber incident response plan, called the Emergency Support Function 17, for the first time after multiple school districts were hit, including the Tangipahoa Parish school district as well as the Sabine, Morehouse, and Ouachita parishes. The Lafayette Parish School System was forced to cut off all internet and phone connections to central offices as a way to mitigate the damage, according to The Advocate.
"Three North Louisiana school districts reported last week that cyberattacks had shut down their district phone lines and locked and encrypted school system data. As a precautionary measure, we have shut down the IP phone connections at all of our offices, including schools, Central Office, and our registration center so the team can mitigate any potential spread of the malware," Tangipahoa School Superintendent Melissa Stilley said in a statement at the time.
While it is still unclear who was behind the attack, it took place right as schools were beginning orientations, placement exams, and registrations ahead of the start of the school year.
At the time, at least five other cities across the country faced ransomware attacks that crippled government systems.
"I declared a state of emergency and began executing the playbook. It was the first time in Louisiana's history that a cyberattack was addressed like a disaster. We activated state police, the office of technology services, and the national guard cyber team."
The quick response allowed state officials to help the five schools recover but also limited the damage at seven other schools, and Edwards said that with the help of the National Guard, all of the schools were able to open on time.
Over the past two years, attackers have increasingly targeted schools, hospitals, and other vital government functions with ransomware and malware because they know these organizations cannot run without computers and devices so they are more likely to pay faster.
But the FBI has released strict guidance, advising anyone hit with ransomware not to pay it.
Tonya Ugoretz, deputy assistant director of Cyber Policy, Intelligence, and Engagement Branch at the FBI, spoke at the summit and said it was imperative for state or city level governments to come to the FBI first.
Ugoretz acknowledged that the first step must be to bring systems back online, but she noted that working with federal law enforcement after an attack was critical in not only stopping others from being hit with similar attacks but also so that federal authorities could proactively find attackers.
"A computer intrusion is a crime and we need to treat a virtual intrusion the same way we treat a physical break-in. If your City Hall suffered a physical attack, you're going to call someone to clean up the broken glass, change the locks, and put in new windows. But you're also going to call law enforcement so we can find who did this and prevent others quickly from also becoming a victim," she said.
"That same need exists for cyber intrusions. The attacker's goal isn't just to compromise a network, it's to use that access to do something else. The 'do something' could be many things. To steal your info, to encrypt your networks and ask for a ransom, or something more destructive, like wiping your data or destroying your systems."
She went on to explain that the FBI can help use its connections to national and international law enforcement agencies to help "go on offense against those responsible."
State-level organizations should not only develop closer relationships with their nearest FBI field office but should make sure officials are trained in cybersecurity in order to address a crisis faster.
"As we look ahead, we know that unfortunately, cyber intrusions will take their place alongside other criminal violations and terrorism as a type of threat we all have to be ready to protect against," Ugoretz said. "Your police and sheriff's departments may not currently receive many calls for service for cyber attacks, but that future is on the horizon and the time for us to prepare for it is now."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)