IBM: Taxpayers Don’t Want Local Government Paying Ransomware

A new IBM Security study shows taxpayers oppose local governments paying malicious hackers in ransomware attacks, but they’re not willing to provide more funding locally to beef up security.

Based on responses from 2,200 U.S. citizens spanning various city sizes, ages, incomes, political views and more, the study examined the extent to which U.S. citizens understand the severity of ransomware attacks, what they’re willing to contribute from their tax dollars, how they feel government leaders are handling the issue, and how they prioritize the services that are being targeted during attacks.

The study was sponsored by IBM Security and conducted by Morning Consult.

IBM’s John Kuhns

John Kuhns, senior threat researcher with IBM X-Force, tells us the findings can help to encourage cybersecurity providers to enforce a preparedness and response plan among their clients — especially if they’re working with government agencies.

“Organizations need to not only develop response plans, but regularly practice and rehearse them — so that when an attack hits, they’re ready,” he said. “The cities that have chosen to pay ransoms have been caught off guard with no response plan to fall back on; response plans need to be successfully implemented and practiced before an attack is even on the horizon. Teams should conduct regular simulations across all departments to test response escalation paths — this is essential in ensuring everyone is ready and prepared in the case of an emergency.”

The FBI reported nearly 1,500 ransomware attacks in 2018 alone, and more than 50 cities and government entities impacted by ransomware attacks so far this year.

Key findings include:

• Seventy-five percent of respondents expressed concern around ransomware threats to their personal data, while nearly 80% fear ransomware’s impact on cities across the United States.
• Nearly 60% of U.S. citizens surveyed are against their local governments using tax dollars to pay ransoms.
• Sixty percent of respondents would prefer their city to deal with the larger recovery costs rather than use tax dollars to pay ransom in a ransomware attack.
• More than 30% of taxpayers surveyed wouldn’t support payment of any amount to assist 911 emergency services, police departments and school systems if they were targeted by a cyberattack. Even those who were willing to pay to restore critical emergency services were, in many cases, often only willing to do so if the cost ran below $50,000.
• Nearly 40% of respondents specifically noted they wouldn’t pay anything to assist K-12 public schools or police departments.
• Nearly 90% of taxpayers surveyed are in favor of increasing federal funding for local governments to improve cybersecurity. And for those that have already been hit by these attacks, more than three-quarters of responding citizens believe the federal government should be reimbursing those cities who continue to be crippled by the aftermath of their attacks.

“The fact that a majority are unwilling to pay ransoms is encouraging, but I’m hoping that number grows as there’s a common misconception that paying a ransom completely solves the problem — that’s not the case,” Kuhns said. “The cost of paying a ransom is still a small price of what a city or organization will pay to recover; after an attack, cities still need to manually decrypt each infected device to restore the data, as well as look into what security issues caused the attack in the first place. Additionally, even if a ransom is paid, there’s still no guarantee hackers will release systems. Paying can also help to fuel criminals to perform more attacks and request higher ransoms in the future.”

While there’s still a lot of work to be done in preparing for ransomware attacks, there has been progress around its awareness, he said.

“With new attacks on cities constantly in the headlines, citizens are taking notice, as more than half have cited being somewhat familiar with the method,” Kuhns said. “More awareness around the problem is certainly a step in the right direction, but again, there’s still progress to be made in properly preparing, as well as in understanding that paying off cybercriminals is not the only option in battling ransomware.”