Who got attacked isn’t fully clear — the state declined to release that information, citing security concerns — but what is known is that none of the hackers got paid to end their attack.
Last November, North Carolina became the first state to prohibit state and local governments from paying or even communicating with ransomware attackers — those who threaten to block access to organizations’ virtual networks until they’re sent thousands, if not millions, of dollars, almost always through cryptocurrencies.
By barring payments, North Carolina hopes to discourage cyber attackers by erasing their chief incentive. But whether it’ll actually dent the will of hackers is up for debate, with state leaders saying yes and ransomware experts decidedly more skeptical.
Public cyber attacks are up in the state this year compared to 2021, but down from their peak of 17 incidents in 2020, according to data provided by the North Carolina Department of Information Technology (NCDIT).
Attacks have been rising nationwide, in both the private and public sectors, with attackers in recent years infiltrating several North Carolina county governments like Orange (multiple times), Mecklenburg, Davidson, Pasquotank, Robeson, and Duplin, as well as agencies like the ABC Board, the Onslow County Water and Sewer Authority, and the N.C. State Bar. Among 2022’s publicized attacks was one targeting North Carolina A&T University in March, which resulted in the cancellation of classes.
“I believe (the payment ban) will be a deterrent down the road,” said Jim Weaver, the state’s chief information officer who heads the NCDIT. “It’s too early to tell right now.”
PIPELINE ATTACK SPARKS NC ACTION
In early May 2021, a bill was introduced in the North Carolina House of Representatives to eliminate public ransomware payments. The timing was perfect.
Only a few days later, it was reported that hackers had successfully infiltrated the systems of Colonial Pipeline, causing gas shortages and unnerving many throughout the state. Colonial Pipeline ended up paying a $4.4 million ransom to regain its full services.
“I will say once that attack happened, everyone’s ears kind of perked up on what we can do as far as cybersecurity and deterring these attacks,” Rep. Jake Johnson, a Polk County Republican who sponsored the payment ban bill, said in a December interview with the MIT Technology Review. “And of course, we were like, ‘We’ve got this legislation ready to rock and roll.’”
The House passed the ban unanimously.
After the Colonial Pipeline breach, many state legislatures looked at toughening their stances on ransomware. Yet so far, only Florida has joined North Carolina in enacting a ban on public payments.
Under North Carolina’s law, governments and public schools must also alert the NCDIT if they fall victim to ransomware attacks. Weaver said that instead of negotiating, the state’s Joint Cybersecurity Task Force, which Gov. Roy Cooper formally established in March, will typically travel to the site of the attack, assess the issue and develop corrective actions.
Weaver didn’t detail what those actions are, citing security reasons.
The state task force is made up of four entities: NCDIT, the North Carolina Department of Emergency Management, the state National Guard and the North Carolina Local Government Information Systems Association. Each group takes on different roles depending on which level of government or type of public institution is hit, Weaver said.
“Some incidents can get done quickly, and some incidents can take a little bit longer time,” he said. “And by time, I mean weeks potentially.” By having ransomware negotiations “off the table,” Weaver said, both the victims and the task force can better focus on regaining their services.
AN ILL-ADVISED POLICY
Yet those who study the sordid world of hacking argue that laws banning payments won’t reduce attacks.
“I appreciate the intention, but I think it’s sorely misguided, unfortunately,” said John Stark, a cybersecurity consultant who teaches at the Duke University School of Law. “I don’t think that’s how hackers think.”
Cyber attackers, he said, aren’t always rational or even aware of individual state laws. They may work in groups or as individuals. They most often aim to make money but might also let ideology guide who they target. Some hackers go after specific organizations, in a process called “spear-phishing,” while others send malicious links indiscriminately in mass emails through a technique known as “spray and pray.”
Consistent cyber attacks, Stark said, are “as inevitable as a kindergartner catching a cold in class.” So rather than try to dissuade the bad actors with a payment ban, he said, the state would be better served elevating cybersecurity funding and training for local governments.
Others agree.
“Unless there is a corresponding investment into information system robustness and backup, I believe there is potential that an attack could cause irreversible loss of data,” said Erick Galinkin, a researcher for the cybersecurity firm Rapid7 who lives east of Charlotte in the city of Monroe.
The bill banning ransomware payments did not include additional funding for cybersecurity. Yet, over the next four years, the state could receive approximately $26.4 million for “cybersecurity-related activities” through President Joe Biden’s Infrastructure Investment and Jobs Act. To receive this money, states must match a portion of the federal funding with their own contributions: a 10% match in the first year, a 20% match in the second year, and so on for the four years.
Ron Pierce, who owns the IT consulting firm Trinity Solutions in the North Carolina Triad, argued the state would capitulate to attackers’ ransom demands if a vital government agency was crippled by hackers.
“I understand why the General Assembly would write such a statute, but I don’t believe it’s a realistic one or one that won’t be broken when necessary,” Pierce said. “Have a local 911 center hit and unable to serve the public, that statute is going to be broken quickly.”
Pierce said paying ransoms should be “a last resort,” but is a tool towns and agencies may have to utilize in a crisis.
“In the real world, these entities rarely have the proper funding to secure their technology and provide the needed training to prevent attacks,” he said. “They are already handcuffed in what they can do to protect and now a statute would prevent them from using a possible solution to restore their servicing abilities quickly.”
This story was produced with financial support from a coalition of partners led by Innovate Raleigh as part of an independent journalism fellowship program. The N&O maintains full editorial control of the work.
©2022 The Charlotte Observer, Distributed by Tribune Content Agency, LLC.