Ransomware: Federal agencies provide helpful assistance but can improve collaboration


What the GAO found

Ransomware is a form of malicious software designed to encrypt files on a device and render data and systems unusable. Malicious actors then demand the payment of a ransom in exchange for restoring access to locked data and systems. A ransomware attack is not a single event but occurs in stages (see figure).

Figure: Four stages of a common ransomware attack

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Secret Service provide assistance in preventing and responding to ransomware attacks against state, local, tribal, and territorial government organizations. For instance:

  • Education and awareness. CISA, in conjunction with the FBI, Secret Service, and other federal partners, developed the www.stopransomware.gov website to provide a central location for ransomware tips, alerts, advisories, and reports from federal agencies and partners.

  • Sharing and analyzing information. CISA, the FBI, and the Secret Service collect and analyze security and ransomware-related information, such as threat indicators, incident alerts, and vulnerability data, and share this information by issuing alerts and notices. For example, CISA, through a cooperative agreement with the Multi-State Information Sharing and Analysis Center, provides intrusion detection sensors to non-federal entities that reportedly analyze 1 trillion network activity reports per month.

  • Cybersecurity review and assessment. CISA and the Multi-State Information Sharing and Analysis Center provided on-demand examination and assessment services, such as vulnerability scanning, remote penetration testing, and risk assessments.

  • Incident response. When a ransomware attack occurs, CISA, the FBI, and the Secret Service can provide incident assistance to non-federal entities upon request. CISA and the Multi-State Information Sharing and Analysis Center provide technical assistance such as forensic analysis of the attack and recommended mitigation measures. Additionally, the FBI and the Secret Service primarily collect evidence to conduct criminal investigations and attribute attacks. According to the Multi-State Information Sharing and Analysis Center, state, local, tribal, and territorial governments experienced more than 2,800 ransomware incidents from January 2017 to March 2021.

Other federal agencies, such as the Federal Emergency Management Agency, the National Guard Bureau, the National Institute of Standards and Technology, and the Treasury Department have a more indirect role. These agencies provide ransomware assistance to non-federal entities by administering cybersecurity grants, issuing guidance to manage ransomware risk, or pursuing penalties to disrupt ransomware activity.

Officials of government organizations that GAO interviewed were generally satisfied with the prevention and response assistance provided by federal agencies. They generally had positive opinions of ransomware advice, detailed threat alerts, quality free technical assessments, and timely incident support. However, respondents identified challenges related to outreach and communication. For example, half of respondents who have worked with the FBI cited inconsistent communication as a challenge associated with the agency’s ransomware assistance.

CISA, the FBI, and the Secret Service have taken steps to improve interagency coordination through existing mechanisms, such as interagency delegates and field personnel, and demonstrated their coordination on a joint ransomware website, tips, and alerts. However, the three agencies did not address aspects of six of the seven key practices for interagency collaboration in their ransomware assistance to state, local, tribal, and territorial governments (see table).

Table: Extent to which the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Secret Service have addressed key collaborative practices in their assistance with ransomware

| Key practice | Extent addressed |
| --- | --- |
| Defining results and monitoring accountability | Not addressed |
| Bridging organizational cultures | Partially addressed |
| Identify and sustain leadership | Generally addressed |
| Clarification of roles and responsibilities | Partially addressed |
| Include relevant participants | Partially addressed |
| Identify and mobilize resources | Partially addressed |
| Develop and update written guidelines and agreements | Partially addressed |

Source: GAO analysis of agency documentation. | GAO-22-104767

Specifically, agencies have generally addressed the practice of identifying leadership by designating agency leads for technical and law enforcement-related ransomware response activities. However, agencies could improve their efforts to address the other six practices. For example, existing inter-agency collaboration on ransomware assistance to state, local, tribal, and territorial governments was informal and lacked detailed procedures.

Recognizing the importance of formalizing inter-agency coordination on ransomware, the Consolidated Appropriations Act, 2022 asked CISA to create a joint ransomware task force, in partnership with other federal agencies. Among other responsibilities, the task force aims to facilitate coordination and collaboration among federal entities and other relevant entities to improve federal actions against ransomware threats. Addressing key practices for inter-agency collaboration in concert with the new Ransomware Task Force can help ensure effective delivery of ransomware assistance to state, local, tribal and territorial governments.

Why GAO Did This Study

The Department of Homeland Security has reported that ransomware poses a serious and growing threat to government operations at the federal, state, and local levels. In recent years, numerous ransomware attacks have been reported against hospitals, schools, emergency services, and other industries.

The GAO was asked to review federal efforts to provide ransomware prevention and response assistance to state, local, tribal, and territorial government organizations. Specifically, this report discusses (1) how federal agencies are helping these organizations protect their assets from ransomware attacks and respond to related incidents, (2) organizations’ perspectives on ransomware assistance received from federal agencies, and (3) the extent to which federal agencies have addressed key practices for effective collaboration when assisting these organizations.

GAO reviewed agency documentation from eight federal agencies to identify efforts to help state, local, tribal, and territorial governments address ransomware threats. Documents reviewed included agency service catalogs, ransomware advice, and agency websites. GAO supplemented these reviews with interviews with officials from CISA, the FBI, the Secret Service, the Department of Justice, the Federal Emergency Management Agency, the National Institute of Standards and Technology, and the Treasury Department.

GAO also interviewed officials from government organizations receiving federal ransomware assistance who volunteered to share their insights. These officials represented the governments of four states, eight localities and one tribal nation. In addition, GAO interviewed officials from six national organizations. These groups included the National Governors Association; National League of Cities; National Association of State Chief Information Officers; and the National Association of State Auditors, Comptrollers and Treasurers. To analyze the responses from these interviews, GAO coded qualitative data to enable the identification of common patterns across the interviews. The results of these interviews are not generalizable, but provide insight into the prospects for federal assistance in the fight against ransomware.

The GAO has identified three federal agencies that provide direct ransomware assistance (CISA, FBI, and Secret Service) and assessed their efforts against key inter-agency collaboration practices. To support its assessment, GAO reviewed agency documentation on collaborative mechanisms and assistance coordination efforts, such as joint alerts and referrals, incident coordination procedures, and interagency agreements. GAO also interviewed officials from the three agencies to clarify information about their collaborative efforts.

