San Jose, the capital of Costa Rica, is seen in this cropped photo by wikipedia user ArquiWHAT. Costa Rica declared a national emergency after a cyberattack last week.
Last week, Costa Rica declared a national emergency after a widespread series of ransomware-based cyber attacks that crippled infrastructure across the entire nation. The incident, according to several reports, has sparked concern among regulators and government officials that other municipalities or entire countries could face widespread downtime of critical services after a cyberattack.
The New York Times reported May 17 the incident was likely perpetrated by a Russian “cartel,” possibly in retaliation for the Costa Rican government’s support of Ukraine. The country’s president told reporters the attack dated back to April 12, when a ransomware gang broke into the Ministry of Finance, which houses Costa Rica’s tax agency. The ransomware spread to other government agencies, significantly impacting telecom and technology services. Thus far, the government has said it has not and will not pay a ransom demand to the attackers.
Emsisoft has estimated that ransomware attacks cost victims more than $600 million in the U.S. last year. But the attack on Costa Rica’s government is the largest known single criminal ransomware attack to date against one country’s government. Costa Rican residents were even forced to struggle to pay their taxes by hand last week after the ransomware cyberattack took down the country’s online tax collection system.
The attacks have had an “enormous” impact on the country’s foreign trade system as well, according to the Central American country’s President Rodrigo Chaves, who publicly acknowledged the enormity of the crisis in comments to reporters barely a week after he was sworn in as president.
The incident presents the usual “lessons learned” in ransomware: creating networks with strong segmentation can help contain ransomware attacks and others that spread easily between departments; and adequate back-ups to restore service after an outage. Public-private partnerships can also help fill knowledge gaps between the types of attacks businesses observe and those governments experience.
While these steps could help prevent such an incident, in reality, we all know there are talent shortages, time shortages and money shortages that constrain governments of all types — local, state or federal — from taking steps to prevent against a determined attacker, as is the case here.
This leaves one important lesson for businesses: a forward-thinking disaster recovery strategy may need to include preparation not only for a direct cyberattack against the business, but a successful attack against the infrastructure on which the business relies. With telecommunications, utilities, police, fire and other public services deeply impacted in Costa Rica, businesses will also face near-term uncertainty.
This type of scenario has happened in the U.S. before in major cities: In 2020, Baltimore was targeted by ransomware attacks that crippled city services and trickled down into the local economy: real estate transactions ground to a weeks-long halt and water services companies couldn’t process transactions.
All of these incidents are reminders that protecting companies from cyberattacks will continue to be far more than the responsibility of each individual business, government agency or service provider, but a problem that casts a very wide net to all parts of the economy.
Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.