Florida House Bill 7055 on cybersecurity is on its way to the governor’s desk, having passed both the House and Senate unanimously during the recent legislative session.
This critical legislation appears to have three primary goals:
- Expand the state’s cybersecurity leadership and management responsibilities, adding oversight of Florida’s local government entities.
- Establish cybersecurity readiness and reporting standards and facilitate their adoption by local government.
- Address the growing problem of ransomware attacks in local government.
Each of these is worthy of its own article, but the ransomware mitigation will have the most immediate impact on Florida’s municipalities and counties. The National Institute for Standards and Technology, a division of the US Department of Commerce, defines this type of cyber attack: “Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.”
The Institute further explains, “Ransomware disrupts or halts an organization’s operations.” This situation leaves management with two options: pay the ransom and hope the criminals restore the systems, or incur the impact and cost of restoring the systems themselves.
Florida’s new legislation reduces that choice to only one option for local government leaders. Starting July 1, assuming Gov. DeSantis signs HB 7055 into law, it will be illegal for any local government in Florida to pay ransoms when attacked.
A 2019 ransomware attack on the city of Baltimore, Maryland, resulted in devastating consequences that could happen anywhere, including Florida. Utility and tax bills could not be sent or paid. Real estate transactions were on hold for weeks. It took over a month for the city’s 10,000 employees to regain access to their city accounts. The cyber criminals had a massive impact.
In the end, systems, data and services were restored. The city contracted with outside experts to help. After weeks of effort, the bills came in. The criminals had asked for a ransom of $76,280 at the onset of the attack. Baltimore decided not to feed the evil enterprise. In the end, it cost Baltimore citizens more than $18 million. While not paying criminals is arguably the moral response, it was undeniably costly to the taxpayers.
Are Florida’s local government entities ready for what is to come? And how prevalent are these attacks?
Allan Liska of Recorded Future, a cyber threat intelligence provider, explains there were 170 publicly reported ransomware attacks against state and local governments in 2021, up from 159 in 2020. Since 2016 there have been 30 publicly reported ransomware attacks against local governments in Florida. Since most ransomware attacks are not reported, the real number is likely much higher.
According to a 2019 report on local government cybersecurity preparedness from University of South Florida’s Cyber Florida, many, if not most, local governments in our state are not ready to fend off and/or respond to cyber attacks. Cyber Florida conducted a survey of primarily executive leaders of Florida municipalities.
Some of the responses highlight significant shortcomings in cyber readiness.
- 46% of respondents have no resources dedicated to cybersecurity.
- 44% of respondents say less than 5% of their budgets are dedicated to cybersecurity.
- Less than 5% of respondents say they include cybersecurity as a regular agenda item in their staff meetings.
- 61% cite fiscal constraints as the primary reason for their lack of adequate cybersecurity.
The cities of Riviera Beach and Lake City were recent, high-profile ransomware victims in Florida. Both were covered by insurers, which paid the ransoms.
Cyber insurance is increasingly sought after by government entities, but it is expensive. Just like Florida hurricane insurers, cyber insurers require that organizations have minimal protection standards in place. It is not clear whether HB 7055 precludes insurers from paying ransoms on a local government’s behalf.
Florida’s legislation isn’t leaving local governments high and dry. It also provides resources to help them meet newly established, minimum requirements. The Florida Digital Service, a division of the Department of Managed Services, is getting much-needed funding to build a cybersecurity operations center.
Typically, a security operations center would act as an early-warning system for local government, using technologies such as threat detection. For example, if the CSOC is notified about known ransomware that is actively targeting our region, it can warn local governments so they can avoid falling victim to the attack. Since known attacks change by the minute, this type of central notification system is crucial.
Recorded Future’s Jalbert reports that states of all sizes, from New York to North Dakota, are already using this shared threat detection model to bolster the defenses of local governments, providing actionable intelligence and improving the security of their municipalities and constituents. He is encouraging Florida to adopt this model as well.
According to the Cyber Florida report on local government’s cyber readiness, less than 5% of local government entities have cybersecurity as a line item in their budget.
The mandates in this legislation will necessitate change. Florida’s local governments are now under the gun to step up their cyber readiness, and that will require adequate funding of these efforts. I applaud the Florida Legislature for forcing the issue.
Monique Miller is the state and local director for Merlin Cyber and the host of “Cyber Bites.” Miller is a Brevard County resident.