Security

NASCIO 2019: Texas CIO Credits Strong Governance for Ransomware Recovery

After 23 local Texas governments were attacked in August, a disaster declaration was fundamental to the cybersecurity response, Todd Kimbriel says at NASCIO 2019.

Mickey McCarter

Mickey McCarter is the senior editor of StateTech Magazine.

At 2:30 a.m. on Aug. 16, a Texas-based organization reported a ransomware event to its managed services security provider. By 10 a.m., a number of other organizations also reported ransomware attacks. Ultimately, 23 local government organizations fell prey to the cybersecurity attack.

The Texas Department of Information Resources responded promptly, determining the 23 localities were infected through their shared managed services provider, said Texas CIO Todd Kimbriel on Monday at the annual conference of the National Association of State Chief Information Officers in Nashville, Tennessee.

JOIN THE CONVERSATION: Follow @StateTech on Twitter for continued NASCIO 2019 conference coverage.

In a statement to StateTech, Kimbriel emphasized the complexity of the ransomware incident:

“There aren’t easy answers or a silver bullet to prevent attacks. However, it is crucial that any service provider, whether in-house or outsourced, has good cyber hygiene practices in place. DIR’s role is to provide cybersecurity assistance and education to Texas government. We take that role and our relationship with those we serve seriously.”

Kimbriel attributes the successful response to the authority of the Texas governor to declare an emergency in response to a cyber event and to a strong statewide cybersecurity incident response plan.

“I would characterize our response to that as A++, and there’s a couple of reasons why our response was so good compared to some other ransomware events,” Kimbriel said during the presentation.

Governor’s Disaster Declaration Activated State Operations Center

Through the Legislature, the Texas governor has the authority to declare a disaster in response to a cybersecurity event, Kimbriel emphasized. In that case, the state can activate a state operations center to immediately bring the authorities and capabilities of all state agencies to bear on the problem.

“That’s a huge differentiator, because now you have feet on the ground,” Kimbriel said. “State operations centers have protocols, communications procedures and engagement. One of the key things that states have started to embrace over the last eight years is a federally directed mandate to governors to get the military departments of each state … to participate in cyber activities.”

It is crucial that any service provider, whether in-house or outsourced, has good cyber hygiene practices in place.”

Todd Kimbriel Texas CIO

The Texas National Guard dispatched six-person teams in fully equipped vans to the 23 locations struck by the ransomware to assist in recovery from the attack. Texas CISO Nancy Rainosek does not have the authority to call upon these specialized teams to assist, Kimbriel added. The only way to activate the state military cybersecurity response units is through the state operations center.

“If you don’t have the disaster declaration and if you don’t have that state operations center function in place, you cannot get that organization dispatched,” Kimbriel said.

Within 24 hours, the state identified all but one of the ransomware victim organizations. Within 72 hours, responders eradicated all ransomware and were in the process of recovery. Within a week, the recovery was complete, Kimbriel said.

BECOME AN INSIDER: Gain exclusive video coverage of the NASCIO 2019 when you subscribe to StateTech.

Cybersecurity Response Plan Depended on Tested Partnerships

Once the governor activated the state operations center, officials activated the state cybersecurity incident response plan, Kimbriel said. Rainosek led an update of that plan only a few years ago.

The state operations center was activated within eight hours of the first report of an incident, Kimbriel recounted. Rainosek was among the officials who went to the state operations center to coordinate the cybersecurity response.

“We did exercises with [the military] and spent a week on contracting and with the lawyers,” Rainosek said, speaking at the NASCIO 2019 conference.

The state participated in a cybersecurity exercise last year in Houston. “We worked with them for about a year to plan this tabletop exercise. It was three days, and we learned a lot from that,” Kimbriel said.

The exercise simulated a cyberattack at the Port of Houston during a hurricane. An attack on the port would cripple the state’s defensive posture and its ability to resupply, Kimbriel said.

At the county level during the exercise, federal and state officials witnessed local leaders mount an effective response because of their personal relationships and agreements to commit resources. At the federal level, such an effort may have required a memorandum of understanding drawn up by lawyers, he added.

“We learned at the county level that it’s who you know, the personal network of these people who are so passionate about first response, that allows things to happen,” Kimbriel said.

The Texas Department of Information Resources met with the Texas Military Department over two years to finalize plans and agreements, which proved vital in the recent ransomware response, Rainosek said. An established managed security services contract also provided strong incident response services, she said.

In addition, Dell stepped in after the attack to offer local Texas governments the opportunity to replace their hardware at a significant savings, Rainosek noted.

Check out more articles and videos from StateTech’s coverage of NASCIO 2019 conference here.

Getty Images / Art Wager