Ohio’s local governments have a new line of defense to deal with computer hacking in a civilian cybersecurity reserve force that's part of the state National Guard.
A bill Gov. Mike DeWine signed into law in October creates a reserve force to be deployed by the state to help local governments, businesses and critical infrastructure recover from and reduce the impact of cyberattacks.
The Ohio Cyber Reserve is the first of its kind, although other states have similarly stepped in to assist their local governments improve their computer network security and fight online criminals.
The creation of the reserve comes in the wake of at least four ransomware attacks against Ohio local government computer networks in the past year. The cities of
The new law also requires the Ohio Secretary of State to appoint a chief information security officer to advise the office on information security. It also requires the Ohio Board of Elections to audit the official election results for primary and general elections and makes the Secretary of State a member of the Ohio Homeland Security Advisory Council.
Moody’s Investors Service called the Cyber Reserve a credit positive for local governments because it expands and deepens the technical assistance available to them, bolstering their responses to attacks with the aim of limiting the impact on their operations and finances.
The legislation also underscores the significant role states can play in helping governments respond to rising criminals targeting governments online.
“Given their relatively limited resources, many local governments do not have the technical sophistication and expertise needed to respond adequately to an attack,” said Moody's analyst Daniel Simpson. “Ohio’s creation of the Cyber Reserve provides them some additional state resources that gives them the ability to respond more quickly and limit the impact of a cyberattack.”
The Cyber Reserve will operate as part of the state's defense forces under the command of the Adjutant General, which includes Ohio National Guard, and would be available upon the governor's request to respond to a cyberattack in the state.
“I think you will continue to see a trend of state governments getting more involved in advising and protecting local governments in dealing with cyberattacks,” said Howard Cure, director of municipal bond credit research at Evercore Wealth Management. “[Ohio's] program will supplement cyber insurance policies held by local governments and is needed due to the increasing complexity of the threat.”
Cyber Reserve will deploy a force of 50 initial volunteer civilian cybersecurity experts who will be deployed at the request of a government hit by an attack, according to Moody's. The legislation appropriates $100,000 for fiscal year 2020 and $550,000 in fiscal year 2021 to operate the reserve. When on active duty, members of the reserve will be paid similarly to other military personnel with a similar level of training, according to the bill.
"Recruiting for members is currently underway, and more than 60 individuals have registered for consideration,” said Mark Bell, cybersecurity outreach coordinator for the Ohio Adjutant General's Department. “Many more have expressed interest in the program. Recruiting is ongoing as the teams will be set up in a staggered start." The first two teams will be set up at the end of January, as the bill takes effect 90 days after DeWine's signature. More teams will be set up throughout Ohio through the rest of 2020.
Bell said the Cyber Reserve is an initiative of the Ohio Cyber Collaboration Committee, a partnership of public sector agencies, enterprises and military organizations that was formed three years ago to bolster the state's online security posture.
Cure said that cyber risk is an area that will be increasingly scrutinized by the rating agencies to determine if the local governments and state agencies are providing the appropriate security measures.
“To the extent this becomes a financial burden in terms of operating expenses or additional debt issuance, that will weigh on the ratings,” Cure said.
“I think there are certain sectors within municipal bonds that are more vulnerable to cyber risks, although all municipalities need to heavily invest in equipment protection and training,” Cure said. “These vulnerable sectors include the healthcare and public power areas that maintain personal data in the case of healthcare and need to protect the power grid in the case of public power.”
Moody’s analyst Orlie Prince said the increase amount of cyberattacks hasn’t triggered any ratings action on municipal bonds it rates primarily because rated entities have sufficient reserves to offset near term losses or costs.
“Combined with an increase of cyber insurance to help with the costs and the ability for these issuers to operate manually — these have all been mitigants to the attacks in terms of the issuers' ability to continue to operate and get back online pretty quickly,” Prince said, adding that some governments opt to pay the ransomware because it’s faster and easier to get their systems up and running.
Prince said the risk of online attacks is “certainly something we are looking more into, we ask more questions about cyber defense and how a rated entity might handle an attack.”
Prince said that Moody’s has started to see an increased focus in local government information technology budgets.
“There have always been IT budgets, but there is more attention to cyber defense now,” Prince said. “So I think in some cases we are seeing an increased amount of budgeting on that and certainly an increase in spending on cyber insurance.”
Akron, target of an attempted malware attack in early January, has invested more than $9 million in citywide IT infrastructure and maintenance since 2016. “We will continue to monitor our systems and make necessary investments to protect public assets and citizen information," Mayor Dan Horrigan said in a statement.
Cleveland Hopkins International Airport has spent nearly $2 million on upgrading computer security after a malware attack in April took down message boards in the terminal for about a week. Airport Director Robert Kennedy said in September that the airport has experienced an unspecified number of unsuccessful system intrusions since the April attack.
Ohio’s creation of cyber reserve is the first of its kind, but other states have similarly stepped in to help their local governments fight cybercrime.
"In fact, we are seeing a growing involvement from states, but they are different forms,” Prince said.
At least 24 states have launched cybersecurity commissions since 2011.
Prince said that when a number of cities in Texas that were attacked last August the state stepped in to help them. “They don’t have a law, but the state came in to help these cities,” Prince said.
In July, Louisiana Gov. John Bel Edwards declared a state of emergency in response to ransomware attacks on three school districts. That brought assistance from the Louisiana National Guard and Louisiana State University, among other state entities. The state had also taken steps to prepare for malicious attacks by forming the Louisiana Cybersecurity Commission in 2017.
The state of Washington provides
