What Skyjacking and Kidnapping Cases Can Teach Us About Responding to Ransomware Attacks

Stephen Smith

While ransomware is a relatively new phenomenon, ransom-related crimes have been around for generations. Here are four lessons from the past which we believe will help state and local governments protect themselves in today’s digital world.

In 2018, there were 56 targeted ransomware attacks reported by state and local governments in the United States, a 40 percent increase over the number reported the previous year, according to a May 2019 Recorded Future report. In the first half of 2019 alone there were 55 documented attacks, nearly equaling the 2018 total and suggesting that this trend is accelerating. 

The increasing number of ransomware attacks in state and local government has resulted in an explosion of media coverage, most of which has focused on current causes and effects. We believe there’s value in looking at past instances of ransom-related crimes, such as skyjackings and kidnappings, and examining the actions taken to reduce them. These examples offer response tactics we believe can be applied to today’s digital world. 

Let’s start with skyjackings. In the 1970s, over 150 planes were hijacked and held for ransom in the United States alone. Fast-forward to 2018: there were none. So what changed? Three things: 

  • More stringent airport screening; 
  • Hardened cockpits on planes; and
  • Aggressive responses by passengers and crew to potential threats. 

The response to political kidnappings can be equally instructive with regard to dealing with ransomware. The advent of “Kidnapping and Ransom (K&R)” insurance completely changed the calculus on these events by adding a risk reduction requirement to the policies. If you wanted K&R coverage you had to take precautions to actually reduce your risk of being kidnapped. 

Using Past Ransom Crises to Define Future Ransomware Response Strategies

What do the responses to these past threats have to do with today’s digital attacks? We see four lessons learned from past ransom crises which we believe can be applied to protecting state and local  governments from ransomware. 

  • Change behaviors. In the skyjacking example, increased airport screening has affected air travel for all passengers, but they’ve adapted to it. Taking off your shoes and going through a metal detector are now accepted practices. Similarly, cities might consider adopting e-screening techniques as a requirement before the public can access digital services. This might include something as simple as making sure residents have updated the operating system software on their mobile devices before allowing them access to city websites. Or, it might mean changing internal practices to implement more stringent patch management on agency-owned assets, such as using tools to prioritize this type of mitigation. In addition, city employees could be required to connect to work-related applications only with city-owned assets or via proprietary VPN connections using two-factor authentication. 
  • Harden the infrastructure. If a threat actor in a skyjacking scenario can’t get in the cockpit, they can’t take over the plane. Government IT infrastructure needs to be equally hardened. While information technology professionals understand the importance of implementing CIS controls and/or other standards, they often lack the budgetary influence to obtain the tools necessary to implement them. In the ongoing Deloitte-NASCIO Cybersecurity Study, which is based on biennial surveys of state CIOs, respondents have routinely cited a lack of sufficient funding as their No. 1 challenge in addressing states’ efforts to thwart threat actors. To address this, cities should transfer cybersecurity responsibility from IT to public safety. Public safety initiatives get funded because their work is visible to the public. More to the point, public safety leaders can acquire weapons and weapons systems — and cybersecurity tools could be branded as such. Here are three ways local governments can change the conversation when it comes to cybersecurity funding
  • All for one and one for all. Behave threateningly on an airplane today and fellow passengers will take action. While we’re certainly not condoning vigilantism, we believe cities should empower their communities to respond quickly and assertively to all forms of cyberthreats, from phishing attacks to complex exploits by threat actors. First, mayors should install someone in uniform as the city CISO and address cyberthreats in the same manner as any other potential crimes. Tools like Tenable’s, which offer predictive prioritization of vulnerabilities, can stand alongside crime reporting, analysis and forecasting tools like CompStat to ensure appropriate resources are applied based on the probability of these crimes occurring. Second, public safety officials should set up Crime Stopper-type channels for reporting cyberthreats and vulnerabilities and make them publicly available. Finally, mayors should create a “cyber corps” of local experts who can be called on as advisors during a crisis and also serve as a sounding board for public comment regarding cyberthreats. 
  • Use insurance as an instrument of change. Kidnapping and ransom insurance policies led to enhanced risk management requirements on behalf of the potential beneficiaries of these policies. The same will be true for cyber insurance. Cities will want to obtain the lowest rate possible for coverage and will therefore comply with similar risk management requirements. This will come with a cost, albeit a much lower one than a ransom. Mayors who choose to acquire cyber insurance can use this fact as a lever to gain increased budget for the acquisition of cyber tools and staffing to control the cost of premiums and further reduce the probability of future ransomware attacks. 

While it’s true that the challenges we’re facing in today’s digital world are unique, it’s helpful to consider these and other ways state and local governments have responded to other major public safety challenges. If you have other ideas on how we can use historical responses to guide our future strategy, email me at stsmith@tenable.com.

Learn more:

Read more >

Published on Sep 16, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.