When it comes to ransomware attacks, Maryland can’t catch a break. The impacts of malicious software found on a state Health Department server on Dec. 4, 2021, are still being felt over a month later. While most reporting functions have been restored, staff are still sharing computers and are unable to access some shared files. The downstream impacts are real, with onboarding and licensing problems for new staff as well as disrupted patient care in state mental hospitals. But the state’s lack of transparency around this disruption has made it all but impossible to understand its cause and potential effects. An update published Jan. 11, 2022—nearly six weeks later—still vaguely refers only to a “network security incident.” The state’s head of cybersecurity finally confirmed it was a ransomware attack a day later, but offered no other details on when systems would be fully restored.

Equally concerning, this is only the latest in a string of such “security incidents” across the state. In 2018, Baltimore’s 911 emergency management system was disrupted by hackers, and the call center was forced to manage calls manually for 17 hours. A year later, a far more crippling attack struck the city, leaving residents without access to non-emergency city services, such as water bills or parking tickets, for several months. The breach cost the city $18.2 million. And in 2020, just before Thanksgiving, Baltimore County schools had to shut down virtual classes for three days after another ransomware attack. Files on the school system’s shared drive were lost forever, and experts estimated an $8 million price tag.

Maryland is not alone in reeling from a blast of ransomware—business leaders reported attempted attacks increased 50 percent from 2020 to 2021. But with Maryland’s municipal governments particularly vulnerable and often left hamstrung in the face of attacks, action is needed. The state legislature made progress in 2021 with the passage of Senate Bill 49, which established a cybersecurity strategy in the state’s Department of Information Technology. Sen. Katie Fry Hester (D-District 9), who chairs the legislature’s Joint Committee on Cybersecurity, Information Technology, and Biotechnology, also described additional improvements. Incorporating her recommendations and others, further action can be divided into four steps: centralize both preemptive measures and after-action recovery in one office; permanently increase cybersecurity funding; partner with experts from the private sector or the National Guard to advise on building more resilient frameworks; and increase reporting transparency. Each of these actions would aid in recovery from security breaches and help to prevent them in the future.

Centralize Authority

One solution described is centralizing authority under the state’s Chief Information Security Officer, and this should be priority number one. The distributed model of authority and accountability, which currently characterizes the cyber environment not just in Maryland but all the way to the U.S. Congress, creates deeply inefficient prevention of and recovery from ransomware and data breaches. From municipal information officers to several officials with various oversight functions at the state level, Maryland’s cyber environment is proving the adage: when everyone is responsible, no one is. This year, state legislators should follow the recommendation to create the role of Chief Information Security Officer, a centralized position with the responsibility of preventing attacks as well as accountability when a significant security incident does happen. As Sen. Angus King (I-Maine) memorably put it, this would give the public and other officials “one throat to choke” when things go wrong, and increased accountability would yield increased security.

Increase Funding

Next, legislators must solve the problem from which Maryland’s other problems all stem by instituting permanent funding for cybersecurity. A 2018 letter pegged the state’s cybersecurity budget at just $3.8 million, but the department had requested $15 million in annual allocations, plus $29 million in capital for initial development. That may have seemed like a dramatic increase at the time, but now it is just a tiny fraction of the $4.5 billion surplus legislators will be working with this fiscal year and next. The federal government allocated nearly $2 billion in the 2021 American Rescue Plan Act for hardening states’ cybersecurity infrastructure, funding that Maryland could also apply for and use on these investments. Given the volume of Marylanders’ personal information across state and municipal governments, cybersecurity should be the top priority, and be reflected as such in the state budget.

Create Expert Panels

As they reform the cyber infrastructure, legislators should also build in mechanisms to bring a diverse array of experts together in roundtable strategy discussions and planning meetings, including those from the private sector and the National Guard. Maryland would not be the first to develop this framework; several other states have modeled how this might look. Ohio established the Cyber Response Team in the state’s National Guard with legislation passed in 2019; Michigan recruits volunteers to serve as cyber consultants in its Michigan Cyber Civilian Corps; and Wisconsin assembled a group of public- and private-sector experts to develop a comprehensive set of recommendations for enhancing system security. Maryland leaders should think creatively about incorporating this kind of corps of cyber experts, which would increase both capacity and experience-based expertise.

Ensure Transparency

Finally, Maryland must change course from the striking opacity since the beginning of the most recent security incident in the Department of Health. To employees, media outlets and the public, investigators have been tight-lipped on what caused them to suspect a security incident, what the implications were for data security and even the nature of the attack. Some of this may be due to sensitivity in an ongoing investigation, but Marylanders at least deserve that explanation, and they deserve it far more quickly than the state has provided. It is sadly all too common for those responsible for cybersecurity to cover up or distort the facts when an attack happens, as Uber’s Chief Security Officer did in 2016 when a data breach compromised 600,000 contractors’ driver’s licenses. Uber’s actions were unacceptable as a business practice, but Uber does not represent or answer to the public. Far worse is such a dearth of transparency when it comes from elected and appointed officials. Maryland legislators should consider policy changes that establish reporting protocols during and after these breaches, particularly when sensitive data could be at risk.

Over the last few years, Maryland’s cyber defense has been in the news for all the wrong reasons. This session, legislators have an opportunity to turn the page. Some elected officials have already expressed the need for more effective central operations and system modernization, so it is clear the appetite exists for policy changes. When the impact of policy changes like these takes hold, Maryland can look forward to a smoother cyber landscape.

Image credit: Christopher Boswell
