When the city of Baltimore faced a ransomware attack back in 2019, it had two choices: agree to pay the hackers to release its hijacked systems, or refuse and turn to outside help to recover. Baltimore chose the second option. While many would agree with the idea of never giving in to any ransom demand, the decision came at a cost. Baltimore ended up spending over $10 million to get its city accounts back, $10 million more than the $76,280 asked for by the hijackers.
Some might say that not paying saved Baltimore from becoming a more frequent attack target. Either way, the choice was up to the city. With HB 7055, a Florida bill passed on July 1, 2022, agencies and local governments in the Sunshine State will no longer have the option of paying out a ransom. How will this impact local Florida governments, and how many are prepared to set up the kind of cybersecurity protections necessary to protect themselves?
Florida HB 7055 is a set of amendments to Florida’s State Cybersecurity Act that establishes requirements around how state agencies and local governments report and respond to cybersecurity incidents. It specifically prohibits agencies from giving in to payment demands from hackers. This bill may have been spurred by experiences like that of the Florida city of Riviera Beach.
Like Baltimore, Riviera Beach was hit by a ransomware attack in 2019. Unlike Baltimore officials, Riviera Beach’s city council agreed to pay a $600,000 ransom to release their paralyzed systems. As a result of the incident, Riviera Beach invested almost a million dollars in upgrading its hardware to eliminate the vulnerabilities exploited by cyber hijackers.
Riviera Beach was by no means an outlier. Whether through older technology or limited resources, many cities around the US might be underprepared when it comes to protecting their data and systems. It can be as simple as a single person opening one malicious email to shut down city services and cause millions in damages.
Without the ransom payment that led to the release of Riviera Beach’s systems, how much more damage could the hackers have caused? Had officials in cities like Baltimore or Riviera Beach been able to invest in their IT and security posture sooner, protection could have been in place to stop and contain the malicious software before it could wreak havoc.
The Florida ransomware bill defines a ransomware incident as one where a person or entity uses software to infiltrate the data of a state agency, municipality, or county. Once they gain access, the person or entity asks for a ransom in return for one or more of the following:
Any unauthorized intrusion that results in stolen data and subsequent demands is considered a ransomware incident. The hacker doesn’t have to use tools or files when attempting.
The Florida cybersecurity legislation enforces strict requirements around reporting cyberattacks where attackers don’t use ransomware. How fast agencies, city, and county officials must notify state authorities about attacks depends on the severity of the incident. The U.S. Department of Homeland Security established severity levels around cybersecurity attacks which got added to Florida HB 7055 as amendments.
Level one is assigned to low-priority incidents unlikely to impact the public, the economy, or security at the local, state, or national level.
Level two incidents are medium-level impacts with the potential to impact the public, the economy, or security at the local, state, or national level.
Level three incidents are considered high-level occurrences. Attacks assigned to this level could significantly affect the public, the economy, or security at the local, state, or national level.
Level four incidents are severe occurrences that would significantly impact the public, the economy, or security at the local, state, or national level.
Level five incidents present an imminent threat to the ability of authorities to offer critical infrastructure services. They also impact local, state, and national security or the lives of residents.
State agencies and local governments are now subject to the following requirements under the updated Florida cybersecurity bill.
While the requirements aren’t yet fully defined, having the appropriate training programs, compliance procedures, and active cyber-defense processes in place will be a must. With NIST cyber frameworks referenced, digging into the statute changes tells us that the following will be required:
Florida HB 7055 also expands the responsibilities of the Cybersecurity Advisory Council to cover the following:
Does Florida HB 7055 apply to colleges and universities?
How can the notification requirement negatively affect local officials and state agencies?
The City of Weston recognized that they were not adequately equipped to handle the technological challenges of the current online environment. Officials invested in building an efficient, secure, stable technology stack. The city didn’t want to wait until it became another ransomware headline before taking proactive action. Read more about how R2 Unified Technologies (R2UT) helped Weston modernize its IT in our case study.
R2UT understands what it takes to update local and state IT infrastructure to combat cybersecurity threats and comply with state legislation. Learn more about how we can help you rebuild your technology stack and protect yourself against threats by contacting us here.