In the wake of a significant ransomware attack on Columbus, Ohio now mandates that every government agency implement cybersecurity measures to protect its IT systems. This requirement extends to counties, cities, school districts, and townships.

Cybersecurity Training and Reporting

Public employees must undergo regular cybersecurity training as part of this new policy. The legislation also compels local officials to report any cyberattack to the Ohio Department of Public Safety within seven days after detection. Moreover, paying a ransom can only be done with approval from the legislative body overseeing the government agency.

Background of the Policy

The catalyst for this policy was a ransomware attack on Columbus’s IT infrastructure in July. Allegedly carried out by the Rhysida gang, based in Russia, the hackers claimed to have stolen sensitive data including employee credentials and video camera footage. The stolen information reportedly comprised personal details such as names, dates of birth, Social Security numbers, and bank account details, along with records of residents’ interactions with city services.

Rhysida demanded 30 bitcoin for the ransom; whether Columbus paid this ransom in full or not is unclear. Mayor’s office stated that the stolen data was likely “corrupted” and “unusable.”

Emerging Zero-Trust Approach

In response, Columbus has initiated a zero-trust network aimed at enhancing security. Under this model, all access to city systems, including by employees, requires strict identity verification and multiple layers of authentication.

This initiative marks the beginning of Columbus’s comprehensive cybersecurity strategy.

Opinions from Experts

Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, commented that such upticks in cyberattacks targeting municipalities and governments are not unusual. She emphasized the need for stronger cybersecurity measures beyond mere regulatory mandates, advocating for a cultural change starting with leadership.