Ohio Responds to Ransomware

In response to a ransomware attack that struck Columbus last July, Ohio enacted legislation requiring every government agency to implement robust cybersecurity programs. This includes counties, cities, school districts, and townships.

Employee Training and Reporting Requirements

A key component of the new mandate is the establishment of cybersecurity training for all employees. Additionally, local officials must report any cyberattacks to the Ohio Department of Public Safety within seven days of identifying a breach. Paying ransoms requires approval from a government’s legislative body.

The Rhysida Ransomware Attack

The Rhysida ransomware gang based in Russia claimed responsibility for the attack, stating they had stolen sensitive data such as employee credentials and footage from city video cameras. The stolen information included names, dates of birth, Social Security numbers, bank account details, and records of residents’ interactions with city services.

Rhysida demanded 30 bitcoin for the stolen data. Whether Columbus paid all or part of the ransom remains unclear, but the mayor noted that the data was likely “corrupted” and “unusable.”

Expert Perspective

“Ransomware attacks targeting municipalities and governments are not a new phenomenon,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “These entities have historically been prime targets due to their importance and the sensitivity of the data they handle. It’s unfortunate that it took such an attack for government bodies to recognize the critical need for stronger cybersecurity measures.”

Columbus Implements Zero-Trust Network

In response to this threat, Columbus has introduced a zero-trust network, enhancing security by requiring strict identity verification for all access requests. Under this model, no user or device—whether inside or outside the organization—is automatically trusted.

This is just one step in an ongoing cybersecurity initiative designed to fortify city systems against future attacks.

Call for Cultural Change

“While public declarations about new cybersecurity mandates are important, they must be backed by actionable and specific guidelines,” Goldberg noted. “A zero-trust model should be embraced as a cultural change, starting from the highest levels of management down.”