On Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency following a series of cyberattacks impacting the computer and phone systems of several of the state’s school districts. The declaration, which will remain in place for the entire state until Aug. 21, is out of concern that the attacks could spread to affect other organizations in local and state government.
According to Gov. Edwards’ office, the attacks were directed at school systems in the Sabine, Ouachita, and Morehouse districts, and are described as "severe, intentional cybersecurity breaches" that "may potentially compromise other public and private entities throughout" the state in the emergency declaration.
The declaration, which is the state’s first cybersecurity emergency activation, allows several resources to be devoted to the ongoing investigation. This includes cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services – and others – to determine how best to resolve and prevent future cyberattacks. The state is also coordinating with the FBI on the issue.
According to CNN, there have been at least 22 reported breaches of public sector networks in 2019. Recently, ransomware hackers have taken over the computer systems of several cities, including Atlanta, Baltimore, Albany, and at least two cities in Florida.
In 2017, Gov. Edwards created the Louisiana Cybersecurity Commission – a 15-member board inclusive of state officials, private-sector executives, and academics – in anticipation of such attacks on its government-run organizations and systems.
“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat,” Edwards said in a statement.
The State of Software Security for Government and Education Sector
In a world where the threat landscape is always evolving, public sector agencies around the U.S. are taking steps to ensure that their technology and critical infrastructure systems have the right protections in place – just as they’re ensuring that they have the right policies and processes in place when a cyberattack cannot be prevented. A great example of this is how Colorado created the standard for best defense following the 2018 SamSam ransomware attack on its public transportation system, and additional examples of cyberattacks impacting critical infrastructure can be found in the Policymakers’ Guide to the State of Software Security.
It’s true that there is plenty to celebrate according to Veracode’s State of Software Security Volume 9 (SOSS Vol. 9), which showed that the Government and Education sector improved significantly over the previous report. In SOSS Vol. 8, the industry was dead last in latest scan OWASP pass rank. This year, it came in second only to healthcare.
In examining flaw persistence – or how long it takes to close a flaw from first discovery – the analysis curve shows that while these organizations are slower than usual out of the gate, they pick up speed with resolving vulnerabilities as they dig into the second half of remaining flaws.
It’s understood that the reliance on digital technologies and software will continue to increase, just as the threat landscape will remain fluid and ever-changing. With approximately one quarter of breaches occurring through web application attacks, it’s imperative that government organizations and agencies ensure their applications are protected.
After seeing the rise in data breaches at all levels of government, the State of Missouri enlisted Veracode to create and implement an application security program that fixed more than 28,000 flaws in the first year of the program, and scaled to 360+ applications within three years. Curious to learn more about how Veracode helped the State of Missouri build and scale its application security program? Read the case study – which covers the process from start to finish – by clicking here.