Steven Potter:
Tell me about some areas where we're most vulnerable.

Zachary Oster:
A lot of the areas where we're most vulnerable are places you might not expect. So, local governments tend to have vulnerabilities because they have small IT staffs — they maybe don't have a lot of funding for cybersecurity, it's not a top priority. The top priority is serving the people of the city or the county or the school district. But they have valuable information. They have information about the police records. They have property records, all kinds of vital records that are worth money on the open market. A lot of cyberattacks tend to be ransomware, where you have — an attacker is able to get access to a system, encrypt all the data, lock other people out, and basically send them a ransom note, a literal ransom note saying pay me this amount of money in real money or more often in Bitcoin. You might get your data back, and if not, your data will just go away.

Steven Potter:
Walk me through a ransomware attack from start to finish — how does that look?

Zachary Oster:
Yeah, so with a ransomware attack, normally there's some way that the attacker can get into a system. Maybe it's an open connection on the internet. Maybe it's a website that's not fully secured. It could even be a building where someone's able to walk into the right room and plug in a device in the right computer. So regardless of how they do it, the attacker finds a way into a system, and that's easier to do than ever before. A lot of that — like scanning for vulnerabilities for ways into a system — can be done in an automated way. It can be done using AI to simplify the process. Once they're in, they find a way to scramble the data, to encrypt the data. They might also pull off a copy for themselves before they do that, because they can go sell those data on the dark web. There are people willing to pay money for that data. And once they've done whatever they want to do, they lock down the data or they lock down the system. They lock down the network, and they send a ransom note to whoever they think will have the money to pay.

Steven Potter:
What are the options from the victim standpoint about what to do?

Zachary Oster:
So one option is pay the ransom. That's normally not encouraged, partly because we don't want to incentivize people to do more ransomware attacks. If people think they can make easy money from this, they're more likely to do it. But partly because if you pay the ransom, there's no guarantee they'll actually give you access. They might have actually destroyed everything behind the scenes and now they have your money and your data, and you still have nothing. So there's a chance you might not get what you pay for. Another option, probably the best option, is to contact your local law enforcement. That's something you should do right away. So, law enforcement has special cyber incident response teams. There are several throughout the state of Wisconsin, a lot of them staffed by volunteers with cyber experience. The federal government also has cyber incident response folks who can help in some cases navigate the process. UW-Whitewater also has a Cybersecurity Center for Business that can help with some of that outreach. If we can't do the work ourselves, we can certainly refer people to those other resources to help them get help recovering their data hopefully, and certainly developing better practices to make themselves and their organizations more resistant to cyberattacks in the future.

Steven Potter:
Are smaller government entities or agencies or smaller communities more vulnerable victim for cyberattacks?

Zachary Oster:
Smaller government agencies, local governments can be more vulnerable victims, and often that's because they just don't have as many resources to devote to cybersecurity specifically. You know, if you're the federal government, if you're a state government, you probably have enough resources to have dedicated cybersecurity specialists working for you. If you're a local government, especially in a smaller locality, a smaller city or county or school district, you're less likely to have people who can just dedicate their time to monitoring for cyberattacks and intrusions and data breaches.

Steven Potter:
Is there something about their computer systems that maybe also make them more vulnerable?

Zachary Oster:
In a lot of cases, smaller governments might have older computer systems. They might not be fully patched in some cases. Again, that's a resource limitation in some cases — maybe they can't afford the latest and greatest, or they don't have people to make sure that all the systems are patched, they're getting the latest security updates, they're protected as well as we would maybe want them to be.

Steven Potter:
OK. How disruptive can these attacks really be?

Zachary Oster:
They can be very disruptive. They can take an entire county government or an entire city government or organization down for multiple days, or part of an organization.

Steven Potter:
Some numbers from the state Department of Justice is showing that there are more cyberattacks being reported here in the state. Do you know why we're seeing an increase in cyberattacks?

Zachary Oster:
In some ways, cyberattacks are getting easier. I think that's a big reason, especially with AI. Attackers are using AI too, and it means they can spread more attacks more widely. Basically they just have to get lucky once, and they're into a system and they can start doing damage.

Steven Potter:
There was the recent and still ongoing case in Iowa County where they received a ransomware cyberattack. Tell me what you think of that attack and what's happening there.

Zachary Oster:
Well, first, it's unfortunate that it happened, but it looks like they had backups for everything. So one thing about registers of deeds offices, they keep good records — it's their job. And so it looks like they've been able to reconstruct the records from what they had, even if that has been a time-consuming process. They've slowly been able to get things back online and they're continuing that process, and I'm sure they're all putting in a lot of extra hours.