Ohio Establishes ‘Cyber Reserve’ to Combat Ransomware

One hack made a county’s emails unreadable. Another disabled a city’s 311 help line amid a snowstorm.

At least three local governments in Ohio and the Cleveland Hopkins International Airport have all been hit with ransomware attacks in the last year alone.

The next time hackers go after a local government in Ohio, however, the state will have a new weapon to deploy: the Ohio Cyber Reserve.

Gov. Mike DeWine signed a bill into law Friday that establishes a volunteer “cyber reserve” of computer and information technology experts who will be able to assist local governments in the face of a ransomware or cybersecurity attacks.

The reserve will consist of five teams of 10 people spread throughout the state who will be vetted and trained to respond to cybersecurity emergencies affecting local governments. The response will be similar to the way the Ohio National Guard is placed on active duty during a natural disaster, said Maj. Gen. John C. Harris Jr., the Ohio Adjutant General who oversees the state’s National Guard.

“This is a persistent threat, and we have to continuously evolve our approach to protecting our critical infrastructure when it comes to cyber,” Harris said during Friday’s bill signing at the statehouse in Columbus.

Cyberattacks on local governments have become increasingly common, and experts have warned that ransom payments made to hackers may embolden them to attack with increasing frequency. Poor cybersecurity hygiene, including failure to update software patches or use of weak passwords, has contributed to making local governments vulnerable to attacks.

Along with the Cleveland airport, the cities of Akron and Riverside Heights were successfully attacked this year, as was Fayette County. The state’s national guard was deployed earlier this year to respond to the attacks that locked Akron’s financial accounts. 

Going forward, the cyber reserve team will supplement the Ohio National Guard in its duties but would only be deployed for cyber missions and related training, said Mark Bell, the cyber security outreach coordinator for the Adjutant General.

While the team is designed to support smaller local governments and critical infrastructure, Bell said businesses and individuals could also make requests for assistance that would be evaluated by the governor’s office. 

In a statement, DeWine called the reserve program an “innovative idea” that can “serve as a model for other states.”

Unlike the National Guard, the volunteer force would be comprised of civilians who could not be called up for active military duty. Members must vetted to join and the guard is currently accepting applications. Members would only be paid when deployed.  

The legislation allocates $100,000 in fiscal 2020 and $500,000 for operation of the cyber reserve.

The team will also provide proactive help to local governments by making the cybersecurity experts available to conduct vulnerability testing on computer systems and through providing recommendations to address threats, Harris said.

Several states, including Texas and Colorado, have deployed National Guard teams in the past to respond to cyberattacks on municipal governments. 

In the wake of ransomware attacks targeting municipalities in Texas and school districts Louisiana, where the National Guard deployed to assist local governments, the guard at the federal level is evaluating its cyber training program.