Cybercrime is more likely to interrupt government services, hobble a business or hit your wallet every year. What is Georgia doing to protect you?

Three years ago a ransomware attack hobbled the city of Atlanta, ultimately costing the city as much as $17 million. Two years ago an attack on the Department of Public safety meant that the Georgia State Patrol couldn’t access incident reports stored digitally. This past June Savannah’s largest hospital system had to revert to paper records after being hit by ransomware. 

In response to these increasing threats the state has developed new programs, implemented reforms and invested substantially in beefing up cybersecurity resources and capabilities. This included the construction of the Georgia Cyber Center in Augusta that opened in 2018, funded with an initial investment of $100 million and which aims to provide affordable education and training for the next generation of cyber security specialists as well as serve as a center for technical and policy research.

Just one part of that overhaul was the creation of the Cyber Crime Center, a unit of the Georgia Bureau of Investigation (GBI) located at the cyber center in Augusta. The changing face of internet crime meant that the GBI’s existing Child Exploitation and Computer Crimes Unit, whose focus was cracking down on child predators and pornography, was ill-suited to the task at hand.

“We found, especially over the past few years, that online crimes that are not related to children — so online fraud or ransomware intrusions — are increasing at an extremely fast rate,” said Steve Foster, the GBI’s special agent in charge at the Georgia Cyber Crime Center. 

“Just between 2017 and 2018, those types of crimes increased by 62%,” he said. Between 2010 and 2020, the cost of cybercrime to Georgians has risen 832%, from just over $10 million a decade ago to a reported $98,762,523 last year. 

Federal data shows cybercrimes have been on the rise in Georgia over the past decade. (Credit: Brittney Phan for State Affairs)

---

What Cybercrime is Affecting Us Most?

While ransomware attacks have garnered the most attention, hitting high profile targets like the city of Atlanta in 2018 or the Colonial gas pipeline earlier this year, those attacks are not necessarily representative of most cybercrime in Georgia, according to Foster.

“Ransomware doesn’t take on normal folks, they’re not picking on me or you as an individual, they’re looking for deep pockets, so that they’re going after big corporations, big, big government agencies that can actually pay,” Foster said. 

The state has also upgraded much of their  information-technology infrastructure to prevent and minimize the effects of such attacks, according to David Allen, the chief information security office for the Georgia Technology Authority (GTA) which manages IT services for 85 state agencies. 

“The effects of that ransomware were pretty severe in some cases, and it really just highlighted the need for good cyber hygiene and in a number of state agencies, especially state agencies that …  had not been as well funded from an IT perspective,” he said. 

Among the changes put in place were simple safeguards like having backups of data, or having networks that would isolate and contain any intrusion, so only one machine might be affected instead of a whole system, Allen said. Allen said that when he took his post in 2019 ransomware was at the top of everyone’s agenda. But trends in attacks change year to year, and more recently online and email-based fraud attacks have become more common than ransomware, and the state is adjusting their security training for state employees accordingly.

The GTA oversees and implements a training curriculum for employees at state agencies that were mandated by an August 2019 executive order by Gov. Brian Kemp. Part of this includes testing employees by sending them emails that mimic fraudulent or harmful ones, and seeing how successful they are, Allen explained. It’s a training technique commonly offered as a service by private cyber security firms. When the success rate drops below a given percentage, Allen said, the program gets updated in what amounts to a deception arms race.

“We want it to be a learning activity because the adversary gets more crafty every day as well,” he said. 

• Read about what state law-enforcement authorities are doing to combat gang crimes in Georgia in our Explainer story, “Why is Georgia Spending Millions on a Task Force to Fight Criminal Gangs?”

---

How Does State Law Enforcement Take on Cybercrime?

Large attacks, especially those involving foreign actors, demand the attention of federal authorities. But when local governments and businesses are attacked, local sheriff’s offices or police departments don’t necessarily have the resources or expertise to address those issues. That’s where GBI is trying to fill the gap, Foster said. 

“The mission here is to put ourselves in a position where we can start investigating those kinds of crimes that are too small for the federal government, and they might be too large or complex for local law enforcement,” he said. 

Georgia agencies have to ask GBI for help before investigators step in when there’s a cyber crime and they’ve taken steps in recent years to make sure agencies do so. Luckily, the needed communications infrastructure to receive reports from all of Georgia’s counties was more or less in place at the Georgia Emergency Management Agency (GEMA), the agency that handles responses to natural disasters or recently, a global pandemic. House Bill 156 which Kemp signed into law in May now requires local governments to notify GEMA if they are the victim of cyberattack, streamlining the process for the state to get involved.

“GEMA basically is now the clearinghouse for those types of attacks,” Foster said. “So if you come into work on a Monday morning and you find out that your sheriff’s department has been compromised by ransomware, you now have that hotline that you can call to GEMA and GEMA gets all of the important partners involved in that.” 

The Georgia Technology Authority is integral to that process too, providing assessments, recommendations and policy guidance to local governments that have been hit by cyberattacks.

This architect’s rendering shows the Georgia Cyber Center in Augusta. (Credit: Georgia Technology Authority)

---

The Cost of Cybercrime 

It should be noted that the true cost and number of cyberattacks is far higher, as much as sevenfold according to Foster, than what is reported by authorities. This is mainly due to private companies dealing with attacks internally and wanting to avoid the negative publicity associated. “The important thing is the trends,” Foster said. 

Ransomware has certainly grown, FBI statistics show: 

• In 2015 there were just five reported ransomware attacks in Georgia, costing victims just $1,008. 
• In 2020 the number of ransomware attacks reported to the FBI grew to 47 and cost victims $2,620,500. 

That said, available information points to fraud and scams of various types accounting for the bulk of cybercrime. These include romance frauds and identity theft to simply not delivering purchased products. 

But one type has stood out in particular: business email compromise or personal email account compromise. Such attacks work when a fraudster accesses an email account and provides instructions to a vendor or client to change banking information, so payments intended for a business end up rerouted to the crook’s account. 

• In 2020 the FBI reported 476 such attacks in Georgia, costing victims $35 million, over a third of the cost of all cybercrimes recorded in the Peach State that year.

“It dwarfs everything. It’s a huge moneymaker,” Foster said. 

Since the GBI Cyber Crime Center opened in July of 2018, GBI has conducted 66 cybercrime investigations resulting in 13 arrests. These cases involved the theft of $6,120,582 through various forms of online fraud of which GBI has recovered 54% of stolen funds, or nearly $3.3 million. The victims of these crimes included 10 state agencies including the Departments Community Health, Transportation, Community Supervision, Driver Services and Natural Resources. Of those attacks, only three involved ransomware. 

“The overwhelming percentage of our investigations involve online fraud,” Foster said. 

• Read about how most local police agencies in Georgia do not report use-of-force statistics to the federal government in our story, “Only a Fraction of Georgia Police Report Use-of-Force Data to the FBI.”

---

 ‘We’re not where we need to be’

Beyond those regulations put in place by the federal authorities for businesses and governments to protect data, there are few state laws or regulations that mandate cybersecurity measures for governments or businesses outside of those the GTA has imposed on state agencies.

For local governments, instituting mandates could be a high burden. Some counties may simply not have the financial resources to invest substantially in their IT infrastructure. Even so, Foster sees that policy-making so far has been reactive to a constantly evolving threat.

“We’re making up the rules as we go. I mean that sounds silly but honestly I think we’re making the policy, as we’re seeing the threats and we’re evolving as these threats evolve,” Foster said. 

Despite the reforms, investments and improvements in cracking down on cyber threats and beefing up security, the situation statewide demands more, Foster said. 

“We’re not where we need to be,” he said. Key to that, he said, is prevention and getting the word out to the public and small businesses on how best to protect themselves.

“I think that we’ve fallen short on getting word out,” Foster said. Afterward, especially with foreign attacks, the law enforcement response is limited, he explained.

“Cybercrime is one of those areas where the prevention piece has to be the 90 to 95% of the effort. If we can keep people from becoming a victim in the first place, we’ve solved the problem,” he said. “If they become a victim, there’s very little that we can do, and that’s the frustration.”

---

What else do you want to know about how Georgia is handling the threat of cybercrime? Share your thoughts/tips by emailing [email protected].