How hurricane response helped one state’s cyber preparedness
Bloomberg Creative/Getty Images
Local governments in Louisiana are used to having the National Guard come in during natural disasters. Today, they are growing used to the guard coming in during a cyberattack, too.
When Hurricane Katrina slammed into New Orleans on August 29, 2005, it brought sustained winds of 145 miles per hour that knocked out power, destroyed homes and, in some cases, turned cars into projectile missiles. Record storm surges overwhelmed the levees protecting the city, leading to catastrophic flooding and more than 1,800 deaths.
It remains Louisiana’s worst natural disaster, and the state has had its fair share. To date, it has suffered 97 natural disasters, including droughts, cyclones, severe storms and winter storms, with losses for each event exceeding $1 billion from 1980 to 2024, according to the National Centers for Environmental Information.
And now, like so many other state and local governments, Louisiana is confronting a different kind of threat: cyberattacks.
Over the past five years, the state has experienced several debilitating cyberattacks, including a ransomware attack in 2019 that hit several public school systems, another that same year in New Orleans and an incident last year where five state colleges were notified that their networks were compromised. The costs to mitigate these attacks and recover from them is steadily rising. In FY 2020, the state paid $2.3 million to respond to cyberattacks, but by FY 2022, recovery costs had hit $14.4 million.
Louisiana’s solution is to apply its approach to natural disasters to cyberattacks.
When disaster strikes, a host of state and local agencies spring into action, including the Louisiana State Police, the Louisiana National Guard, the Governor’s Office of Homeland Security and Emergency Preparedness, the state Office of Technology Services and others. They are backed up by federal agencies, most notably the Federal Emergency Management Administration.
Louisiana used its response to natural disasters as a model when building its cybersecurity strategy and the partnerships needed to address breaches, said Lt. Col. Stephen Durel, deputy chief of cyber operations at the Louisiana National Guard.
“The first thing with these locals is you have to establish trust,” Durel said during last week’s Zscaler Public Sector Summit in Washington, D.C. “Because we'd been in there with a lot of these parishes during hurricanes, they knew the National Guard, they trusted us, they were friends of ours. We come in, and we establish that relationship so that the state, and everybody that wants to help them with cybersecurity can start to assist them.”
But there are challenges with the approach, namely turnover. Durel said sometimes guardsmen will come in for a few years, get experience and then move elsewhere, often staying with the National Guard but attached to another state. The Guard, like other state agencies, also lacks the resources and has a shortage of workers to plug those gaps and provide support.
Cyberattacks are multiplying, too. Durel estimated that 60% of agencies in Louisiana are targeted, including in “repeat business” attacks where hackers try to exploit vulnerabilities more than once.
A recent report from the Center for Internet Security, the nonprofit that coordinates the Multi-State Information Sharing and Analysis Center for states, found that cyberattacks against state and local governments went up from 2022 to 2023. Malware attacks went up 148%, while ransomware increased by 51%. The report also found a startling 313% increase in endpoint security services incidents, which include data breaches, unauthorized access and insider threats.
The center recommends that states and localities make use of existing federal resources, identify necessary improvements they can make to their cyber posture and have robust future plans in place to prevent major attacks. But the threats combined with workforce and financial pressures are adding up.
“We’ve gotten tired of it,” Durel said.
But there are encouraging signs that agencies and institutions are willing to work with the National Guard to better prepare. Durel said after the cyber incident last year involving the state colleges, guardsmen were able to go into every potentially infected network and remediate the issue at the same time.
It was unclear at the time of the attack whether the schools had been compromised, but out of caution, the guard limited access to their networks, email and systems.
Louisiana is looking to invest more in shared cybersecurity services that localities can access, a key tenet of whole-of-state cyber strategies. But it can be difficult, as after a cyberattack, the National Guard and the state might help stand up a better network, but the local government may find itself unable to maintain it after the state leaves. It’s all a “balancing act,” Durel said.
NEXT STORY: Survey: Few states have ‘established’ privacy program