A year after the city of Columbus fell victim to a massive ransomware attack, Ohio now requires every government agency to implement a cybersecurity program that safeguards their computer systems. The measure applies to counties, cities, school districts, and townships.
Local governments must establish cybersecurity training requirements for all employees. The law also mandates that local officials report cyberattacks to the Ohio Department of Public Safety within seven days of discovering a breach. Additionally, officials may only pay a ransom with the approval of the government’s legislative body.
Origins of the Policy
This was all the fallout from a cyberattack on Columbus’ IT systems last July. The Rhysida ransomware gang, based in Russia, claimed responsibility, stating they had stolen databases containing sensitive data, including employee credentials and footage from city video cameras. The stolen data reportedly included names, dates of birth, Social Security numbers, bank account details, and even records of residents’ interactions with city services.
Rhysida demanded 30 bitcoin for the stolen data. It is unclear whether Columbus ever paid all or part of the ransom, but the mayor later declared that the data was likely “corrupted” and “unusable.”
“Upticks in cyberattacks that lead to ransomware targeting regional and community municipalities, departments of education, schools, and governments is not new or surprising,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “These types of targets have long been low-hanging fruit for cybercriminals. It shouldn’t take a devastating ransomware attack for government entities to realize the importance of cybersecurity.”
A New Zero-Trust Approach
Columbus itself has now introduced a zero-trust network, which enforces strict identity verification for anyone accessing city systems, including all city employees. Under the zero-trust model, no user or device—whether inside or outside the organization—is automatically trusted, so every access request requires multiple layers of authentication.
This policy is just the first step toward a comprehensive cybersecurity plan.
“It’s interesting to see that the governor is making a public declaration that cybersecurity mandates for stronger security and training will be enforced, but it’s not likely that this declaration will have any real impact unless these new mandates have actionable and attainable cybersecurity guidelines and roadmaps,” said Goldberg. “Zero-trust is a bare minimum, but organizations cannot rely on regulatory mandates to implement stronger cybersecurity standards. Zero-trust has to be a cultural change, one that starts with the C-suite.”
