October was Cyber Security Awareness Month, an initiative of the Department of Homeland Security (DHS) and the nonprofit National Cyber Security Alliance. Many of their campaigns center around the idea of “shared responsibility,” a concept that becomes more relevant as every facet of society – from individuals to commercial enterprises and government agencies – becomes more enmeshed in linked digital services that collect, use, and transfer sensitive data.
Recent Rash of Ransomware
The recent increase in publicized cyber attacks on local and state governments put the “we’re in this together” dynamic under a stark spotlight. These attacks increasingly target critical infrastructure agencies like water utilities, police and fire departments, school districts, and judicial and administrative services. In a recent newsletter, SANS Institute expert William Hugh Murray said: “Healthcare, small utilities, and municipalities are now the preferred targets for these extortion attacks.”
Murray was referring to an October ransomware attack on a North Carolina water utility company. Just days later, a similar attack on West Haven, Connecticut’s municipal systems infected 23 servers (Connecticut’s Judicial Branch and Department of Administrative Services were hit earlier this year in separate attacks). A wide range of Madison County, Idaho’s services were held hostage by a ransomware attack, also in mid-October. After nearly a week, they were able to restore some critical functions, thanks to backup files. They expect to encounter related technical issues for several weeks. The City of Muscatine, Iowa is still working to restore service and public safety operations in the wake of an October 17 attack, and the Indiana National Guard is notifying personnel whose identifying information was stored on a server that was encrypted by ransomware the same week.
Some of the attacks have been linked to Emotet malware and Ryuk ransomware (e.g., the water utility attack) and are believed to be initiated through targeted phishing schemes and brute-force hacking of remote desk protocols to gain credentials. The Department of Health and Human Services issued a warning about Ryuk (a variant of Hermes) in late August, noting that attackers had already netted $640,000 from their extortion schemes. The Hermes ransomware has been linked to Lazarus, a powerful North Korean cybercrime group deemed responsible for the Sony hack, the WannaCry ransomworm, and the Bangladesh Bank heist, among others.
Indeed, it was a busy and expensive summer for an unfortunate list of municipalities: Matanuska-Susitna Borough, near Anchorage, estimates it will cost $2 million to recover from an attack that paralyzed their systems for weeks. The borough serves a population of approximately 100,000 Alaskan residents and ecompasses Port MacKenzie, a massive new development of facilities and railway links designed for the export of petrochemicals and natural gas. This case unmasks hidden risks in municipal cyber attack stories — these local systems are almost always linked to larger networks, databases, and resources, which could be breached by compromising the local sites first. Moreover, it’s hard to know how many of these attacks are motivated by espionage (often state-sponsored), with ransomware demands being used as a distraction.
Two ransomware attacks on fire and police systems in Riverside, Ohio earlier this year caused the state’s attorney general to cut off Riverside’s access to the Ohio Law Enforcement Gateway system, a statewide database for use by police departments. If Riverside can’t prove effective remediation of their systems’ vulnerabilities, they may permanently lose access, significantly hampering their day-to-day public safety operations. Similarly, a March ransomware attack on Baltimore’s 311 and 911 systems brought down automated dispatching, forcing operators into manual mode. While this attack was quickly detected and stopped, it isn’t hard to imagine the potential disastrous outcomes in a city of more than 600,000.
In a larger and less targeted campaign, Washington, D.C. came under attack in the form of 30,000 phishing emails sent to municipal employees that contained requests for sensitive information and passwords. Fortunately, their awareness training seems to have worked; employees quickly reported the suspect emails, thwarting further deployment of the attack. In the nation’s capital, compromise of city systems could rapidly become a threat to national security.
Small Government Agencies, Huge Responsibilities
Local and state governments factor heavily in the security of critical infrastructure. In many ways, their operations have a more immediate impact on day-to-day life, public safety, and core public welfare systems than other entities. And yet, many are run more like small businesses, with infosec budgets and teams that are remarkably out of scale to the threats and challenges they face. They are being targeted because of these vulnerabilities, but also because they store and process large amounts of highly sensitive information about citizens, public systems, and infrastructure operations (e.g., blueprints, schematics, organizational charts, etc.)
“Critical infrastructure” is often cited in discussions about cybersecurity, but we tend to think of it too narrowly in terms of electric power plants, water utilities, and urban public transportation. But we need to think more broadly and deeply about the interdependencies in all major systems, and the vulnerabilities and criminal opportunities they create. We’re in the midst of learning a hard lesson about this in terms of election interference. Ten years ago, it might have been hard to envision Facebook as a component of critical infrastructure, but given the scale of recent hacks and social media manipulation, the big picture is becoming painfully clear.
According to DHS, critical infrastructure includes the following sectors: chemical, communications, dams, critical manufacturing, commercial facilities (e.g., large shopping and entertainment venues), the defense industrial base, emergency services, energy systems, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water/wastewater utilities. Local and state governments play a range of roles in all of these systems, and are dependent on them in many cases.
Third-party Risks and Dependencies
In the U.S., businesses of all sizes, both public and private, make up huge portions of this critical infrastructure, which means that state and local governments have to contend with the risks and vulnerabilities they introduce, even though they may have very little control to wield. For example, during the recent California wildfires this summer, Verizon throttled the network bandwidth of the Santa Clara County firefighters on the scene, hampering their emergency response efforts.
In a less dramatic fashion, third party vendors can introduce risk when state and local governments outsource business processes in an effort to streamline service delivery to citizens. Flawed implementations of online-billing systems designed and widely used by local governments led to the exposure of thousands of citizens’ data in Florida, California, Texas, Arizona, Wisconsin, and beyond. While some of the fault for the breaches may lie with the government’s administration of the billing servers, the Click2Gov and GovPayNow breaches highlight the importance of working closely with vendors on secure configurations, incident response plans, breach disclosures, and network monitoring. In most of these cases, governments cannot solve the problem by simply switching providers; such migrations represent a huge commitment of staff time and budget for strapped local agencies and require months of planning. When legacy systems are breached, often the only viable alternative is to rebuild systems from the ground up.
Daunting Costs and Challenges
In general, breaches are growing more expensive. The Ponemon Institute’s 2018 Cost of a Data Breach Study indicates that for public sector organizations, the total average cost of a data breach is $2.3 million, with an average cost of $75 per stolen or compromised record. The report highlighted risk factors that increase the chances of a data breach, including third parties and compliance failures; it found encryption, employee training, and incident response planning to be effective in reducing risk.
Improving cybersecurity programs is challenging for any organization, given the speed and sophistication with which cybercriminals adapt their techniques to exploit fresh vulnerabilities and thwart every new security method. Local and state governments typically lag far behind the programs run by large, fully funded infosec teams at commercial enterprises. Municipal cyber security teams justifiably wonder how they’ll ever build a sufficient security program.
Beyond small teams and budgets, there are many specific challenges government agencies have to address: the obligation to comply with regulations and frameworks including NIST, HIPAA, CJIS, and CIPA; offering public/guest Wi-Fi services; contending with the risks inherent in mobile and IoT devices, and lack of visibility and control over their networks. Early detection and remediation of breaches are one of the most important capabilities these agencies must develop. To achieve the necessary level of cyber security maturity, agencies must prepare thoroughly, reassess risks often, and seek assistance from trusted advisors and vendors.
Next Steps Toward a Cyber Secured Society
There are many concrete steps agencies can take immediately. Assessing third-party vendors and how they process and protect data should be a continuous effort. Agencies should work together, share stories, and communicate about vendor issues and threat intelligence to increase their situational awareness and avoid repeating mistakes others have already learned from. Basic cyber hygiene — patching, upgrades, strong passwords, multi-factor authentication, limited access privileges and other best practices — goes a long way towards protecting networks.
Comprehensive, next generation firewall solutions that aid configuration, monitoring and analytics through user-friendly dashboards make it easier for small teams to run mission-critical networks and keep valuable data private. Monitoring networks for anomalous behavior and keeping continuous watch on system logs makes it easier to detect breaches before they can cause widespread damage. Data encryption protects citizens (and agency reputation) in the event their personal information is exposed or stolen. Backup systems, preferably off-site, have become more affordable with the widespread adoption of cloud services. They are an essential defense against ransomware attacks and can dramatically reduce the cost of recovery and remediation.
Last but not least, employee training and policy enforcement is paramount. Especially with current conditions making it so difficult to recruit top cyber security talent, your staff is an important front line of defense. Many ransomware attacks can be avoided if employees know how to react to suspicious emails and follow protocol for responding to requests for sensitive information.
It can’t be emphasized often enough: cyber security is everyone’s responsibility. Local and state governments are in a tough spot. They are closely intertwined with critical infrastructure sectors, but don’t have the resources they need to harden defenses proportionate to the threats in play. Vendors that work with these agencies have a responsibility to understand their unique challenges and help make the climb to the next level of network and information security. Public institutions are built on trust. The social contract that binds citizens and government is damaged by cyber attacks and breaches. Secure local and state governments are central to society’s ability to function and thrive. Directing more focus and resources toward securing their digital systems will benefit us all.
About the Author:
Timur Kovalev is the Chief Technology Officer at Untangle, driving technology innovation and integration of gateway, endpoint and cloud technologies. He has more than 20 years of experience in network security solutions, cloud development and threat intelligence solutions. Kovalev previously led Client and Threat Intelligence at Webroot, where his team developed desktop and mobile solutions, cloud intelligence services and research automation systems. He earned a dual bachelor degree in Computer Science and Electrical, Computer & Systems Engineering from Rensselaer Polytechnic Institute, and an MBA from the Leeds School of Business at the University of Colorado, Boulder.