In Utah, Fending Off More Than 20 Million Malicious Transmissions Is Just a ‘Light Day’
For the state’s chief information security officer, protecting IT systems and sensitive information is “a game of risk management.”
Every day the state of Utah faces a bombardment of cyberattacks.
One way to measure them is by looking at “network packets,” a term that refers to small amounts of data sent over the Internet. The illicit packets blocked from the state’s computer systems on a light day might be just over 20 million. Utah’s chief information security officer, Tim Hastings, who has held that post for about two years, looks at the numbers each morning. On the worst day he’s seen, the number of packets totaled more than 4.5 billion.
“Some days are really, really heavy and some days you don’t see much at all,” he said. “But when I say ‘I don’t see much at all,’ that’s 23 million.” Automated tools stop most of the packets. But when the state experiences large or sophisticated attacks, staff members may have to step in to make sure hackers don’t find ways around those tools.
It can be hard to know how many people or groups are responsible for menacing the state’s computer systems, or where they are. One person, acting on their own, could send millions of packets from computers they’ve taken control of in countries all over the world.
“Probably if you put numbers behind it, as far as people trying to attack, or machines trying to attack, you’d at least have thousands per day,” Hastings said in a recent interview.
The motives behind the electronic assaults vary. Some people might be looking to steal data, others might have ideological reasons for wanting to embarrass a public official or crash an agency website. “We’ve got folks that constantly scan and probe anything they can to identify a vulnerability or a weakness that can be exploited,” Hastings said.
Utah is using a combination of technology and training to defend itself against the daily barrage of malicious packets, as well as other types of attacks designed to spoof employees into giving up information. The state’s work on cybersecurity offers a window into some of the challenges governments confront as they square off with increasingly resourceful online criminals.
A Critical Concern
The stakes involved in protecting a network against a big breach can be high.
Montana discovered in May 2014 that hackers had gained access to a server with health and human services records that contained information for about 1.3 million people, including Social Security numbers. The prior year, a Washington state court system website was breached, compromising Social Security numbers for up to 160,000 people. And Utah had its own problems in 2012 when hackers downloaded personal information for as many as 780,000 people off a Medicaid server.
At a National Association of Chief Information Officers conference in April, Montana’s chief information officer, Ron Baldwin, described the 2014 attack as “humbling.” The work required just to notify people that their records had been accessed was a heavy lift. At one point the state was mailing out about 200,000 letters per day as part of that process.
A NASCIO report published in 2014, in conjunction with Deloitte & Touche LLP, found that while about 60 percent of state officials were “very” or “extremely” confident that their state was prepared to fend off external cyber threats, only about 24 percent of chief information security officers felt the same way.
Stuart Davis is Ohio’s chief information officer and the president of the association. He said in a statement issued earlier this year: “Cybersecurity is a critical concern and priority for state CIOs.”
No Silver Bullets
Cyberattacks, and the cybersecurity measures states use, are constantly evolving.
“I think the security world is moving away from silver bullet-type defense strategies,” Hastings said. “That mentality was there 10, 15 years ago.” These days, he sees cybersecurity as “a game of risk management.” This means building up layers of protection around the most sensitive data and people in an organization to lower the chances of a successful attack.
Asked to provide an example of sensitive information, Hastings pointed to human resources records. “You’ve got every employee and their salary, and their Social Security number and their home address,” he said. “In some cases you have health data as well.”
“You can paint a very detailed picture of what that person looks like and steal their identity if you get HR records,” he added.
To protect these records, Hastings said an organization might use monitoring tools that issue alerts whenever they are accessed from an IP address outside of its network. An IP address is the string of numbers that identifies a specific computer on the Internet. A further precaution would be to allow no outside IP address access to the records at all, not even for staff.
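The alerting approach Hastings describes, reduced to code: the example below is added here and is not the state's tooling. It assumes a constructed access-log format (timestamp, user, source IP, resource path), a constructed set of internal address ranges, and that HR records live under a `/hr/` path; every access to such a record from an address outside those ranges becomes an alert, and a source field that does not parse as an address is treated as external so the check fails closed.

```python
import ipaddress
import re

# Constructed for this example: the address ranges that make up the agency's own network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed log format: "<timestamp> <user> <source-ip> <resource-path>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_internal(src_ip: str) -> bool:
    """True if the address falls inside one of the agency's own ranges.
    An unparsable address counts as external, so a malformed field fails closed."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def audit_hr_access(lines, protected_prefix="/hr/"):
    """Return (timestamp, user, src_ip, resource) for every access to a protected
    record that did not come from inside the network; these are the alerts."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, user, src_ip, resource = m.groups()
        if resource.startswith(protected_prefix) and not is_internal(src_ip):
            alerts.append((ts, user, src_ip, resource))
    return alerts


# Constructed sample log: internal reads, one read from a public address,
# one with a malformed source field, and one non-HR resource that is ignored.
SAMPLE_LOG = [
    "2015-06-01T08:02:11Z jdoe 10.4.12.7 /hr/records/1042",
    "2015-06-01T08:05:40Z asmith 192.168.3.9 /payroll/reports/2015-05",
    "2015-06-01T08:07:03Z jdoe 203.0.113.45 /hr/records/1042",
    "2015-06-01T08:09:15Z mlee 999.1.1.1 /hr/records/2210",
    "2015-06-01T08:11:00Z asmith 172.20.1.8 /hr/records/0007",
]

if __name__ == "__main__":
    for ts, user, src_ip, resource in audit_hr_access(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} src={src_ip} resource={resource}")
```

The stricter option Hastings mentions, refusing outside access altogether, is the same check applied at the access-control layer rather than after the fact in the log.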
Hastings said that he would even go so far as to consider what’s called “multifactor authentication” for highly sensitive records. This means a person would need more than one credential to access a system. For instance, along with their password they might also have to use a fob-like key device, in order to unlock the information that’s being protected.
The Weakest Link
But even shielding data and networks with the best electronic armour might not be enough. Hastings explains: “People are always your weakest link in the security world.”
“Tools will execute on what you give them,” he added. “But people are still susceptible to a bleeding heart, or wanting to be helpful.”
Utah has worked for several years to strengthen the human element in its security regime with annual training to educate people about cyber threats. Hastings also takes some additional measures. “We have our own, what we call, security drills,” he said.
The drills involve Hastings sending his own phony phishing emails. Phishing is a well-known tactic cybercriminals use to try to steal information or money.
The classic version of this scam consists of misspelled promises of cash in exchange for help transferring offshore wealth into your country. The only catch is that the person making the request needs your bank account number. But, like any other part of the technology sector, phishing has advanced, and has moved well beyond its ham-handed early years.
Governments and other organizations now need to be on the lookout for “spear phishing,” malicious emails that appear to come from trusted sources. These often contain proper grammar and formatting, perhaps a corporate logo, and even a legit-looking email address.
For example, an email might seem like it’s from a company that a government agency does business with. Or maybe the sender appears to be from inside an organization, like someone from the human resources or IT department.
With spear phishing emails, government employees might get duped into entering usernames or passwords that can lead to breaches. “If it looks official, they might say, OK, I’ll click on that and update my information,” Hastings said. Less than 5 percent of respondents tend to fall for the schemes in his drills. The point of the exercises, he stressed, is not to make anyone look foolish; they’re meant to help people learn and to tighten security.
“I want to track the number of people that fall for it so that I can give a statistic,” he said. “Then I always follow it up with, ‘hey, guys, I sent this out, and here’s the 18 ways you could have spotted this was not real.’” He added: “It’s another resource of more interactive training.”
Going forward, Hastings suspects cyber criminals will use increasingly sophisticated techniques to target government employees. “Anything with social engineering,” he said. “Phishing, spear phishing, even calling people on the phone, sending them phishing texts.”
Not All Attacks Aim to Make a Profit
But governments deal not only with attackers that are trying to make off with information and money, but also those that are trying to make a point. “Hacktivists,” as they’re sometimes called, can also be a threat.
A common technique for hacktivists is what’s called a denial of service attack. This type of attack is what happened the day when the 4.5 billion packets of information inundated Utah’s computers, according to Hastings. The point of the fusillade wasn’t to breach data; it was to overwhelm the targeted computer systems so that the services they provide became unavailable for legitimate users.
When law enforcement officers in the city of Saratoga Springs, south of Salt Lake City, shot a 22-year-old black man named Darrien Hunt last year, it set off a string of hacktivist-related incidents. “They continue to attack that local police department and the state,” Hastings said.
Why Not Fight Back?
When it comes to cybersecurity, Utah is more or less always playing defense. The state’s Department of Technology Services does have the option to work with law enforcement agencies, or the Defense Department, which can conduct counterattacks. But, according to Hastings, offensive moves are rare and the state does not carry them out.
“I could very easily launch a denial-of-service attack back at them so that they couldn’t execute their attack, but what I don’t know is that a kid sitting in a basement in Europe somewhere, or is that a part of the Mafia or the mob, or is it a part of a nation state,” he said.
Depending on the attacker, Hastings noted, by hitting back he could put himself, or the state, at risk. “That’s a very dangerous route to go,” he said.
So for Utah, cybersecurity remains a largely defensive enterprise, one that is focused, for the time being at least, on reducing the chances of a successful attack or data breach to an acceptable level. “There’s always going to be a risk that a breach will get through,” Hastings acknowledged. “But I want to make sure that we’ve got a documented and calculated strategy for making sure that is at a low risk level. And that’s where we are now.”
Editor's Note: The headline on this story has been clarified to be more precise.