One Lax State Can Make the Other 49 Vulnerable to a Cyberattack

WASHINGTON — All states are vulnerable to cyberattacks if even one ignores National Institute of Standards and Technology cybersecurity protocols, a framework only 20 of 35 states the National Governors Association surveyed have implemented.

The other 15 states are in the process of aligning with NIST. But five governors have made no progress toward receiving regular cyber threat briefings, two haven’t initiated risk assessments, five haven’t implemented a three- to five-year strategic plan based off those assessments, and three lack a disruption response plan.

While Virginia Gov. Terry McAuliffe, who chairs the NGA's executive board, didn’t call any governors out by name Saturday during his Meet the Threat session at the association’s winter meeting in the nation's capital, he did privately issue a color-coded card to all present indicating their state’s cyber risk level.

“If you have red and yellow, you really need to do something about it,” McAuliffe, a Democrat, said.

State governments have more data than the feds, he said, and Virginia alone saw 86 million cyberattacks in 2016, he said. A recent attack attempted to access the governor’s email from a state account.

A talented hacker can use an unprotected health care provider in a smaller state as a backdoor into Virginia’s systems, and the same is true of infrastructure, power grids, water utilities and police dispatch centers. If an energy grid goes down, “that impacts our cost, our response to the state” and threatens not only government systems but those of the private sector, said Arkansas Gov. Asa Hutchinson, who chairs NGA’s Homeland Security and Public Safety Committee.

A former Homeland Security undersecretary under President George W. Bush, Hutchison said a denial-of-service attack was successful in shutting down his state’s website within the last two weeks, though no data was lost or personally identifiable information stolen.

Before being elected governor, Kate Brown served as Oregon’s secretary of state and saw its business registry and campaign finance websites hacked in 2014. Since then, she’s worked to increase Oregon’s security posture by auditing structural gaps and moving forward with a Center for Cyber Excellence to identify best practices and facilitate information sharing between agencies and other jurisdictions.

“I think we can do this in Oregon by bringing companies together like Intel and Hewlett-Packard and bringing universities together,” Brown said.

‘The Governor Was Responsible.’

Last year low-level, Kosovar hacker Ardit Ferizi was sentenced to 20 years in U.S. prison, after being extradited from Malaysia. What appeared initially to be an unsophisticated breach of a U.S. retail company’s server, yielding around 1,350 names and addresses and a $500 ransom request, took a dark turn when a federal investigation found Ferizi was in contact with British-Pakistani hacktivist-turned-terrorist Junaid Hussain.

Ferizi had combed through the names he’d obtained and placed those of U.S. soldiers and government workers on an Islamic State kill list.

Hussain was killed in a U.S. Central Command drone strike on Raqqah, Syria, in 2015. A seemingly harmless cyberattack had, in fact, been part of a larger terrorist plot spanning five countries.

“The person responsible if something goes wrong will be you,” said John Carlin, a partner with the international law firm Morrison & Foerster. “If it’s your state and your system, they’re going to say, ‘The governor was responsible.’”

"There is no internet system that is safe from a dedicated nation-state or criminal group, if they’re determined to get in right now,” he added.

“Bad actors” are exfiltrating trade secrets from state universities and companies for the benefit of other countries, and the close-mouthed approach to dealing with Cold War espionage is being traded in for public information sharing to disrupt future cyberattacks—mainly through the U.S. Department of Justice’s National Security Cyber Specialist network.

Carlin said many foreign entities have the desire, but only four are considered capable of causing a full-scale cyber incident in the U.S.: China, Iran, North Korea and, most recently, Russia. In fact, these countries prefer to avoid open military confrontation in favor of fighting online.

In Beijing, military officers work eight-hour days attempting to steal secrets from U.S. companies, and Iranian hackers could’ve caused flooding in New York in 2013 had the dam sluice gate they took control of not been down for maintenance.

North Korea’s 2014 Sony hack—thought to be triggered by “The Interview” film’s comedic portrayal of the assassination of Kim Jong Un—was an interesting case, Carlin said, because until the country was named responsible 28 days later, press coverage focused entirely on what the victim did wrong.

As a result, then-President Obama issued an executive order outlining consequences in the event of future cyberattacks. That’s what made sanctions possible when U.S. intelligence agencies confirmed Russia stole Democratic National Committee emails in 2016.

Still, the stolen emails are what people remember.

“These are vulnerable spots that will be there somewhere in your state system,” Carlin said

‘Fatherly’ Advice

Following the advent of the internet, there was a several-decades-long rush to move everything from analog to digital and get it connected to the web without any thought as to the risks. Everything from pacemakers to drones to automobiles is hackable, so the latest Internet of Things trend requires “security by design” on the front end.

For their part, states must give serious thought to what hackers might do to cause them the most harm and how quickly their backup systems can be up and running because, unlike CEOs, governors must protect not just information technology but also operational technology.

Following a state cyber incident, incomplete information will be coming at a governor fast, so decisionmaking preparedness is key, said Mary Galligan, a Deloitte managing director.

Throughout government, administrators should also practice access management.

“You should only have access to what you should have access to,” Galligan said.

That’s even true of one of the “fathers of the internet”, Vinton Cerf, who isn’t granted unlimited access as chief internet evangelist at Google.

Breaches occur because software inevitably has bugs, Cerf said, and those mistakes get exploited even when developers attempt to patch known problems. “Moral suasion” shouldn’t be underestimated by governors looking to deter cyberattacks, but in lieu of that, encouraging two-factor identification within government is also important—despite the inconvenience.

Fingerprint biometrics are being introduced as a form of identification, but governments shouldn’t rely solely on them because you can’t change your fingerprints. If a hacker gets a digital summary of an employee’s fingerprints and injects them into the system, they become them, Cerf said. Two fingerprints and a token that generates a one-time cryptovariable are preferable.

The https protocol is nice because it generates an encryption key, Cerf said, but that doesn’t necessarily securely authenticate you.

Cerf also warned against phishing emails: "If you get an email and it says, ‘Click here, this is really fun,’ don’t.”

More broadly, government agreements with outside jurisdictions are important for when governors discover a cyber attack was perpetrated outside their jurisdiction. As the “laboratories of democracy,” states and localities will be where replicable cybersecurity best practices emerge, Cerf said.

While large companies often have an in-house cyber expert for an executive or on their board, states should help educate small businesses, that lack the capacity, on proper cyber hygiene. That alone accounts for 85 percent of the issues on the internet, Galligan said, and along with patch management provides a good resiliency base.

“In addition to having a well-educated cyber workforce, it occurs to me that we ought to have a cyber fire department,” Cerf said.

By that, he meant a team of “response and attribution” experts capable of alerting companies when they’re at risk of or experiencing a breach and identifying the source. Safeguards would have to be implemented to prevent one company from sicking the department on a rival to disrupt their business, Cerf added, because “it’s easy in this space to pretend to be somebody else.”

Another tool states sorely lack is the ability to measure how well they’ve implemented the NIST framework. Internally, Google tests its disaster response once a week by running live operations off its backup systems—a metric state governments should work toward implementing, Cerf said.

Governors hoping to hear military information sharing is capable of preventing a chain of cyberattacks against states likely left dismayed. While it’s still valuable to know of a cyber attack on a neighboring state, what won’t be known or shared quickly is how the breach occurred and what information hackers sought.

“I agree that it’s not fast enough or on scale,” Carlin said.