In the past five years, hackers have gained sophistication with constantly evolving attack methods, and for state and local IT pros on the front lines, battling cybersecurity threats can seem like trying to stop a waterfall with a thimble.
“We see almost everything,” says Ricardo Lafosse, chief information security officer for Cook County, Ill.’s Department of Homeland Security and Emergency Management.
Threats range from the simple to the more sophisticated and complex and only one thing is certain: they’re not going away. Public sector agencies experienced 137 percent more incidents in 2015 than 2014, according to PwC’s “Global State of Information Security Survey 2016.” Hardly a day goes by without reading another data breach headline.
The costs of these attacks also continue to skyrocket. A system breach causes network shutdowns, reengineering of systems and security, days of lost work and, increasingly, ransom money paid out to hackers. Estimated at $400 billion in 2015, cyberattacks could cost victims more than $2.1 trillion globally by 2019, Lloyd’s CEO Inga Beale estimated last year.
Hackers’ motives appear almost as varied as the methods they use to break into systems.
When Chinese criminals succeeded in a massive hack into the Office of Personnel Management, they exposed the personnel and security files of nearly 22 million individuals. Most experts saw a clear-cut case of espionage.
At the state and local level, attacks on government networks have their own attraction. Government networks’ detailed and sensitive information about individuals make them a prime target, says Eva Velasquez, the president and CEO of the Identify Theft Resource Center.
Her analysis is echoed by state and local security officers on the front lines, like Stanton Gatewood, CISO for the state of Georgia and leader of the Georgia Technology Authority’s Office of Information. A former Air Force cryptologist, Gatewood has dedicated his career to keeping information safe. These days, he has watched hackers take a more intentional approach.
“Some are just looking for a challenge or for bragging rights,” Gatewood says, “but now we’re seeing a change. People used to take a big net and cast it out and take just about any information they could get. Now they’re aiming directly for individuals who may have access or authority on certain systems.”
His department pays close attention to the systems that control public utilities such as the water system and the energy or power grids. Attacks on such systems haven’t been an issue in Georgia yet, but it could in the future.
“Everything that has a computer behind it could be a vulnerability,” he says.
Illegal infiltration of organizations takes a deft touch — one that perpetrators have a knack for. One of the most prolific tactics is phishing, or creating false emails or websites to trick employees and other users into providing information or downloading malware and applications.
A 2016 cybersecurity survey from the National Association of State Chief Information Officers (NASCIO) reveals that CISOs consider phishing and similar threats the most dominant cyber danger.
“When did a computer ever attack a computer on its own?” Gatewood says. “The most vulnerable thing is people. We click on a link, and then all sorts of things can happen.”
Today’s schemes are a lot more professional than some of the more laughable phishing attempts of the past. Highly targeted phishing scams — called “spear phishing” —directed toward specific employees, are becoming more common. If phishing is the bait, the hook, line and sinker are becoming more treacherous as well.
A new form of malware — ransomware — is rising in popularity among cybercriminals.
“Malware used to be the biggest threat, but over the past year and a half, perpetrators have gotten more sophisticated with the introduction of ransomware,” Lafosse says. “You’re starting to see it in the news.”
Earlier in 2016, when Hollywood Presbyterian Medical Center paid more than $17,000 to hackers who took over its systems, staff members were blocked from accessing patient records, Lafosse points out.
Ransomware typically downloads through a phishing scheme. Once the illicit application is active, it can block records or gum up critical government operations. Cybercriminals can also threaten to release sensitive records or prevent access to devices unless a ransom is paid.
In the first quarter of 2016, PhishMe, a company that delivers anti-phishing solutions, analyzed more than 600 threats and found that half of all phishing attempts contained ransomware. And the number of ransomware attacks is only expected to increase because it’s such a lucrative business: The boss of a Russia-based hacking ring can make about $7,500 per month, well above that country’s average monthly salary of $500, according to a recent report from Tech Insider. Government entities are particularly vulnerable to ransomware. A report by Bitsight, a company that calculates cybersecurity ratings for businesses and other entities, calculated that about six percent of agencies at all levels of government experienced ransomware on their networks — triple the amount they experienced last year.
Despite the growth and sophistication of cyberattacks, state and local governments continue to adjust and find ways to keep costly and malicious acts at bay. A significant development in the past year noted by the NASCIO survey is that, after years on the backburner, cybersecurity finally has the full attention of state and local leaders.
“When I started here we had to make a huge shift from a decentralized, ad hoc effort,” Lafosse says. “Now, governments are realizing cybersecurity is a real threat with a real public safety impact. People understand the risk. It’s a good trend.”
CISOs throughout the country are hard at work on strategic plans and asking for bigger budgets to keep data safe. And it’s encouraging that the executive branch is becoming more aware of threats thanks to more regular briefings from CISOs, says Agnes Kirk, CISO for the state of Washington.
At the NASCIO 2016 conference in Orlando, she also pointed out that it’s just as important to inform the legislative branch, which decides where a state’s budget goes. Security efforts must be funded; if a legislature isn’t briefed on a state’s security needs, it won’t fund it.
“We try to educate the legislature that if they don’t invest in prevention, they will be investing in cleaning up messes from breaches,” Kirk says.
Additional data from the NASCIO survey reveal that in 2015, CISOs were more confident in their ability to protect digital assets across a number of fronts, ranging from internal threats to threats originating from applications.
Most CISOs agree that since threats can come from anywhere, education and training of employees remains a critical implement in the cyber toolbox. Back in Georgia, Gatewood is building the Georgia Cyber Academy, a comprehensive awareness, training and education resource for state employees and agencies.
“Education has the best return on investment for cybersecurity,” he says. “These are ongoing, hands-on, participation-based workshops.”
Gatewood intends to roll out the program first to agency ISOs to provide them with the tools to keep their data safe and react in a crisis. In Cook County, Lafosse has basic programs in place for all county employees, which includes information about password safety and how to detect phishing communications. His team offers more specialized training for IT staff, such as teaching email engineers how to properly configure communications for maximum security.
To protect systems from cyberattacks, detailed infrastructure planning is key. That means setting up redundant systems, means for backups and recovery, incident response procedures, and continuity of operations plans. In many cases, firewalls, anti-virus software and spam-filtering solutions are already fully deployed. As their capabilities improve, CISOs may find upgrades essential. Many IT security pros are also testing new tools and protocols, including multifactor authentication and automatic network behavior analysis.
About 80 percent of the threats Lafosse’s department sees are easy to spot, he says, such as rudimentary scripts that can be found online; however, the other 20 percent are much more difficult to detect. He’s put several controls in place that have been extremely effective, such as advanced malware protection for web requests and applications that can detect and defuse attacks to the system.
Both Lafosse and Gatewood deploy newer technologies that rely on Big Data analytics to continuously monitor for incidents or advancing threats. They’re not alone: PwC’s survey notes that continuous monitoring was the top security priority for public sector data professionals.
As states and localities produce more and more data and shift move services to the cloud, Big Data analytics grows as a powerful cybersecurity tool. Constant analysis and reanalysis of all of the data produced by users and applications help machines learn the difference between normal patterns and anomalies, which may be the first signal of a system breach.
As more public entities roll out advanced, cloud-based data analytics, they’re also dealing with the complexities of integrating older legacy systems into their data security net. Protecting those vulnerable systems often requires a more creative approach.
Encrypting data represents one tactic, but legacy systems in constant use are more difficult to encrypt. That was the case with the Office of Personnel Management break-in by Chinese hackers. The federal agency continued using an older system that didn’t have the capability to encrypt the data.
For certain legacy systems in Cook County, Lafosse has taken steps to keep them separate from the larger network.
“We’ve created a security enclave,” he says. “We isolate the system as much as possible by allowing it to talk only to a single server on the network. That reduces the attack surface.”
In many ways, the state of security in state and local agencies has started to move in a positive direction. Security professionals are gaining skills and utilizing more technology that helps teams anticipate and halt many hacking attempts before too much damage occurs.
Although government officials understand the importance of data security, their support isn’t quite enough. Two-thirds of state officials say they are confident that the data and systems within their jurisdiction are safe, but just 27 percent of state CISOs agree, NASCIO’s survey also revealed.
Along with a lack of sufficient funding — the number-one barrier to cybersecurity challenges — the difficulty in hiring cybersecurity professionals, often due to salary caps, results in yet another challenge.
In the end, the greatest threat to state and local systems may not be hackers’ ingenuity, but the fact that there aren’t enough resources to implement the plans that will help keep systems and data safe.
“The biggest threat to the system? It’s not the latest malware or a virus,” Gatewood says. “It’s funding, budgeting, support and strategic planning. If we don’t have those things, we’ll remain vulnerable.”
But given the increased awareness of government leaders about cybersecurity, state and local government officials appear to be headed in the right direction. Support at the budget level plus effective, formal strategies to combat cyberattacks are more likely to receive the funding necessary to keep data, and people, safe.