National Association of Counties
Washington, D.C.

Cybersecurity threats abound, and not just to your data

By Charles Taylor

Organized crime, a rogue nation-state and the person in the office next to you all have something in common: Each can pose a risk to your county’s computer networks and cybersecurity.

Recent news headlines tell only part of the story. In Colorado, Washington and South Carolina, government data systems have been breached or attacked at the county, city and state levels, respectively.

“Former Fort Collins Resident Indicted for Denial of Service Attack on Larimer County Government” — FBI

“Burlington city bank account hacked, $400k stolen” —

“3.6 million Social Security numbers hacked in South Carolina — Tax returns, personal data compromised in ‘massive’ breach” — The State

In this Hot Topics special report, County News takes a look at cybersecurity from the inside out: the threats counties are facing, what they’re doing to protect themselves and what role each individual can play in securing cyber assets. 



How Big Is the Problem?

Though figures vary — and many cybercrime-cost studies have been sponsored by software and computer companies — the impact is considerable. The 2012 Cost of Cyber Crime Study, conducted by the Ponemon Institute and sponsored by HP, found that cybercrime cost U.S. businesses $8.9 million on average. It also reported a 42 percent increase in cyberattacks, with organizations experiencing an average of 102 successful attacks per week.

Roberta G. Stempfley is the U.S. Department of Homeland Security’s (DHS) deputy assistant secretary of cybersecurity. “The cybersecurity threats that local governments see are in part because we’re all a part of this interconnected network,” she said. “And so we’re all vulnerable in some ways to the threat environment that comes with that interconnectivity.”

President Barack Obama has called cybersecurity “a matter of public safety and national security.”

It’s Everyone’s Job

Just whose responsibility is cybersecurity? The federal government, states, localities? Individuals?

All of the above.

By and large, county commissioners aren’t cybersecurity experts. So, counties hire top-notch information security people and IT professionals — if they can afford them — to operate, protect and maintain their computer infrastructure. That should be enough, right?

“I think we depend on them, but then it becomes the issue of how educated are we that we even know what we’re supposed to ask or look for?” said Mary Ann Borgeson, a Douglas County, Neb. commissioner, who chairs NACo’s Cybersecurity Task Force. “We may not have all the intricate details as the technology people would, but we’re the ones who are forming policies.”

Ed Sherman is in charge of cybersecurity for Kitsap County, Wash., where the IT department reports to the County Board. “More and more, the county depends on technology to function,” he said, “whether it’s someone at the front desk wanting to get a marriage license, or a cop on the street needing to get information on someone they’ve just pulled over. It’s all technology-driven.”

Threats to Data and Infrastructure

While theft of data, as in South Carolina, is headline-grabbing and not to be minimized, cybersecurity is more than keeping records secure. Counties have another key directive: to protect the lives, health and safety of their residents.

Mike Hamilton is Seattle’s chief information security officer and has created a system — comprising the city, counties, municipal utilities and hospitals — to assess cyber-terrorism threats regionwide. “It’s a neighborhood block watch, essentially,” he says of the Public Regional Information Security Event Management system, PRISEM for short (see related story below).

“All of the news that you read is all about loss of records; and wow, it’s a bummer to lose those Social Security numbers; and wow, it’s expensive to comply with data-breach reporting statutes,” he said. “On the other hand, if the control systems that move clean water in and sewage out for treatment stop working for 48 hours, there will be absolute mayhem in the streets.”

Local government computers don’t just store and process data; they also run and monitor systems, including water treatment plants, electric utilities, and the like. Already, there are documented cases of hackers accessing industrial control systems (ICS). Last month, the FBI confirmed a report that a hacker had taken over remote control of a New Jersey company’s HVAC system; no harm was done. Cybersecurity experts believe if it can be done, it will be done, next time perhaps with intent to sabotage.

In an October 2012 report, DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned of an increased interest in hacking industrial control systems by so-called “hacktivists” (hacker activists). These are ideologically motivated hackers who attack networks to promote change or make a political statement.

“Hacktivist groups are evolving and have demonstrated improved malicious skills,” ICS-CERT wrote. “They are acquiring and using specialized search engines to identify Internet-facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems.”

SHODAN is one such specialized search engine. Its freely accessible homepage proclaims: “Expose Online Devices. Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP (voice over Internet) Phones.”

Seattle’s Hamilton said while counties need to be concerned about their “key information resources,” control systems exist in every local jurisdiction in the United States.

“Everybody manages transportation; everybody moves water around. These are what we ought to be focusing on here,” he said, “and this is where either the federal government needs to step in and provide some grant money for local jurisdictions to get after the business of securing this stuff, or regional innovations like the PRISEM system are going to have to step up and pick up the slack.”

Whether protecting infrastructure or information, the biggest challenge for cybersecurity professionals is aiming at a moving target.

“Cybersecurity is a journey. There is no such thing as perfect security, and the weakest link is people,” said John Lainhart, an IBM cybersecurity expert who is an industry representative on NACo’s task force. This is true regardless of what protective systems are in place.

Gone ‘Phishing’

Aside from the occasional inside job, most malicious threats to computer network security originate outside a county government center’s walls. But many breaches — South Carolina’s included — probably would not have been as successful for the intruders if it weren’t for an employee’s seemingly innocent mouse click on a link in a “phishing” email. Cybercriminals phish for information — usernames, passwords and financial account information, for example — by posing as a trusted entity.

In a report on the South Carolina incident, Mandiant, the company hired by the state to assess what happened, was able to determine that a malicious email was sent to several Department of Revenue employees last Aug. 12. At least one of them clicked on a link in the email, launching so-called malware (malicious software) that likely stole the person’s username and password.

According to Microsoft, cybercriminals often use “social engineering” — appealing to a person’s fears or emotions — to convince computer users to install malware or give up personal information under false pretenses. It could be via email or a phone call to convince you to download something from a website. Social engineering techniques can include threats of account suspension or the promise of something of value for free.

Federal Resources Available 

The Department of Homeland Security’s Stempfley said federal resources are available to help counties with cybersecurity. They include the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the State, Local, Tribal, and Territorial (SLTT) Engagement Program (see Resources, page 8).

“Several of the programs that we’re putting forward such as the continuous diagnostics and mitigation program for the federal government, we’re procuring in a way that will enable state and local governments to procure off of it as well,” she said, “thereby buying at a lower price point … because the federal government has helped to meet an initial bar for purchasing to get a volume discount.”

Cyber threats come in many forms, as the previous examples have shown. A distributed denial of service (DDoS) attack, like the one that affected Larimer County, Colo., is one in which a network or website is flooded with incoming requests that overwhelm the system, making it unavailable to legitimate users. The September 2010 attack left county employees unable to access email or use the Internet for two days.

Sheriff Justin Smith said, “It had a significant impact on Larimer County both operationally and financially.”

The attack didn’t come from Kazakhstan. According to the FBI, it was launched by a 27-year-old former county resident who allegedly was retaliating for receiving a DUI citation from the sheriff’s department. 

In Pacific Northwest, counties participate in PRISEM system to identify cyber threats

By Charles Taylor 


“There’s strength in numbers” could be the mantra of counties and cities in the Seattle area that are collaborating to assess cyber threats regionally.

The Public Regional Information Security Event Management (PRISEM) system is led by the city of Seattle. It is equivalent to a private sector firm known as a managed security service provider, which reviews computer network event logs for unusual or unauthorized behavior.

King, Kitsap and Thurston counties are among its members, along with the Snohomish County Public Utility District (an electric and water utility), several cities, maritime ports and a local children’s hospital.

“The real focus is protecting critical infrastructure,” said Mike Hamilton, Seattle’s chief information security officer, who led the effort. Each participant’s logs are sent to a central entity for review to provide a regional view — look for patterns and irregularities — rather than just looking at each individual network. The data is analyzed for potential threats.

Individual incidents such as a compromised desktop communicating to Ukraine — a known center for cybercrime activity — typically would be handled by the targeted jurisdiction, he explained. But PRISEM can determine whether other participants are experiencing the same threat.

The project is being funded by grants — about $500,000 from the U.S. Department of Homeland Security — and state and port security grants, Hamilton said.

PRISEM has been able to show that a cybersecurity attack targeted at Seattle was actually trying to steal medical research data from the University of Washington. “Why would they attack the city of Seattle for that?” Hamilton asked. “Because we share networks; we have trust established between us, and so they’re looking for the unlocked door to be able to get in.”

Kitsap County’s cybersecurity honcho, Ed Sherman, explained the system’s value to his county. “If someone is trying to get into Snohomish County’s system — it’s just a few hits — it’s not a big deal,” he said. “But if Kitsap County or Thurston County or some of the other entities in the area are getting the same types of hits from the same locations, then all of a sudden it becomes much more visible as this is a valid and probably dangerous attack.”

Hamilton said PRISEM also gives the region the ability to predict areas of vulnerability. “There are certain things that can occur as well that we need to tell the federal government about,” he said, “and another one of our R&D projects is automating event escalation to the federal level.

“If you think about it, there could be events that we can predefine that are pretty easy to define, actually, like all of the energy utilities in the region are under attack by this threat actor in North Korea, whatever. We’re going to have our problem to solve here, and we’re going to have to fend that off. But that is something that the federal government needs to know, because they can push down that information elsewhere and give that situational awareness to utilities that might not have been aware of that problem, and they can raise their defenses,” he said.

Educating County Policymakers about Cybersecurity Threats

NACo President Chris Rodgers has made cybersecurity a key initiative of his term in office, hoping to get county policy makers engaged, educated and empowered to prepare them for this evolving, shape-shifting threat to their operations.

“For years, counties have been at the forefront of emergency management. We have prepared for floods, hurricanes, tornadoes, and more,” Rodgers said. “But for one of the most destructive issues of our time — cybersecurity threats — we are ultimately vulnerable.

“County IT staffs have known about this for years, but the elected county policy makers are way behind.”