Tag Archives: hacking

Cyberhacked – Again

In the face of continuing breaches, what are Governments to Do?

The depressing news made headlines in Washington State and nationwide last week – the Washington State Courts systems had been hacked, and about 160,000 social security numbers and the information from a million driver’s licenses was potentially exposed to hackers. This announcement was almost coincident with the news of $45 million stolen from the world’s cash machines, a problem with weak security in several private banks.

Plenty of similar news abounds – South Carolina’s Department of Revenue had a data breach which affected 6.4 million businesses and residents and has cost the state $25 million, so far. The State of Utah had the personal information (social security numbers, healthcare information, etc.) of 780,000 residents compromised in 2012. Indeed, 21 million people have had their health records lost or stolen or breached in the last three years, and millions more have been victims of identity theft, loss of credit card or personal financial information, and similar issues. Even law enforcement is not immune, as the Salt Lake City police department itself was hacked and information lost in early 2012, and the Honolulu Police Department revealed a breach this past week as well.

Believe me, these reports are just the tip of the iceberg in terms of lost or breached data in government and the private sector.

What’s a government to do?

I have several practical suggestions:

1. Hang together, don’t hang separately.

In every government, departments are silos. Each department wants to assert its independence from the others and manage its own data, technology and IT systems. At another level, there are three branches of government – judicial, legislative and executive. For the Federal government these are the federal courts (e.g. U.S. Supreme Court), Congress and the President. Each branch asserts its independence from the others. And, of course, cities are independent of their counties who are independent of their states and everyone mistrusts the Federal government.

When it comes to cybersecurity, this is bullshit.

The “bad guys” are incredibly well-organized. Bad actors could be a criminal syndicate, as in the ATM hack earlier this week, or Anonymous, or even nation-states. Several national governments – China, Israel and the United States – are widely cited as developing cyber weapons.

To respond to these threats, cyber defense teams have to work together, ignoring their organizational silos. There might be separate teams in separate branches or departments, but they need to support each other, probe vulnerabilities in each other's systems, and actively share information. Every government should have cross-agency cyberincident response teams and forensic investigation teams which are activated at a moment’s notice whenever an incident – even a single infected computer – occurs.

2. Actively use private sector resources.

Many private companies will handle credit card processing, perform vulnerability scans, and do risk assessments. They’ll even manage a network on behalf of a government. No government should be doing its own credit card processing or holding/securing citizen credit card information. At the very least governments can contract with private companies to scan their networks and websites for vulnerabilities, do audits of internal systems, and similar work. Private companies will have much more expertise than most governments can hope to hire directly.

3. Consider the “cloud”.

Amazon, Microsoft, Google, and a number of other companies offer to store data or manage applications at their data centers and sites, in their “cloud”. These companies have teams of information security experts to protect this data. Governments should actively think about using such services. One problem is contractual – most cloud providers want to limit their liability in case a breach occurs. Unfortunately, I’m not aware of contract language with a cloud provider which would satisfy all of a government’s concerns about breaches and loss of personal information, and I encourage your comments about this.

However, another alternative is for one government to create and host cloud services for others, again using joint cyber protection and response teams. Such a technique might also address other concerns, such as the need to run background checks on data center employees for CJIS or HIPAA compliance.

4. Use hackers.

Every state has a major university. A friend of mine, CISO at a university, has described the school as having “35,000 potential hackers”. Governments could create special relationships with their colleges and universities to employ students and student interns in a wide variety of tasks to manage, monitor and audit/probe their government systems. This technique has the added advantage of helping to train these students – give them practical skills necessary to solve the shortage of information security workers.

There are, undoubtedly, many other protection techniques governments should adopt. A major problem, in my experience, is complacency. “Our techniques are working.” “It can’t happen here.” “We passed a cyber security audit last year.” Again, such complacency is bullshit. Cyber attacks, vulnerability discovery and the application software we use all change too rapidly.

This underscores the most important of my suggestions – the first one – working together. Too often we government employees put our department first, or believe we “work for the xxx independent branch of government”, not the governor or mayor or legislature or (fill in the blank). Maybe we’re afraid of losing our jobs or fear what the results of an audit might disclose.

In the face of the attacks above, this attitude, this culture absolutely must change. We all work for the citizens of our city or our state, who entrust us with their sensitive data. And we absolutely must cooperate much more to safeguard that information.

After all these data breaches, have we learned our lessons?

Sadly, I doubt it. I expect that, over the next 12 months, I’ll be tweeting and reporting further breaches and potential losses of citizen information.

When will we really learn?

(Full disclosure: I now work for the State of Washington. However, I have no “inside” knowledge of the breach at the State of Washington Courts.)


Filed under cybersecurity, homecity security

Can a City be Hacked to its Knees?

The New York Times had the audacity to research and write a story critical of Chinese Prime Minister Wen Jiabao’s family. In return for its journalism, the Chinese government apparently unleashed a four-month long hacker attack against the Times, stealing, among other data, every one of its employees’ passwords. This effort was apparently searching for the sources for the story. Ars Technica has a short, frightening account of the hack. And, of course, the Chinese government succeeded – would people critical of the regime dare to talk to the New York Times now, knowing its technology can be hacked?

There are many related and frightening stories – the Wall Street Journal was attacked, a power station in the United States has been offline for three weeks due to an attack based on a USB drive, and, of course, Anonymous (or someone) has been hard at work with denial of service and web defacing attacks on banks and government agencies.

Could a City, County or State government be subject to a similar attack?

A few years ago, when I was CIO in Seattle, I would have dismissed the notion out of hand. A City government does not hold the secrets to making a nuclear weapon in its digital vaults, nor do cities have active networks of foreign spies (with the possible exception of my friends in the Big Apple) whose identity needs to be uncovered by foreign powers.

Today I feel exactly the opposite.

Cyberwar is real. Cyberwar is happening today, even as I’m writing this. And the New York Times attack is only the latest.

The evidence is everywhere. Nation-states (and perhaps others) are creating malware with the express purpose of attacking other nations or private companies. Stuxnet is one example, as is the malware which fried 30,000 computers at ARAMCO in Saudi Arabia. Many governments have been compromised with malware that steals finance officers’ passwords in order to steal money from their accounts.

Why would anyone – other than a criminal botnet out to hack finances and bank accounts – target a City or County or State government?

The New York Times attack highlights the reasons clearly.

Suppose a Mayor or Governor publicly opposed allowing trainloads of coal to pass through their city or state, in order to be loaded onto ships, sent to China, and used to power the Chinese electrical grid. Wouldn’t such opposition essentially constitute economic warfare and potentially provoke a cyber response?

Suppose a Mayor or County Executive, hoping to combat a rash of gun violence, initiates programs for a network of video surveillance cameras and gunshot detection technology (read: microphones) in a City. Could that provoke Anonymous or a similar organization?

Defacing a City or County website is bad. Stealing taxpayer money from government bank accounts is worse. Compromising SCADA systems to shut down a water supply or electric grid is dangerous. But we haven’t yet seen the worst potential attacks, such as bringing down a 911 telephone network or freezing a police or fire computer-aided dispatch system or perhaps crashing a public safety radio network.

And these overt acts pale by comparison to covert actions which may be occurring undetected – systematically compromising and falsifying utility bills, or hacking into and changing criminal and court records. We have no evidence such covert acts have ever occurred, but given the myriad of different levels of government and many repositories for the information, such databases must represent a juicy and lucrative target for criminal networks, Anonymous and even nation states.

All these potential threats indicate cities, counties and states cannot be complacent, but rather need active cyber security programs, preferably in cooperation with other agencies.

Yes, Dorothy, a City could be hacked to its knees. Worse yet, it might not be discovered for months or even years after the act.

Filed under cybersecurity, homecity security