SALT LAKE CITY — While Americans were busy watching the outcomes of hotly contested races across the country last night, a team of specialists was watching global cyberthreats stream in from a basement on Utah’s Capitol Hill.
To call it a basement should only indicate where in the building Utah’s Cyber Center is located, because it is a far cry from the dank, mildewy imagery the word conjures up. The center is the result of roughly three years of forward momentum and what state officials acknowledge as a substantial priority at a time when so-called “knocks on the door” can top a billion a day.
Beyond a set of security doors, visitors find a bank of screens, workstations, analysts and law enforcement from the state’s Department of Technology Services, Department of Public Safety and the U.S. Department of Homeland Security. A map on one of the screens shows potential threats as blue and yellow bolts — medium to high threats — with the occasional red bolt indicating a more serious issue. The number of bolts is difficult to comprehend at first glance, but the challenge of thwarting these threats becomes even harder to imagine when officials lay out the daily numbers.
No less than 200 million to 300 million attacks come in on a normal day. During a midterm election night — like last night — that number doubles to around 500 million to 600 million. And during the 2016 presidential primary elections, the state reached a billion knocks in one day.
But officials seem confident in the abilities of the fairly new center and its full-time staff. It officially went live during the 2016 presidential primaries but has continued to evolve ever since, getting more advanced with each iteration. Where agencies once worked from their respective offices, they now use the center as a central location for all threat intelligence and monitoring.
Despite the daunting traffic, state Chief Information Security Officer Phil Bates seems calm. Relaxed, even. He jokes that hardly any of the real threats are coming from the “kid in mom’s basement out trying to do something.”
“We just see it every year going higher and higher and higher, and that’s because you have more players using more infrastructure, and there’s money in it, so you have more people doing it,” he explained. “Throughout the day, we are going to turn back 500 million things we don’t want talking to us for a variety of reasons, either where they are coming from, what’s in the payload, a lot of different things.”
The attacks he worries about are coming from bigger, more sophisticated players — nation states looking for a way to disrupt things like elections and criminal organizations out to make a buck.
“All this stuff is a commercial service now,” he said. “A lot of what we see now is, you’ve got a very sophisticated infrastructure that criminals, nation states, you name it, use. Basically they hit you with a lot of traffic and basically what they are looking for is ways in. A lot of this is just automated routines that you get, and a lot of it now ... those routines identify something and another automated routine will try to exploit whatever that is.”
Countering the onslaught goes beyond what state CIO Mike Hussey called a constant “game of cat and mouse” and relies on proactive tools — effectively the same ones used by hackers — to cut them off before they find a foothold or way in.
To help their systems keep up with the traffic, the state has blocked about a dozen nation states, places like the Seychelles. The small country off the coast of Africa was one major source of incoming activity because of the massive investment in so-called Pirate Bay and infrastructure initially used to pirate movies. It has since turned to a hacking hot spot, Hussey said.
“That was probably our No. 1 country from hitting us, so we just blocked it … So, you don’t want to go there and try to enlist a bunch of state services, because you won’t get in,” he explained. “It’s basically a lot of infrastructure sitting there, and whether the bad actor is sitting there, that’s probably not the case, but because of that infrastructure, they can jump in and that’s their vector in.”
“The same type of infrastructure they are using to try to find things, we are doing to ourselves,” Bates explained. “We have systems that we turn on ourselves to try to find those vulnerabilities and we want to address them before they get them.”
The center also follows social media to look for less sophisticated misinformation attacks. Say, for example, a Twitter account starts using the “vote” hashtag and falsely reporting poll closures in key districts. In such a case, staff would report the issue up to the lieutenant governor’s office so that government accounts could rebuff the claims.
“They would put it out through legitimate accounts on that same hashtag to try to kill it,” Bates said. “If they hit these hashtags, there’s enough following those that we know that’s where the big volumes are.”
Prior to election night, DHS and DTS coordinated on penetration testing the overall election systems, a move that would not have been as effective in the pre-cyber center days.
“We have resources now, like this, that we didn’t have before where we have a place to hunker down together with all the data you need,” Hussey said.
From his perspective, the center’s purpose is all about coordinating between agencies that need to be aware of threats and other states that might also be in the crosshairs of hackers. It’s also about cutting through the noise to tell the reasonable traffic from threat traffic, which is a challenge, but often times, Hussey said, it takes examining behavior to tell the difference between the two.
“That’s an art, that’s exactly the crux of the issue here,” he said.
Because the center monitors threats to all state systems, Hussey said criminal investigations vary by where in the world they come from and whether or not law enforcement can act on the information passed along.
“If it turns criminal in the cyber center, we hand it off to the Department of Public Safety. A lot of times, they are not going to go after the [Seychelles] islands, but certainly, if there is something going on here, we protect all state systems, not just election systems. So, if we have someone coming after our payroll systems from another state, we would go after them, and that’s when we engage public safety.”
The midterm election also marked the first time Lt. Gov. Spencer Cox visited the center. Cox is responsible for elections in the state and said he was more concerned about having enough voting machines accessible to residents and long lines than cybersecurity — alluding to the fact that the center was doing exactly what it was intended to do.
“I can tell you that it’s been a huge priority for the state of Utah for several years, we had a couple kind of high-profile hacks that happened before I got in this position, that really elevated the discussion,” he said. “In fact, Homeland Security will tell you we were one of the first states, and the FBI as well, to really start coordinating with the federal government on that level. From an elections standpoint though, I can tell you that the last year and really the last six months, it has been our No. 1 priority and focus.”
The 2016 elections and reports of tampering on the part of Russia, as well as false reports of millions of illegal immigrants voting, underscore the importance of the center’s mission, Cox said. While those on the left and right continue to believe some of these reports, he said remaining credible and in front of potential threats is essential.
“Of course we saw what happened nationally in 2016 and the concerns that came out of that, we also knew we had a very high-profile race with ... [Mitt] Romney on the ballot, somebody that has been critical of Russia and foreign actors, and so we knew there was potential for us being a target,” Cox said.
As for the road ahead, officials said the center will continue to keep up with the advancing threats, evolving as needed with support from the state’s highest office.