The annual state-sponsored cybersecurity training for agency staffers by the Florida Agency for State Technology (AST) — which survived another defunding attempt this spring — has doubled in attendance in three years. The state has adopted a cybersecurity framework designed to National Institute of Standards and Technology (NIST) specs.
In the latest training exercises, held from Aug. 14 through Aug. 17, AST in collaboration with the Florida National Guard (FNG) educated more than 40 staffers from 12 state agencies, up from around 20 trainees in 2015, the first year the exercise was held. Goals included testing incident response and internal communication procedures; and identifying best practices, and existing gaps and redundancies. Other participants included the Florida Fusion Center, a state-federal collaboration aimed at sharing resources to improve detection, identification and prevention of criminal and terrorist activity.
The sessions weren’t entirely lecture-based — but instead, confronted participants with a “real-life” scenario based on simulated reports and threats of denial of services (DOS) attacks, Web defacement, and misinformation campaigns from “hacktivists/cyberterrorists” during a Category 5 hurricane.
It asked staffers to join “Cyberspace Defensive Operations” to “monitor and protect the state’s network infrastructure in order to ensure continuity of operations during relief efforts.”
This year’s hurricane season, some meteorologists have predicted, could be one of the nation's busiest in seven years.
A portion of state statute known as the Information Technology Security Act mandates AST, which was created in July 2014, to provide cybersecurity training for state information technology professionals. The agency provides training and outcomes annually to the Legislature.
But the real goal is to take people who wouldn’t normally have an opportunity to work with these types of IT systems through the experience of defending against an attack, AST Executive Director and state CIO Eric Larson told Government Technology.
Doing so “really prepares them not only for the tactical functions of fixing and addressing the issue, but it hopefully will give them some confidence and some ability to react well if it were to turn into a real-world scenario,” Larson said.
FNG provided the cyber-range for the training, the CIO said, deploying computers with known vulnerabilities, along with an engine executing scripts to exploit those vulnerabilities. The exercises began with a DOS attack, followed by a website defacement — compelling participants to not only combat the attack scenario, but to dialogue with others.
“Hurricanes are kind of par for the course out here. From a security perspective, though, it’s just to raise awareness that it’s not going to be convenient. It’s going to be Christmas Day, it’s going to be during a hurricane, it’s going to be at night,” Larson added.
Erin Choy, AST spokesperson, said via email the training offers “numerous solutions that may or may not mimic the technicians' environment, adding to the complexity of response activities.”
“In addition, the environment is open, or not secured, in an effort to demonstrate cyberattacks in an effective manner. This openness requires reverting to alternative techniques for stopping the attacks, as this openness differs from the controls commonly present in enterprise environment ... it can introduce challenges,” Choy said.
Larson said measuring the extent to which the state’s exact response to threats and incidents has been improved is “challenging” because it’s difficult both to determine a baseline level of response prior to training, and to ascertain how employees’ reactions have changed.
“I think it’s a great opportunity to learn different skill sets, to understand another individual’s background and how they’ve learned to handle some of these exploits,” Choy said, adding she heard from participants “that partnerships and building those relationships across agencies and statewide has been really important."