Idaho Lawmakers Brush Up on Cyber Threat

In a presentation to the Senate State Affairs Committee, Idaho's director of homeland security said potential threats range from defaced or misleading websites to data theft and disruption of public services.

by William L. Spence, Lewiston Tribune / January 21, 2015

(TNS) - Despite high-profile computer attacks on Target, Sony and other major corporations, Idaho's director of homeland security said cyber threats remain the "most important and least understood risk" to government and the private sector.

In a presentation Tuesday to the Senate State Affairs Committee, Brig. Gen. Brad Richy said the potential threats range from defaced or misleading websites to data theft and disruption of public services.

"The vulnerabilities are extreme," Richy said. "A breakdown in IT (information technology) services could take it from that sector into our industrial sector, to our water supply or electrical supply."

Cyber attacks are "a trend that's been going in the wrong direction for quite some time," said J.R. Tietsort, who heads up Micron Technology's global security efforts.

"The thing I worry about is the theft of trade secrets or other intellectual property that isn't discovered until much later - sometimes not until a competing product appears in the marketplace," he said.

The attackers can generally be divided into three groups, Tietsort said, each with different interests and capabilities.

The first are anonymous "hack-tivists" who pursue some type of vigilante justice by harassing or embarrassing their targets.

"They're more of a nuisance than a threat," Tietsort said. "They're motivated by a social agenda."

The second are cyber criminals, he said. These are organized groups - the 21st-century equivalent of the Mafia - who buy and sell system vulnerabilities on the black market and are primarily interested in making a profit.

"The third group, the one I spend the most time thinking about, are nation-states interested in acquiring intellectual property or technology," Tietsort said. "They're typically very well funded and have advanced skill sets. Their motives tend to be military or technological advantage."

While private individuals are an unlikely target for nation-states, Tietsort said, that could change depending on where they work. If they're employed by a high-tech firm or government agency, they could be targeted as an unwitting source of information.

National Geographic, for example, premiered a new television series Monday called "Hacking the System." Richy said the first show demonstrated how work and personal data could easily be captured from unsuspecting individuals.

Hackers "are going to look for the weakest link," Tietsort said. The basic lesson is that "an attacker with sufficient skill and resources will find gaps through network defenses. As an industry, we've come to realize that perfect security is an elusive goal."

That makes it imperative, he said, that organizations focus not only on defense, but on detection and mitigation.

The recent attack on Sony Pictures, for example, only came to light when a virus was released and began deleting information and shutting down computers. Hackers may have actually penetrated the company's system months ago.

Richy said the Bureau of Homeland Security is in the process of updating Idaho's emergency operating plan, providing policies and procedures for state agencies to follow in the event of a major cyber attack.

The update should be completed by spring, he said. The bureau, together with the Pacific Northwest Economic Region, has also sponsored training workshops. The intent is to help companies better understand the vulnerabilities and learn how to respond.

Recommended steps for companies include educating all employees on the importance of cyber security, linking physical and computer security measures, holding regular exercises to simulate computer outages or attacks and using the same tools hackers use to identify gaps in the computer defenses.

©2015 the Lewiston Tribune (Lewiston, Idaho)