As new reports surfaced about hackers targeting nuclear facilities and as significant cyberattacks continue to escalate in 2017, what lessons can governments learn from recent events? Most important, how can states prepare for this ‘new normal’ in cyberspace? Here are seven actions to reconsider.
Another week, and another round of major hacking stories that grabbed global headlines. A quick cybernews roundup from Friday revealed the dramatic rise in scope that cybersecurity issues have taken over the past year, and there is no end in sight.
Nevertheless, there are certainly lessons that the public and private sector can take away from these global hacking events to prepare for the future. Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of top stories, I want to focus on seven actions that state and local governments need to be addressing right now.
The world watched closely as U.S. President Trump met with Russian President Putin for the first time in-person on July 7, 2017.
Questions going into the meeting included: Who would have the upper hand? What does the body-language tell us? Would Putin’s years of diplomacy outmaneuver the new president? Perhaps most important, would the election-hacking issue be openly addressed?
Shortly after the two-plus hour meeting ended (which was supposed to be 30 minutes), The Washington Post reported that Putin denied election hacking after Trump pressed him. Here’s a quote:
Secretary of State Rex Tillerson, who attended the two-hour-and-fifteen-minute meeting, said it did not focus on the United States moving to punish Russia for the allegations that it hacked and leaked information that would help Trump win the election. Instead, Tillerson said the two leaders discussed “how do we move forward from what may be simply an intractable disagreement at this point” regarding the election-hacking issue.
“The president pressed President Putin on more than one occasion regarding Russian involvement,” Tillerson said. “President Putin denied such involvement, as I think he has in the past.”
Tillerson said the White House was not “dismissing the issue” but wanted to focus on “how do we secure a commitment” that there will not be interference in the future.
Meanwhile, news headlines on Friday morning focused on another potential Russian (or other nation-state) hacking incident and ongoing threat. The Huffington Post, New York Times and numerous other national news organizations led with story that: “Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say.” Here’s an excerpt from The NY Times:
"Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.
Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.
The joint report was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the sensitivity of the threat. …"
Bloomberg News was even more direct, stating that Russians are suspected in nuclear site hackings, according to sources.
And these cyberstories were just from Friday. So when we add in the recent ransomware and wiper attacks, along with other cyberstories from 2017 like ongoing attacks against the power grid, there are definitely some wider messages for all of organizations regarding needed protective actions. Here are seven that I strongly urge state and local governments to consider.
Cybersecurity Actions for States to (Re)Consider
1) Back To Cybersecurity Basics — The hacking actions at the nuclear facilities targeted traditional vectors like websites, emails and Microsoft Word documents that were infected as the method for their cyberattacks. It needs to be back to basics of “security blocking and tackling” for many, and consideration of even traditional cyberthreats.
The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sent them to the senior industrial control engineers. The fake resumes were Microsoft Word documents that were laced with malicious code to steal credentials and access.
Also, the hackers compromised legitimate websites that they knew their victims frequented with malware — called a watering hole attack. And in other cases, they deployed what are known as man-in-the-middle attacks in which they redirected their victims’ Internet traffic through their own machines.
Ask: Are we prepared for these ongoing attack vectors? Do we need to go back to basics? These attacks are common techniques that all organizations need to be prepared for.
2) Do Your Network Cyberthreat Homework — Apply your new fiscal budget to a cyber plan. After understanding what threats are happening in these high-profile online attacks like WannaCry and NotPetya, ask: What are your network alert tools telling you about ongoing attacks you are facing? What cybermetrics are we compiling? Do we have a dashboard? Is it helping to respond to and prepare for future attacks?
Ask law enforcement and the Information Sharing & Analysis Centers (ISACs) in your industry: What attacks are my public- or private-sector colleagues seeing? What pragmatic protections should I be putting in place now with FY2018 budgets?
3) Re-examine If Critical Infrastructure Is Protected — There is no doubt that many recent attacks are specifically going after critical infrastructure. Ask: Do you know what data is most critical? Are you working with private-sector partners in these areas? This blog from early in 2017 points the way on studies, questions to ask and some potential answers on smart grid security.
Paul Edon, director of international customer services at cybersecurity firm Tripwire, offered this commentary:
“With most industrial control systems now connected to the Internet, they have become vulnerable to targeted cyber attacks and cyber espionage campaigns. However, because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks.
For any business that has an industrial control system footprint, whether in manufacturing, transportation or energy, now is the time to evaluate how the environment is being secured. Failure to do so could result in a devastating attack, which could cause serious damage or even endanger public safety. The first step is to review one of the available ICS Cyber Security Frameworks i.e., ‘NIST Guide to Industrial Control Systems (ICS) Security’ or ‘CPNI — Security for Industrial Control Systems Framework.’ This will assist organizations in better understanding the challenges, requirements and responsibilities with regards to Governance, Business Risk, Managing ICS Life Cycle, Education and Skills, Security Improvements, Vulnerability Management, Third Party Risk, and Response Capability.”
4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities for critical systems.
In my experience, some government organizations spend more time and energy fighting the auditors than on fixing known cyberproblems. This is a big mistake and a losing strategy.
I have even heard some technology pros say things like, “Since breaches are inevitable, we are just focusing on incident management and data breaches and not prevention.” This is also shortsighted.
As I point out in this Peerlyst article last year, focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect, respond and recover.
5) Partnerships, Partnerships, Cyberpartnerships — Security teams that do not partner, each and every day, will fail. The theme of partnerships, especially in gaining actionable threat intelligence, has been a constant theme of mine for years, but has never been more important than now with foreign nation-state attacks and the need for help rising globally.
The Aspen institute and Intel Security offered these reports on needed cyberthreat actions a few years back, and their updated priorities for 2017 can be found here.
One of their new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. This is certainly an area that needs more attention as we head toward 2018 and 2020 elections. I touched on these election topics in 2017 here.
Ask: Who are our partners in the public and private sector? Have we practiced responding to incidents together in cybertabletops? Who can you rely on in federal, state and local governments — including law enforcement? What vendors do you rely on?
6) Prepare for Ransomware or Not? — There are conflicting views on how much time government security teams should be spending on ransomware prevention. But my view is that addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help with ransomware. These actions include ensuring backups are performed and tested and other good cyberhygiene is applied enterprisewide.
Ask: What is your incident management plan? Are you ready for ongoing attacks, with clear levels of response? Also, examine your current plans and the Presidential Executive order for cyberpriorities and potential federal funding.
7) Cybertraining — Health IT News highlighted the importance of end-user training again this week. New attacks keep popping up using legacy apps. Here’s an excerpt:
“Cybercriminals, in fact, are using Powershell, or .LNK, files to run malicious code and serve up ransomware including Locky, while the WORM.RETADUP.A code has been used to target hospitals in Israel lately and campaigns based on web browsers, Windows updates and a 3D creation tool were spotted in the wild.
Then there’s the newfound threat inherent to PowerPoint, believe it or not. “Malicious code may run merely by hovering over a malicious URL with one’s mouse pointer. Visual Basic for Applications macros do not need to be enabled in order for this to work.” And, yes, the same technique can be used in e-mail spam campaigns — meaning, of course, that it’s time to make sure end-user education programs include the dangers of merely hovering over a nefarious link.”
End users may not be thinking about background checks for detecting insider threats during the hiring process or even checking for resumes that are infected with malware. However, updated training can help in these related areas.
Keep in mind that phishing and other social media attacks are evolving, so improved end user awareness training is a quick win — like in Missouri. Nevertheless, don’t make training a punishment for staff.
Final Thoughts — Don’t Wait
Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us.” Or “We’re all set, we have a cyberprogram.”
(My response: OK, but is your plan based on 2012 or 2017 data and cyberattacks?)
If you are still waiting, now is the time to get serious about cyberprotections, even if you are a small government office.
One evidence of the impact of these cybersecurity incidents during the first half of 2017: Security stocks are up after the Mondelez hacking led to them reporting 3 percent drop in profits due to hacking.
Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed.
As Michigan Gov. Rick Snyder said in 2011: “If people walk away tomorrow saying that we had a nice conference with good speakers, we will have failed. We need everyone walking away saying that it is time to act now on cyber, whatever their role."
So one more time: What’s your cyberplan?