The ransomware cyberattack against the Colorado Department of Transportation earlier this year was an impactful event but reinforced useful best practices.
The ransomware cyberattack against the city of Atlanta in March was arguably the year’s most devastating cyberattack against a municipality, but the state of Colorado suffered a significant attack one month earlier that remains a source of valuable lessons for the public sector.
The Colorado Department of Transportation (CDOT) was hit by a brute-force attack in late February by a variant of the SamSam ransomware that penetrated a temporary system being tested without full security. (Officials strongly recommended securing even systems being tested or in limited deployment.) Once inside, bad actors used it to access CDOT, ultimately affecting roughly half its computing environment, around 400 servers, all databases and applications and around 1,300 workstations.
The event impacted CDOT’s financial system, which processes around $100 million of financial payments monthly, forcing officials to find workarounds to pay vendors and employees. And while good network segmentation contained the outbreak, the malware reactivated roughly one week after the initial attack, prompting officials to seek additional resources from the Office of Emergency Management (OEM). Ultimately, Gov. John Hickenlooper issued an executive order making the event the first-ever state emergency declared for a cybersecurity incident.
At the annual National Association of State Chief Information Officers (NASCIO) conference last month, Colorado Chief Technology Officer David McCurdy praised the governor and Legislature for being very supportive of efforts to stay ahead of cyberthreats and maintain a layered approach to cybersecurity. A criminal investigation by the FBI is believed to be ongoing, and while state agencies have recovered from the incident, state and local officials say it impressed upon them several key lessons about preparing for a cyberattack.
Boulder Chief Information Security Officer Ben Edelen praised the state’s live, dial-in threat briefing for nearly 800 officials following the event, and said the candor expressed during that call underscored the event’s significance. During a panel discussion at the Colorado Digital Government Summit on Oct. 1, Edelen said he took two main actions to improve Boulder’s resiliency: a hardening project to confirm the city had its basics in place and would be able to react if confronted with the types of indicators state officials had seen, and another initiative focused on backups.
“I think one of the things that differentiated success in resisting this attack and many cryptoware attacks, and not having to pay for ransom ever, is having really good backups that are inaccessible to someone who has gained access to your core environment,” Edelen said. The state did not pay a ransom following the SamSam penetration.
Brandi Simmons, chief communications officer in the Governor’s Office of Information Technology, recommended brushing up on cybersecurity, considering plans available to ensure appropriate response strategies are in place and educating stakeholders proactively on good cyberhygiene. An agency’s biggest threat to cybersecurity, she said, may well come from within.
Regardless of rank, panel participants agreed agency employees are stronger and can go farther together. Simmons stressed reinforcing one’s communications team, attending all the meetings and not being afraid to work with counterparts at other agencies. During the incident’s second week, Simmons said she forged a crucial connection with fellow panelist Micki Trost, strategic communications director at the Colorado Division of Homeland Security and Emergency Management.
“She was just a good sounding board because she has a wealth of experience in emergency response and management,” Simmons said of Trost.
State CISO Deborah Blyth, the event moderator, agreed, pointing to the Colorado National Guard’s participation in the state’s response to the incident as proof positive of an existing relationship.
“It was very natural for me to want to reach out and ask for the Colorado National Guard to be on-site because I was very familiar with their capabilities, with the knowledge and with the types of skills and resources and help that they could bring,” said Blyth, chairwoman of the Secure Colorado project.
Officials urged listeners to recognize that during a high-profile event, word may get out — but that through maintaining a single point of contact, logging media questions and building relationships with reporters, an agency may be able to shape the message and ensure its perspective is heard. Sharing information in understandable language is the best way to reassure the public, Trost said, recommending officials use “plain language” that one’s parents would understand.
“Simply stating that we know about it and we’re still on it and we haven’t given up and you still are safe — we can talk all day long about we’re here and we’re working without ever giving away anything that’s happening,” Trost said.
Simmons recommended officials be aware of the sensitivity of a situation before discussing it, and communicate internally to inform the agency’s external message, speaking with caution to ensure an appropriate, consistent voice.
There’s also value to conducting a final review when an agency has recovered from a cyberincident, speakers said. Colorado’s report, Blyth noted, is a public document spearheaded by her office in conjunction with OEM. Having it available helped create regional stability, Edelen said, calling reporting to peers “part of being a good citizen.”