Cyberhacking: A Threat That Won’t Go Away

One rainy, windy Friday in mid-May, I went into a chemistry department auditorium at Tufts University outside of Boston where I was attending my 45th reunion. The room, with its oversized wall illustrations of the periodic table, was familiar turf. I had been through chemistry lectures there as an undergraduate.

That morning, the topic was cybersecurity. The lecturer was Dr. Arthur House, a former intelligence official in the Obama Administration who is now Chief Cybersecurity Risk Officer for the state of Connecticut.

Plenty of what he said was chilling. Hackers, some from Iran or Russia and others from third world countries, have run the gamut of IT abuse, from ransomware attacks, to collecting confidential personal information, to taking dangerously aggressive measures, such as trying to remotely open the floodgates of a New York dam.

“We are extremely vulnerable,” House said to me later. “The Feds deal with interstate abuses but the real problem is at the local level.” The State of Connecticut has undertaken strong measures to deal with the threat. So has Virginia, although it isn’t easy getting information about what it has been doing recently.

Underscoring his point, several days before his May talk, the City of Baltimore found its IT systems locked up by cybercrooks demanding a ransom of more than $76,000 in bitcoin to restore them. The dispatch system behind Baltimore’s police and emergency medical response numbers had been hacked and taken offline the year before.

More attacks followed in June of this year. The City of Riviera Beach, Fla. paid about $600,000 in ransom after its system was remotely shut down. Also that month, Lake City, Fla.’s telephones, email and online utility payment system were shut off; the ransom demand was $460,000.

Virginia has had its share of attacks. In 2017, the Virginia State Police found its email system shut down. In 2018, hackers hit the Petersburg police. Also that year, Hanover County’s system handling credit cards was compromised, forcing the county to replace its software system. Richmond reported two or three ransomware attempts in 2018, according to the Richmond Free Press.

House says that local and state governmental agencies are in special jeopardy because they often don’t have the funds to toughen up their protection. When a ransomware attack occurs, many localities simply pay up. “The simple pattern is denial,” he says. “They say it is just too big a problem. American towns and cities are targets for easy money. You can get $10,000 or $20,000 from them.”

Connecticut’s approach has been a two-year-old program in which potential victims – including local governments and natural gas and electric utilities – meet confidentially to identify weak points. They also run through ‘what ifs’ should an attack occur, be it ransomware or an attempt to compromise essential infrastructure.

To get an idea of how that might occur, look at the authoritarian countries of Iran and Russia.

Russia, which top intelligence and law enforcement officials say interfered extensively in the 2016 U.S. national election and is a threat in 2020, has been using cyberattacks as a prelude to other offensive efforts.

House notes that in 2007, Russia was blamed for denial-of-service attacks that knocked much of Estonia’s banking and government online services offline, in retaliation for the relocation of a Soviet-era war memorial.

In 2015 and 2016, Russia also caused blackouts in Ukraine’s electrical grid. Russia had seized Crimea from Ukraine in 2014 and then started a limited war on its eastern border.

Russia’s intelligence operatives were so thorough, House says, that they identified the names and email addresses of the operators of Ukraine’s electrical system. Those working at the control centers found that their systems had been thoroughly compromised. They sat in amazement as the mouse cursors on their screens moved on their own, clicking through the controls to shut down the substations that distribute electricity.

The only recovery, he said, was to restore the system manually. But only a few operators, some of them retired, knew how to do that. “So, armored cars were sent out to bring them in. They managed to restart it,” House said, adding that one of Connecticut’s goals is to collect the names and addresses of system operators and practice manual restarts.

Another event occurred in 2013, when a group linked to Iran’s Revolutionary Guards attacked the Bowman Avenue Dam in Rye Brook, N.Y., north of New York City. They targeted the dam’s sluice gate, although they may have miscalculated: their commands went to a gate motor that had been taken offline for maintenance. It also seemed odd that the target was such a small dam. Some officials believed the Iranians meant to attack a much larger dam also named Bowman, in Oregon.

So what’s Virginia doing? It’s a good question. House says under former Gov. Terry McAuliffe, “Virginia was very active in cybersecurity.” McAuliffe tried to parlay Virginia’s strength as a global data processing and Internet center along with robust IT protection as a way to draw in new business.

When I tried to find out what Virginia is doing today, I struck out. I contacted the State Police, which said the issue is handled by the Virginia Information Technologies Agency. I tried VITA several times and got only an anonymous email saying they would be in touch. An email query to Dominion Virginia Energy brought no response. I emailed and called Gov. Ralph Northam’s press secretary and got no response.

Thus, I can’t say what the state is doing to protect against a threat that seems to be growing worse.


15 responses to “Cyberhacking: A Threat That Won’t Go Away”

  1. I’m always curious about the other side of this story, what our wunderkind are doing to their systems. This whole area seems ripe for a cyber disarmament treaty….I suspect we won’t do that because as badass as they are, we’re worse.

  2. Great and important post, Peter. Thank you.

    Also, of course, it’s growing ever more likely that our next major international war will be decided over the internet, instead of across traditional battlefields. And in this new cyber battlefield space, who strikes first effectively might well decide the winner.

    Are we well prepared defensively? Obviously not, one must conclude. Given our enormous reliance on cyberspace, we are by definition extremely vulnerable, most particularly our civilian population. Particularly in our large urban and suburban centers.

  3. This is extremely important and timely. For a deeper dive:
    “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” by David E. Sanger. Just read it! You will not sleep well for many nights after.

  4. A business where some friends of mine work used a cloud provider for its documents and systems. The cloud provider was hacked and documents encrypted by ransomware. The business’ insurer paid a ransom and the business is getting access to its records and documents after about a two-month period without them.

    Investigation showed the cloud provider had failed to update its server software for a considerable period of time and also kept its customers’ documents/records/systems and their back-ups on the same server. Basic negligence. I wonder whether many governments, businesses, nonprofits and cloud providers are even following basic cybersecurity 101 principles. How much of the American economy is simply low-hanging fruit?

  5. This has been a big and building issue for over 10 years, since I last looked at it with DHS (and US Navy-NAVFAC) my then client.

    Here is a 2 year old DHS/NASCIO study (have not read it) that looks at Virginia’s approach to governance to address how to “manage investments in strategic cybersecurity priorities as part of budget and acquisition processes across multiple organizations?”

    https://www.nascio.org/Portals/0/Publications/Documents/2018/DHS/State%20Cybersecurity%20Governance%20Virginia%20Case%20Study.pdf

  6. Good article Peter. Thank you!

    Quite a bit of the ransomware is done by low-level hackers with rudimentary cyber skills who basically hack into your system and encrypt your file system, which effectively freezes it, and they will then sell you the decryption key for a price they calculate you are able and willing to pay – not too much, such that you flat refuse.

    This is DIFFERENT than nation-state espionage to break into government and critical industry infrastructure not for ransom but sorta “counting coup” and just plain vandalism and mayhem.

    It’s an interesting issue because one would think that by now most governments would have taken sufficient measures, and to have not done so is the equivalent of not fixing the roof or having broken plumbing or lights or heat that don’t work, etc.

    Don’t really buy the “not enough money”. It’s always about priorities and clearly many companies are learning just how important “cyber” is.

    And it’s a little bit laughable because on one hand, we have all these smartphones, gps, drones, technology out of the wazoo … then we have this knotty problem that we are still struggling with.

  7. Thanks, all, for the comments. Jim, I read the document you attached and wonder why no one would discuss it with me. Larry The G, you are right that holding systems ransom can be done in fairly primitive ways.

  8. Something else to worry about: Deepfakes ……. can you believe what you are seeing in a photo or video?

  9. There’s an interesting Netflix documentary, The Great Hack, describing what the election hacks are about so far. It’s a bit slow but very interesting information from a journalist at the Guardian and a former employee at Cambridge Analytica and others.

  10. I will add my thanks for bringing up this critical issue. Apparently, the Virginia General Assembly does not believe that this is a pressing issue.

    The Virginia National Guard has a unit dedicated to cybersecurity. That unit supports the U.S. military’s cybersecurity unit at Ft. Belvoir. In the past, it was also available, through discretionary funding through the state’s office of the Secretary of Technology, to assess cybersecurity threats to Virginia state agencies and local governments. That funding pot with the Secretary of Technology was eliminated through budget cuts. For the 2018-2020 budget biennium, the Dept. of Military Affairs requested $100,000 each year for its cybersecurity unit and the Governor included that request in his introduced budget.

    The General Assembly did not approve that request, indicating that the department should continue getting its funding from the Technology Secretariat, although it also eliminated that secretariat in the budget and transferred funding for those sections to several other secretariats.

    In the most recent session, the Governor included $150,000 in his introduced budget for the Department of Military Affairs to assist state agencies and local governments in FY 2020 with cybersecurity assessments. The General Assembly turned down that amendment with no explanation. (https://budget.lis.virginia.gov/get/amendmentpdf/3816/ – amendment to Item 416 #1c)

    One would think that, with all the additional funding available to the legislature last session, it could have found $150,000 to help protect state and local governments from cybersecurity threats.

    • First, I’d like to see a confidential report prepared by all Virginia localities and agencies/entities that shows what cybersecurity measures are presently in place. I suspect many use minimal protections and could easily upgrade by utilizing basic best practices.

      While I would support additional state funding for cybersecurity, using basic tools should be a prerequisite for getting more financial or technical assistance. My gut tells me that there are many instances of simple failure to do basic Dick and Jane security measures.

      • TMT, that should bring needed local attention to the issue. That would also provide a roadmap to cyber attackers, and another juicy target for hackers, ransomware vendors, foreign bad actors, cyber muckrakers. They will go after it. A copy of each local report would reside on computers in the originating jurisdiction with all its weak defenses, on computers in the relevant state agencies, and of course in dozens of federal offices. Do we think all those copies will remain secure? Seems to me, the widespread distribution of such a detailed list of all our local government cyber weaknesses poses a far greater risk than any benefit from assembling it.

        • It shouldn’t take a visit from the State for local governments to sit down with their tech people and, if applicable, tech provider(s) to make sure that the basic security practices are being followed. Every month we see more and more evidence that governments, be they run by Democrats or Republicans, simply cannot fulfill their basic functions even as they seek to expand their responsibilities and suck up more tax dollars.

          If government cannot ensure basic safety against cyberattacks, why are they trying to fix climate change?

      • I agree with the implication that many local governments probably do not use basic best practices. Don’t forget, there are also public utility authorities that operate water and sewer facilities that are quasi-independent entities that provide vital public services. The funding requested for the Dept. of Military Affairs was intended to provide assessments of these entities’ vulnerabilities and to make recommendations for upgrading. The funding for the actual upgrades would be the responsibility of the local government or authority.

  11. The grid has a secure communications network of its own, embracing all generators and LSEs on the grid. The big utilities have senior-vice-president level executives in charge of cyber security and budgets running into the $millions. In a recent survey of cyber security practices among the smaller generators connected to the grid, one investigation turned up a little hydroelectric facility in New England which (as a generator occasionally supplying the grid) necessarily had full access to the grid communications network, but where the IT person, who also was the only employee of this little hydro plant, and ran the place part-time (he had other duties with the municipal electric company that owned the dam), left his municipal laptop computer in the dam’s control room during the day when he was working elsewhere. The lake had a fence around it but the dam’s control room was not normally locked. His computer password was “password”.

    Cyber security, especially of special networks like those linking utility systems, can be no better than the weakest link.
