One rainy, windy Friday in mid-May, I went into a chemistry department auditorium at Tufts University outside of Boston where I was attending my 45th reunion. The room, with its oversized wall illustrations of the periodic table, was familiar turf. I had been through chemistry lectures there as an undergraduate.
That morning, the topic was cybersecurity. The lecturer was Dr. Arthur House, a former intelligence official in the Obama Administration and now Chief Cybersecurity Risk Officer for the state of Connecticut.
Plenty of what he said was chilling. Hackers, some from Iran or Russia and others from third world countries, have run the gamut of IT abuse, from ransomware attacks, to collecting confidential personal information, to taking dangerously aggressive measures, such as trying to remotely open the floodgates of a New York dam.
“We are extremely vulnerable,” House said to me later. “The Feds deal with interstate abuses but the real problem is at the local level.” The State of Connecticut has undertaken strong measures to deal with the threat. So has Virginia, although it isn’t easy getting information about what it has been doing recently.
Underscoring his point, several days before his May talk, the City of Baltimore found its IT system completely hacked by cybercrooks who are demanding a ransom of more than $76,000 in bitcoins to turn the system back on. Baltimore’s police and emergency medical response numbers had been hacked and switched off the year before.
More attacks followed in June of this year. The City of Riviera Beach, Fla. paid $600,000 in ransom after its system was remotely shut down. Also that month, Lake City, Fla.’s telephones, emails and online utility payment system were shut off. The ransom is $460,000.
Virginia has had its share of attacks. In 2017, the Virginia State Police found its email system shut down. In 2018, hackers hit the Petersburg police. Also that year, Hanover County’s system handling credit cards was compromised, forcing the county to replace its software system. Richmond reported two or three ransomware attempts in 2018, according to the Richmond Free Press.
House says that local and state governmental agencies are in special jeopardy because they often don’t have the funds to toughen up their protection. When a ransomware attack occurs, many localities simply pay up. “The simple pattern is denial,” he says. “They say it is just too big a problem. American towns and cities are targets for easy money. You can get $10,000 or $20,000 from them.”
Connecticut’s approach has been a two-year-old program to have potential victims – including local governments, natural gas and electric utilities – meet confidentially and identify weak points. They also run through ‘what ifs’ should an attack occur, be it ransomware or attempts to compromise essential infrastructure.
To get an idea how that might occur, look at the authoritarian countries of Iran and Russia.
Russia, which top intelligence and law enforcement officials say thoroughly compromised the 2016 U.S. national election and is a threat in 2020, has been using cyberattacks as a prelude for other offensive efforts.
House notes that in 2008, Russia shut down much of Estonia’s financial and electrical structures to protest the movement of a pro-Soviet memorial.
In 2015 and 2016, Russia also severely damaged the electrical grid of Ukraine, from which Russia seized Crimea and then started a limited war on its eastern border.
Russia’s intelligence operatives were so good, House says, that they were actually able to identify the names and email addresses of operators of Ukraine’s electrical system. Those working at command centers found that their systems had been thoroughly compromised. They sat in amazement as the mouse arrows on their screens moved independently to shut down substations needed for electricity distribution.
The only solution, he said, was to reboot the entire system manually. But only a few operators, some of them retired, knew how to do that. “So, armored cars were sent out to bring them in. They managed to restart it,” House said, adding that one of Connecticut’s goals is to collect the names and addresses of system operators and practice reboots.
Another event happened in 2013 when a group linked to Iran’s Revolutionary Guards attacked the Bowman Avenue Dam in Rye Brook, N.Y., north of New York City. They targeted the dam’s floodgates, although they may have miscalculated. Their signals were sent to a floodgate motor that was down for maintenance. It also seemed odd that the target was a small dam. Some officials believed the Iranians meant to attack a much-larger dam also named Bowman in Oregon.
So what’s Virginia doing? It’s a good question. House says under former Gov. Terry McAuliffe, “Virginia was very active in cybersecurity.” McAuliffe tried to parlay Virginia’s strength as a global data processing and Internet center along with robust IT protection as a way to draw in new business.
When I tried to find out what Virginia is doing today, I struck out. I contacted the State Police, which said the issue is handled by the Virginia Information Technologies Agency. I tried VITA several times and got an anonymous email that they would be in touch. An email query to Dominion Virginia Energy brought no response. I emailed and called Gov. Ralph Northam’s press secretary and got no response.
Thus, I can’t say what the state is doing to protect from a threat that seems to be growing worse.