On this week’s episode of the SecurityIntelligence podcast, hosts Pam Cobb and David Moulton shift the government security lens from maintaining municipal safety to the developing challenges of state and local defense. Joined by Claire Zaboeva of the IBM X-Force Incident Response and Intelligence Services (IRIS) Threat Intelligence Production Team and Melissa Frydrych of the X-Force IRIS Threat Hunt and Discovery Team, our intrepid interviewers tackle current threats, evolving states and strategies to veto emerging attack vectors.
Mapping the Security Surface
According to Zaboeva, the IT infrastructure of state and local agencies is “currently in a state of what we would call transformative change” as governments deploy citizen-facing apps at scale, leverage digital platforms to manage basic utilities such as water and electricity, and support strategic communications initiatives. The result is a “distributed attack surface” that provides multiple routes for malicious actors to compromise key systems.
Vast amounts of stored personal data — including birth certificates, criminal records and tax information — combined with access to physical infrastructure controls make these systems high-value targets that can satisfy multiple attacker objectives, “from cybercriminals looking to turn a profit to state-sponsored threat actors who are looking to collect confidential information or even to disrupt or potentially destroy critical infrastructure.” Attackers also vary across skill level and motivation; Zaboeva notes that criminal actors include “script-kiddies going after low-hanging fruit to highly sophisticated actors.”
As a result, local and state networks are under “very frequent assault.”
The State of Cybersecurity
Current security postures vary across states, according to Frydrych. She notes that “many of them are struggling to modernize outdated information technology systems, and they’re also having difficulty hiring.” In Minnesota, the state allocated more than $19 million for government security in its 2019 fiscal budget and outlined a five-year plan to both replace aging legacy systems and improve cyber defense education.
From the public’s perspective, meanwhile, recent Pew research data found that 83 percent of Americans are concerned about the potential damage of government cybersecurity compromise. New approaches — such as Ohio’s recent push to improve infosec awareness and impact by engaging with local governments and school districts — are now critical to improving overall cybersecurity confidence.
Vetoing Attack Vectors
For Frydrych, reduced attack risk is predicated on three best practices: intelligence data sharing, incident response and in-situ testing.
Intelligence Data Sharing
According to Frydrych, “with knowing the environment comes knowing the threat.” By sharing attack data with other state and local organizations along with federal agencies and post-secondary institutions, governments can gain critical insight. This is especially important as digital voting systems become more commonplace — Zaboeva notes that governments need to ensure “there’s enough of a budget to make sure that different digital platforms, paperless voting systems are up to snuff in order to make sure that those elections are secure.”
Incident Response Research
Frydrych also recommends researching potential third-party providers capable of handling incident response at scale, creating comprehensive cybersecurity guidelines or providing actionable threat intelligence.
Finally, it’s worth implementing wargame and “fire drill” exercises to test current government security practices. Regular in-situ testing helps governments identify previously unknown vulnerabilities, shore up critical weak points and veto the most common attack vectors.
State and local government IT infrastructure is transitioning away from insular, isolated systems toward public-facing, cloud-connected networks. But with valuable data and distributed attack surfaces comes increased cybercriminal curiosity. To protect citizens’ data and safeguard critical operations, governments must build in budget allocations that empower threat intelligence sharing, permit third-party providers and support in-situ infrastructure testing.
David: Pam, we’re a couple of months away from 2020. Anything big happening from a cybersecurity perspective?
Pam: Well, you know, there’s the US CCPA regulations. There’s, you know, a few elections happening here in 2020, the most dangerous celebrity on the internet, Alexis Bledel, and I don’t even know that ransomware is out of the picture, so probably not really.
David: Yeah, right, minor things. So, you know, joking aside, this is exactly what I had in mind. Events in the year ahead will put state and local government security in the spotlight. So how prepared are they?
Pam: This is the “Security Intelligence Podcast” where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton. Last time, we talked about why municipalities have been targeted by ransomware attacks, especially in the last couple of years with the examples of Baltimore and Atlanta. This episode, we’re going to dive into the cybersecurity landscape for states and local governments, a little different. And luckily, we have two experts to take us on this journey who are going to share their brand new research. Here’s our conversation.
Claire: My name is Claire Zaboeva. I’m from X-Force IRIS’ Threat Intelligence Production Team where our job is to identify and assess cyber-based threats to a particular industry or entity. We particularly focus on the geostrategic context that is applied to different advanced persistent threat actors, as well as some of the vulnerabilities that impact the attack surface.
David: Okay, so you’re saying that depending on your geo, there are different realities because the threat actors that are in operation in that space vary, and then your attack surface, so your enterprise, the type of setup you have, the type of business you’re in changes how those threat actors work?
Claire: Absolutely. So it really comes down to activity always happens within a multitude of different contextual factors that impact that overall landscape. So, those can be anything from what’s going on in the world to the different actors at play, whatever state goals are coming to bear upon those industries, particularly those that have an economic or national security impact. So it’s really a conglomeration of factors that shape that overall targeting trajectory.
David: When I joined IBM a couple of years ago, one of the stories that somebody told me was that when the weather in a country with a lot of active attackers got nasty, the number of attacks went up. Is that something that you’ve seen? Is that true?
Claire: So maybe not to weather, but certainly for holidays. When a particular national holiday comes to bear, we will see a downplay in activity from a different region that really goes with that, you know. No one wants to go to work on Christmas or the Fourth of July. And the same goes for different advanced persistent threat actors. Even criminals need a day off, and even state actors do as well.
David: Melissa, if you were to give me your elevator speech as if I were, you know, your six-year-old nephew, how would you explain what it is that you do?
Melissa: My name is Melissa Frydrych, and I work for X-Force IRIS’ Threat Hunt & Discovery Team supporting cyber threat intelligence. We look for unique intelligence, you know, stuff that other agencies haven’t reported on. A lot of times, we are tasked to specific, persistent threat groups. And so we’ll monitor them. We’ll use open source tools, as well as internal tools to find maybe new techniques that they’re using or new malware that they’re deploying. We also support our Incident Response Team with intelligence on their side.
David: That’s great. So you and Claire do have opportunities to cross over and work together. Sounds like your role is that deep research and finding the insights that help the teams that are in the field?
Melissa: Right. Yeah.
David: That’s awesome. So Claire, if you can, what does the current threat landscape look like for state and local governments?
Claire: So state and local governments’ IT infrastructure is currently in a state of what we would call transformative change, meaning that they’re moving with advances in technology and increasingly furnishing constituents with consumer quality experiences and introducing more and more citizen-facing applications, making information technology now a primary medium for citizens to interact with their local government. Meanwhile, critical infrastructure is increasingly running in a fix to digital platforms, and that helps to ensure basic utilities are accessible like clean water and electricity, and strategic communications are transmitted like emergency calls to first responders.
But this accelerated adoption of digital applications and integrated architecture really provides what we call a distributed attack surface to malicious actors looking to compromise state and local governments, meaning they have multiple vectors for conducting malicious activity.
David: Okay, when you’re talking about basic utilities being threatened, and/or you’re talking about the ability for first responders to get the information that they need in an emergency under attack, why would a threat actor go after a city or a local government?
Claire: For state and local government systems, they house vast amounts of personally identifiable information, everything from birth certificates, to death certificates, to criminal records, financial data from tax and insurance information, to parking tickets, and even sensitive electoral data. They also provide a safe repository for public records like leases and licenses and fundamental access to utilities like water and electricity.
Combined, these features make state and local government networks really high-value targets that may satisfy multiple objectives for malicious actors, from cybercriminals looking to turn a profit to state-sponsored threat actors who are looking to collect confidential information or even to disrupt or potentially destroy critical infrastructure. And as a result, these networks are under, you know, very frequent assault.
David: So let’s talk about the attackers’ motives. If they’re going to put the level of effort into that type of sustained attack, is there a financial motive that’s sticking out? Is there some other type of reasoning that they have for being so persistent?
Claire: So, for criminal actors, they come from all walks of life, all corners of the earth, and they really do vary from low-level script kiddies going after low-hanging fruit to highly sophisticated actors that are able to carry out very prolonged and virtually silent operations. And that usually really reflects the kind of operations that they will conduct. If you have a legacy or outdated system that is using very old software and it’s exposed to a publicly facing network, that’s easy pickings for criminals. And they’ll use that for, you know, stealing that information, harvesting it up, putting it on illegal underground forums like the dark web for sale, and there another criminal actor can buy it, and they can create a fraudulent persona, file a fraudulent tax claim, or open up another bank account or credit card accounts. So that’s the kind of activity that we expect from the criminal community.
For advanced persistent threat actors, those targets are really dictated by state interests. So if a nation-state wants to collect on the strategic intentions, or monitor the movement of citizens, or where they live, or what they do, things like that, then harvesting that information off of a state and local network would be potentially more difficult, but would be something that they would spend more time looking to collect on. So their motives really and their capabilities really change. And they really do vary depending on what that goal will be.
David: Okay. So we’ve set the stage, we’ve got some criminals, some state actors, some script kiddies, that always just makes me chuckle when I hear that term, and we’ve got our local and state governments under siege, under attack. It sounds like some more than others. But what I’m interested in is how are our state governments, how are our local governments defending themselves or who’s helping them out?
Melissa: It kind of depends on the state, and it varies between states. Many of them are struggling with trying to modernize outdated information technology systems, and they’re also having difficulty hiring. There’s a limited pool of qualified cyber professionals, so trying to come up with the funds to modernize outdated IT systems coupled with, “Okay, we need people who are actually qualified and know what they’re doing,” is a real challenge for different states. But there are some states who are investing heavily into cyber capabilities. For example, in 2015, California had signed an executive order which created the California Cyber Security Integration Center. And this center is aimed at reducing the likelihood and severity of cyber incidents that could damage their economy or their infrastructure.
Also, for example, Minnesota, they developed plans to enhance their cybersecurity. And then last year, they had released a five-year plan, which included several projects to strengthen security and increase education on cyber defense. In their 2019 fiscal budget, they had allocated $19.7 million to their cybersecurity, and they hope to replace their computer systems, some of which are coming up on 15 years old, so they’re definitely trying to modernize their IT infrastructure. But it really depends on each local government’s budget and their priorities. And, you know, that will impact how prepared they are for cyber defense.
David: So it sounds like there’s got to be enough motivation in the local government or the state government to pass some of these laws and to fund some of these ideas. That’s going to come from the voters, right? I’m wondering if you and your research or your work with some of those entities have a good sense of the opinion or the temperature of the American citizen to support these types of initiatives.
Melissa: Yeah, so actually, there was a study conducted in early 2019 by Pew Research, and they had discovered that about 83% of Americans think that it’s actually somewhat to very likely that a malicious cyberattack would result in damage, especially to their public infrastructure. So I think that’s a pretty high rate of concern. Their states are definitely, you know, being prepared and trying to, I guess, calm the citizens’ nerves. We all know that there’s a risk to public infrastructure, and I think different states’ budgets will kind of reflect that.
David: So you’re saying with Pew, it’s about four out of five citizens think that there’s going to be something that could damage the state’s infrastructure through that cyber vector. Do they care or want the governments to then protect that infrastructure? Are they giving up, say, expansion of roads, or libraries, or schools, or tolerating increased taxes? How does that look?
Melissa: I think for citizens, when local governments experience a breach, it definitely can have cascading effects. You know, there might be the concern of hospital blackouts during an emergency. You know, when trying to reach the police through 911, there might be an empty dial tone because, you know, there’s been a breach in the system there. They could also be compromised, and their personal and financial data is compromised, or even their biometric data, which cannot be replaced. So that could be a big concern. In addition, there’s also government-associated institutions like universities, who if they face the compromise, they could lose potentially decades of research and discovery. So, you know, I don’t really have a clear answer on is it a give and take for American citizens? I think, you know, we want to be protected in all facets of life. But, you know, I think it’s definitely a high concern.
David: But as you outline some of these risks, you know, in the near term, it could be that I call 911, no one can hear or, you know, I can’t get the dial tone to work, the water doesn’t get delivered, long-term the research that may make the community safer or more healthy is wiped away. And then in the meantime, you know, as governments are looking to clean up from a breach or to deal with the aftermath of an attack, there’s got to be funds to go to that and, you know, that’s the tax dollars that are being pulled away from the smoothing of the roads as you put it, and, you know, a little bit of prevention seems like it would go a long way, but it takes everyone coming together and understanding that that’s important. To that end, I’d wonder what states are doing well right now. Do you have any examples of some bright spots?
Claire: Absolutely. So there are states really across the nation that are doing an excellent job of really stepping up and really engaging in the difficulties that they’re facing with cybersecurity. An excellent example is Georgia’s governor, for instance, who has previously released a budget with recommendations to the General Assembly, and in it was a $50 million recommendation for a new cyber and innovation training center, which will hopefully create a more secure environment and really invest in cybersecurity education. And then, you know, further up the West Coast, we have other states like California and Santa Clara County, who are taking really robust actions to harden their counties’ network infrastructure, modernize their public safety and criminal justice infrastructure, and really upgrade some of their older mainframes, you know, so that they have a secure data-sharing environment.
And then, you know, one of the best things that we did see coming out of that same state and county was upgrading their IT job descriptions so that they accurately capture different partner roles and responsibilities to attract the right qualified candidates. And then, you know, closer in the heartland, we have other states like Ohio’s Department of Administrative Services, who implemented a new program to improve statewide cybersecurity by engaging with local governments and school districts. So really, you know, from coast to coast, we have different states who are really engaging in this problem, having the strategic conversation and trying to attack the cyber problems with, you know, multiple different measures from cybersecurity to making sure that they have qualified candidates and educated users, so really a holistic response.
David: Well, yeah, I think that the examples you give, we all really have to applaud and maybe follow along and see where we can state-to-state meet those high bars or even exceed them. Melissa, can you talk to me about what state governments could or should be doing as far as best practices? I know you do a lot of research and you probably have some ideas on things that would help out a local or state government.
Melissa: I think in general, it’s key for governments or just listeners in general to understand their environment and establish requirements for protecting it. You know, creating budgets that allow for cybersecurity and hiring qualified professionals is a great start. They can also, you know, do their own research in, you know, are there any third parties that I should hire such as incident response or are there any companies that provide different guidelines for IT network infrastructure. With knowing the environment comes knowing the threat, and intelligence sharing will help tremendously with that. As other states have done their collaborating with state and local governments, they’re also collaborating with the federal government, local universities, really anyone that can share and provide some insight on threat intelligence and the current threats, you know, motivations and what they might be after.
You know, I think in previous blogs, we’ve actually discussed wargaming and fire drills, and those can also be critical in defense. And I believe that still to be true always.
David: Yeah, this is basic cyber hygiene, but it’s I think one of those things that it’s really difficult. So I commend some of those states that you mentioned earlier that were doing a good job of finding budget like California or the work that Georgia is doing. I would wonder, as you’re looking at the complexity of security in the state governments, is there anything that’s coming up over and over that holds them back?
Claire: I think a continuous threat or continuous hurdle that states are facing is making sure that they have enough budget available and going through that very lengthy allocation process to make sure that they can invest in their infrastructure because it can be difficult. There are multiple demands as you discussed earlier about, you know, making sure that the roads are still drivable, and, you know, making sure that education is funded, you know, other critical priorities for citizens. But one of the things that we’ve been looking at kind of jumping ahead of it is election security and making sure that, you know, there’s enough of a budget to make sure that different digital platforms, paperless voting systems are up to snuff in order to make sure that those elections are secure.
David: So talking about election security, it seems to me that one of the other things that governments could do to help each other is share their intelligence on the threats they’re facing, but also maybe some of the vulnerabilities or security weaknesses that they’re finding in those election, I guess, voting machines and processes. Are you seeing any movement in that direction on threat sharing?
Claire: Yeah. So we are actually seeing a lot of states and local governments participating in information sharing and analysis centers or what we call ISACs in order to have those strategic conversations and make sure that known vulnerabilities are being communicated and that the most recent threat information is being disseminated within that critical community.
One of the things that we’ve been following is the coming 2020 elections. And according to the Brennan Center for Justice, about 16 million Americans are going to be voting on paperless systems in the upcoming election without a voter-verified paper ensuring authenticity. But these digital ballots will be cast in multiple locations that are running on legacy systems. And in order to make sure that there is enough of a secure environment, it’s really been coming down to those different ISACs making sure that information is available to make sure that systems are patched, up to date, hardened, and it’s a reliable environment.
David: So beyond ISACs, what are governments within a state whether they’re at, you know, the state level, or the local city level, or even across state lines doing to help each other out?
Claire: So outside of the ISACs, one of the things that we see state and local governments doing is really standing up different working groups that will connect from different counties, or different states, or state to state that are really bringing to light some of the issues that they’re all facing, whether it be how to make sure that they move along in appropriate budgeting process or different threat actors they’re facing, but really having, again, those critical conversations to address some of the common problems that they are all currently going to face, or even threats that are going to be potentially on the horizon.
David: Are there other resources that you might point our listeners to that would help them out thinking about those counties, leaders at the State House, or, you know, mayors of local cities?
Claire: Yeah, that’s a great question. One of the best things that really can be done is to patch into intelligence sharing and different threat intelligence platforms. And that really is what’s going to allow different network defenders to assess network risk, develop responses, and act on accurate and actionable information. I’ll also say that sharing information between organizations including government and the private sector, provides great insight and unique perspectives on threat activity and makes for greater visibility of threats and the holistic threat environment all around. So having that intelligence speed is critical.
David: So the thing that really stuck with me after that conversation, and I keep thinking about it because it’s true in a lot of different parts of my life, and I think it’s true in security is that you get what you ask for. And if you word your job rec correctly, if you put the right language into the job description, you’re going to attract different talent, you’re going to attract diverse talent, you’re going to get the right people on your team. And I think any government, any state, in fact, any business can start with security at the recruiter and their HR level.
Pam: Well, and I think too, when I read a lot of job descriptions out there in the market, you know, they’re focusing a lot on the technical things. And one of the things IBM has talked about has been this idea of, you know, new collar or no collar, and how you’re writing that description because you want, you know, enthusiastic people like Leslie Knope of “Parks and Rec.” And that’s what this whole conversation reminded me of, the idea of state and local government. And that’s just a comedic view into it, but looking at the personalities and you’re trying to attract curious, energetic people, and having your job description reflect that because I don’t know that when you talk to young kids, and even if you get them interested in cybersecurity, do they think like, “Oh, I’m going to go work for the city.” Like, no, they want to be out there like threat hunting, doing like super-secret spy stuff. And it’s not always that glamorous. So that comment really made me think about the types of personalities and the energy and curiosity that you want out of that kind of role.
David: Yeah, finding the balance between the threat hunter and the Hollywood personification of, you know, the cyber warrior, but also somebody that has grit and discipline and stick-to-itiveness that will come in and drive hygiene and policy. That’s actually really tough work. And I think it takes a different type of job description to bring those people into the fold. And in fact, that’s going to be the type of thing that makes a huge impact over time as their work compounds for your state or your local government.
Pam: Yes, current opening, Ron Swanson of Cyber Security. But let’s switch gears, David. So I just spent some time in Texas, in the city of Houston, and was there for some major sports ball action, and knowing that, that Texas maybe suffered a bit of a loss, do you have any good news for us about Texas this week?
David: Actually, I do. So if you recall, Texas had a number of cities, 23 that were attacked by a ransomware. And, you know, the governor here, he declared an emergency. And instead of this taking an enormous amount of time to clean up, Texas actually has a playbook. And they were able to pivot to the playbook and make incredible strides here in Texas against this ransomware. And I think it’s the type of thing that shows that, you know, if you have a plan, if you practice that plan, and then execute that plan, when something goes wrong, you’re going to see much different results than if you wait until, you know, everything’s on fire to go, “We should probably figure out what we should do about this.”
David: So that’s the good news.
Pam: Well, that’s it for this episode. Thanks to our colleagues, Claire and Melissa, for joining us as guests.
David: Subscribe to this podcast on Apple podcast or SoundCloud, and make sure you never miss an episode. You can also visit securityintelligence.com to learn more about the research discussed in this episode. Thanks for listening.