Daniel Krebs works each day to block hackers from Monroe County’s computer systems.
“It becomes a game of cat-and-mouse,” says the county’s deputy director of information systems. “We create better protections and the advanced persistent threats come up with new and improved ways to beat those protections.”
Hackers have found easy targets in local governments around the nation, especially following the coronavirus outbreak. A tiny chink in a government agency’s digital armor can be used to access digital files, deny access to them or gain control of computer systems.
“The good guys have to protect against every possible way in,” says Jonathan Weissman, a senior lecturer on computing security at Rochester Institute of Technology’s Department of Computing Security. “The hackers only need to exploit one. It’s never going to be a fair game.”
Cyber attackers have been busy. U.S. organizations of all kinds suffered 662 data breaches in 2019 that exposed 16.2 million confidential, sensitive or protected records to attackers. In 2020, hackers multiplied their efforts, launching 1,001 attacks that exposed nearly 156 million records.
Locally, governments have received that kind of unwanted attention. Since March 2020, criminal traffic to Monroe County’s websites has risen by close to 300 percent.
“We’ve noticed an increase in alerts on our security controls, we’ve noticed an increase in phishing, we’ve noticed an increase in bad web traffic,” Krebs says.
A growing problem
An Ontech Systems report found that government agencies are now the most frequently targeted organizations, suffering more than 15 percent of all cyberattacks last year. Cyber criminals know that a successful cyberattack on a local government will have an outsized impact, and that can increase the odds of a payout, the report states.
In particular, phishing attacks, where a hacker sends emails to an agency’s or organization’s employees that appear to be legitimate but harbor malicious software, can prove costly to the organizations involved. In some cases, they have to shut down while they deal with the problem. Malicious cyberactivity cost the U.S. economy as much as $109 billion in 2016 alone, a Thompson Hine report shows.
Those who try to break into government agencies’ computer networks do so for a number of reasons, from a desire to beat their safeguards for fun to patriotic fervor. One recent major cyberattack was traced to the Kremlin.
Hackers believed to be working for the Russian Foreign Intelligence Service broke into SolarWinds’ Orion networking program in early 2020. The breach might have allowed spies to gather intelligence from the files of as many as 18,000 of the Texas-based information technology firm’s customers, including Microsoft, the Department of Homeland Security and the National Nuclear Security Agency, which safeguards and maintains the nation’s nuclear weapons stockpile.
SolarWinds has eliminated the weakness in Orion that allowed the hackers to exploit the program, but the organizations that use it might have to deal with the attack’s effects for some time.
“The only way to know for sure you’re safe and secure is to tear everything down and rebuild it from ground zero, which most companies don’t have the time, manpower or desire to do,” Weissman says. “That SolarWinds attack is going to be lurking, most experts say, for many years until we know for sure that those systems are clean.”
On April 15, President Joe Biden responded to the SolarWinds attack by imposing sweeping sanctions against Russia, including punitive economic measures and the expulsion of 10 Russian diplomats. Still, Microsoft announced on May 27 that the same group that executed the SolarWinds cyberattack had made its way into an email marketing account of the U.S. Agency for International Development. That access could allow Russian intelligence to steal data from as many as 150 different organizations in about two dozen countries, including government agencies.
A quick buck
While some hackers set out to improve their country’s chances on the international stage, others just want to make a buck. Ransomware, a particular form of malware, has grown popular among those seeking to profit from cyberattacks.
“Ransomware is the most nefarious of the tools that are out there right now,” Krebs says.
Ransomware can secretly make its way into a government or government agency’s computers or networks, most commonly via a phishing attack upon its employees.
“Ninety-seven percent of phishing emails are meant for delivering ransomware,” Weissman notes.
When an employee opens one of the messages, the ransomware enters the agency’s system and encrypts its files, denying all but the hacker access to them. The target must either pay the ransom, or try to regain access to its files. Until the agency does so, it’s unable to function completely, and might even have to shut down for a time.
At least 2,354 governmental entities, health care facilities and schools in the U.S. were subjected to ransomware attacks in 2020, a 58 percent increase over the year before. Of that total, 113 of the targets were federal, state and municipal governments and agencies.
The FBI encourages ransomware victims to refuse to pay hackers, but that can prove costly. In May 2019, hackers hit Baltimore’s computer systems, and demanded that the city pay bitcoins worth $76,000 at the time of the attack (bitcoin value changes over time) for its files. On the advice of the FBI, the city refused to pay.
Baltimore spent weeks undoing the damage to its computer systems, during which its employees were locked out of their email accounts and city residents were unable to access the websites where they once paid their water bills, property taxes and parking tickets. City officials subsequently estimated that the cost to Baltimore in lost revenue and the expense of restoring its systems would come to $18.2 million.
Other municipalities that were cyberattacked fairly recently decided that resistance wasn’t worth it. Last November, officials in Delaware County, Pa., reported that a ransomware attack that was executed via phishing had cut it off from its employees’ personal data. The county was forced to pay the hackers, whom it did not identify, $25,000 to regain access to employees’ digital files.
Even ransomware victims that pay their attackers risk suffering at their hands. Hackers are not above putting an organization’s files, which often contain sensitive information on their operations, employees or clients, for sale on the internet.
“He’s got all of my employment records, and then he posts it on the dark web where it’s purchased,” Krebs says.
Hackers also prey on educational institutions. The Victor Central School District discovered on Jan. 30 that ransomware had encrypted a number of its systems, knocking out its phone system and access to the internet. The district shifted to remote instruction, and students began returning to their classrooms on Feb. 8.
District officials did not provide many details of the cyberattack, but said that the FBI and DHS were investigating the incident.
In a vulnerable position
Government agencies can be vulnerable to hackers in many ways. Even the best of their employees might open the wrong email.
“Humans are, and always will be, the weakest link,” Weissman says.
Capitalizing on effects of the COVID-19 pandemic on agencies’ employees, hackers sent out large numbers of emails that played on their emotions.
“We saw a significant increase in COVID-related phishing scams,” Krebs says. “The authors are going to try to capitalize on fear and urgency.”
Cybercriminals also used that approach during the runup to the 2020 election.
Adding to the problem, government agencies might not have the most up-to-date hardware and software.
“Old, obsolete hardware and software are rampant in government infrastructures,” Weissman says. “They’re targets waiting to be exploited, because the modern security implementations are just not going to be there.”
At the same time, hackers’ weapons have grown faster and more sophisticated.
“There’ve been tools that have been created since the last five to 10 years that have provided a lot more capability and ease of use, and they’re more readily available,” Weissman says.
Local governments can take steps to limit the risk of being hacked, like training staff to be alert.
“Education should be number one on any company’s list of ways to protect their systems,” Weissman says.
At the town of Perinton, employees are all taught its rules for safe computer usage.
“We have a computer use policy that we make sure all employees are aware of,” says James Donahue, founder and president of JD Computer Solutions, which services the town’s computer system and oversees its security. “A lot of it is just making sure your staff are well-trained, and trusting they’ll do the right thing.”
Monroe County also regularly trains its employees in the multitude of policies, procedures, security controls and applications that it has in place to help keep its systems safe.
“Since last year, we’ve increased both the intensity and the duration of that cybersecurity training for Monroe County users,” Krebs says. “They’re normally done several times a year.”
Governments also need to make sure their software and hardware are up to date. The village and town of East Rochester share the same geographic boundaries, offices, computer systems and software. A state-of-the-art firewall that prevents malware from traveling from one network to another limits the amount of damage that a hacker could do.
“It’s built to look at the traffic, (and) make an attempt to remove the things that are going to be dangerous and damaging,” says Martin D’Ambrose, East Rochester village administrator. “That’s the first line of defense that probably we have.”
Antivirus software protects the municipalities’ systems from digital viruses that could damage or destroy their files. Monroe County uses what Krebs calls a defense-in-depth approach.
“Whether you’re talking about file shares, PCs and laptops, cloud software to service applications, remote access, whatever the case, we have to be able to provide some kind of security control,” he says.
Krebs and his staff had to take additional measures to safeguard the county’s systems after the pandemic forced some county employees to work from home.
“This included things like making sure that their remote access was secure,” he says. “If they were taking work devices home, that their home network was encrypted, or they weren’t sharing their work devices with friends or loved ones.”
In addition to making sure employees have the right software, those in charge of government computer systems need to be sure to fix vulnerabilities in those programs. Such problems normally come to light after a program is on the market and in use.
“Any product that you’re using has a regular cycle of issuing functionality patches and security patches,” says Ed Mattison, executive vice president of operations and security services for the nonprofit Center for Internet Security in Rensselaer County.
It’s essential that they be applied as soon as possible after they’re issued.
“One of the byproducts of issuing the patch is it does tell the bad guys where the holes are in systems,” Mattison says. “If the systems aren’t patched, those holes will be evident to the bad guys.”
Those in charge of local agencies’ computer systems say they regularly take care of such problems.
“We’re constantly patching servers and PCs,” Donahue says. “It’s just a constant struggle to keep everything up to date.”
Monroe County has a robust patching strategy for all of its operating systems and web browsers and applications, Krebs says.
He and his staff routinely monitor when county employees log in, in order to see whether the person at the keyboard is a legitimate user.
“If we see somebody that normally works 8-to-5 … logging in at 1 a.m., that might spark a flag,” Krebs says.
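The off-hours login check Krebs describes, as an added example that is not part of the original article or of Monroe County’s own tooling: it learns each user’s usual hours from a constructed set of baseline login records and flags later logins that fall outside them, including night-shift users whose hours wrap past midnight. The log format, user names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample login records (not real county data): "timestamp user result"
BASELINE_LOGS = """\
2021-03-01T08:02:11 jdoe success
2021-03-01T16:58:40 jdoe success
2021-03-02T08:10:03 jdoe success
2021-03-02T17:01:22 jdoe success
2021-03-03T07:55:30 jdoe success
2021-03-01T22:15:00 nightops success
2021-03-02T23:40:12 nightops success
2021-03-03T01:05:44 nightops success
"""
NEW_LOGS = """\
2021-03-04T01:12:09 jdoe success
2021-03-04T13:00:00 jdoe success
2021-03-04T01:30:00 nightops success
2021-03-04T13:00:00 nightops success
2021-03-04T03:00:00 jdoe failure
this line is malformed and is skipped
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(success|failure)$")
def parse_logins(text):
    """Yield (user, datetime) for each well-formed successful login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "success":
            yield m.group(2), datetime.fromisoformat(m.group(1))

def build_profiles(text, pad_hours=1, max_gap=8):
    """Learn each user's normal hours-of-day: observed hours padded by pad_hours, with gaps
    of up to max_gap hours between logins treated as one shift (so it wraps past midnight)."""
    seen = defaultdict(set)
    for user, ts in parse_logins(text):
        seen[user].add(ts.hour)
    profiles = {}
    for user, hours in seen.items():
        ordered, normal = sorted(hours), set()
        for i, h in enumerate(ordered):
            gap = (ordered[(i + 1) % len(ordered)] - h) % 24  # circular distance to next
            span = gap if 0 < gap <= max_gap else 0
            normal.update((h + d) % 24 for d in range(-pad_hours, span + pad_hours + 1))
        profiles[user] = normal
    return profiles

def flag_off_hours(profiles, text):
    """Return (user, timestamp) for logins outside the user's learned hours; unknown users skipped."""
    return [(u, ts.isoformat()) for u, ts in parse_logins(text)
            if u in profiles and ts.hour not in profiles[u]]
```

Users with no baseline are deliberately not flagged here; a new or never-seen account needs its own check rather than a comparison against hours it has never had.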
Donahue conducted tests to see how often Perinton’s employees clicked on phishing emails.
“We were well below the industry average, but anything more than zero is not acceptable,” he says.
Finally, government agencies need to be sure that they can recover their data if hackers break through their defenses. East Rochester encrypts its files and stores them in three locations. Two of them are municipal buildings, and the third is a secure area that a vendor provides offsite.
“They offer (what) they call a ‘15-minute recovery,’” D’Ambrose says. “In 15 minutes, you’re going to be back in business.”
Whatever measures local officials take to safeguard their computer systems, they won’t be able to completely eliminate the threat of being hacked.
“In today’s threat landscape, it’s not a matter of if you get breached, but more a matter of when,” Krebs says.
Mike Costanza is a Rochester Beacon contributing writer.