State

Natural disasters bring cyberthreats small and large

North Carolina advises its residents not to fall for scams during Hurricane Florence, while a cybersecurity consultant says communities being hit by big storms can be tempting targets for hackers.

By Benjamin Freed

September 14, 2018

While much of the response to Hurricane Florence involves evacuating coastal communities and coordinating emergency services across multiple agencies, a natural disaster of Florence’s scope could bring a lower-profile, but still dangerous, threat of cybercriminal activity.

The North Carolina Department of Information Technology, which is responsible for keeping its fellow state agencies outfitted with communication equipment and other resources through the storm, posted a series of tweets Thursday warning residents to be wary of online solicitations for hurricane relief.

“Phishing attacks use email, malicious websites to solicit personal info by posing as a trustworthy organization,” the agency posted. “Take time to look at the sender’s email address and don’t click on any links until you are positive the organization is real.”

Fundraising scams have become common occurrences after natural disasters. The U.S. Computer Emergency Readiness Team issued warnings last year after Hurricane Harvey devastated the Houston area, advising internet users to be on the lookout for phony charities designed to steal money, credit card numbers and other personal information.

The North Carolina IT agency also reminded its Twitter followers to be cautious of emails sent by people posing as the Federal Emergency Management Agency, which has long had to tell people in disaster-stricken areas not to fall for such phony solicitations. Those attempts often ask victims for personal identifying information such as Social Security numbers or bank accounts, which FEMA does not require people to supply when requesting aid.

But the potential cyberthreats that accompany a large natural disaster like a hurricane don’t just imperil residents trying to recover. They also make a tempting attack surface for hackers looking to mess with a local government’s infrastructure, said Laura Lee, an executive vice president at Circadence, a cybersecurity consulting firm.

“Let’s say you’re an adversary and you’re not sure your cyberattacks will work, but you want a playground,” Lee told StateScoop. “You can take a situation like in North Carolina and see if you can mess with the traffic signals. In that kind of backdrop you can hide in the noise.”

Lee’s firm recently developed the parameters of a three-day drill conducted in July by the city of Houston and U.S. Army Cyber Institute that simulated a major cyberattack that strikes during a natural disaster. While the Army won’t publish its report on the drill until November, Lee said it helped bring policymakers together with cybersecurity and IT professionals they might not ordinarily talk to.

“This had some nuances of what cyber could add, and getting the tech people talking to the policy people,” she said.

Lee’s firm helps government organizations and businesses prepare for how they’d respond to cyberattacks, and folding in the prospect of one overlapping with a natural disaster has become a more common part of the training.

“There’s a whole bunch of scenarios we talk about,” she said. “Being able to maneuver food to the right locations or water — that could be messed with. You could take snow, tornadoes or hurricanes and add to that. What could you to do cause problems?”

But Lee said that the reason governments are increasingly adding cybersecurity components to their disaster drills isn’t because of any natural circumstance.

“I think cities and regions are starting to think about cyber because of what happened in Atlanta,” she said, referring to the March ransomware attack that crippled dozens of internal and public-facing computer systems across the city. (The incident may ultimately cost the municipal government more than $10 million to repair.) “Before we did the Houston exercise, we prepared for six months before Atlanta. Then Atlanta came out and we said, ‘Oh boy.’ You don’t even need today’s hurricane to worry about things like that.”

Throwing a wide-ranging cyberattack on top of an active disaster would create a special kind of nightmare, though. Emergencies like hurricanes, tornadoes and blizzards can upend how local governments handle transportation, emergency response, healthcare and other critical functions, which makes securing the systems used to manage those services that much more crucial.

“You have to look at anything that’s important during that stress of resources,” Lee said.