Emptying out government offices during the COVID-19 pandemic has had the side effect of greatly expanding the potential attack surface for ransomware by introducing countless home Wi-Fi networks and personal devices into agency networks, state-government cybersecurity officials said Wednesday.
In addition to ensuring continuity of digital services and agencies’ operations through a deadly health crisis, chief information security officers must now also account for user devices that previously never would’ve connected to state networks.
“We’re now adding hundreds of unknown networks,” Colorado CISO Deborah Blyth said during CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop. “The security framework for remote devices has to be able to reach those devices outside your network, off your [virtual private network]. We have to get away from thinking that the only way to secure a device is to keep it behind locked doors.”
Other statewide cybersecurity chiefs, including Virginia’s Michael Watson, who’s responsible for safeguarding a 40,000-person telework environment, expressed similar concerns earlier this month.
And though much of government IT work over the past three-and-a-half months has been focused on continuity of operations and propping up high-demand services like unemployment benefits, more traditional concerns, like ransomware, haven’t gone away. At least 11 state or local government agencies have endured attacks — which are becoming more sophisticated — since the start of the pandemic, according to StateScoop’s ransomware research.
But Blyth, who led the response to a February 2018 ransomware attack against the Colorado Department of Transportation, said states’ plans for dealing with cyberattacks are also evolving. Even in the middle of an all-consuming health crisis, she said, it’s crucial that IT agencies form and nurture partnerships with homeland security offices, software and hardware vendors, National Guard units and elected officials.
“You should know who to call when a ransomware incident happens,” she said. “You don’t want to be introducing yourself when you’ve got an incident.”
Blyth retold the story of how she learned that lesson on the fly during the CDOT attack. For the first week after the department was infected with the SamSam ransomware, Blyth and her colleagues from the Colorado Office of Information Technology attempted to remedy the situation themselves, only to find themselves exhausted and unsuccessful. It was only after the state’s emergency management office was brought into the situation, lending its skills in organizing a disaster response, that the attack was remedied.
“Go figure out who your contact is, introduce yourself and talk about how you might partner,” Blyth said.
Joseph Daniels, the chief information officer for the office of the Illinois state treasurer, said he relies on National Guard units as subject-matter experts and incorporates other outside groups in his incident-response planning.
“I love bringing in local universities,” he said. “You need to look at third parties. Not just vendors, but friends, legal partners, people who’ve grown up in the IT world. Bring them to your tabletop exercises.”
And IT security officials need to be concerned with more than just agencies’ servers, computers and applications. New Jersey CISO Michael Geraghty said he’s also put an increased focus on the operational technology that runs physical infrastructure, like utilities and environmental controls. Asset management, he said, is a key first step.
“You can’t protect what you don’t know you have,” he said. “Having a good interview of all those OT devices allows you to have a game plan. Implement network segmentation so they’re on their own network and an infiltration into the HVAC system can’t affect the rest of the network. It’s not just like ransomware where it has an effect on data. It can have an impact on public safety, all sorts of others as well.”
Ultimately, Blyth said, preparation and practice remain two of the most important elements for governments defending against attacks from ransomware or other threats.
“Having a good strategy will not make you immune from a cyberattack, but having a good strategy will help you recover,” she said.