State websites become leading target for hackers

The executive director of the Multi-State Information Sharing and Analysis Center lays out his top concerns about cybersecurity for state websites.

CINCINNATI — When a cyberattack strikes a state or local government, it increasingly comes by way of an agency’s public website. And one of the key reasons is that agency IT staffs take too long to patch their systems, warned Thomas Duffy, the executive director of the Multi-State Information Sharing and Analysis Center.

“Elected officials want to know immediately: How could this group of low-level skilled hackers take down my website?” Duffy said here Tuesday at the annual conference of the National Association of State Technology Directors. Based on his investigations, he said the answer is usually “because the tools are out there to allow them to.”

Duffy’s group acts as cyber detectives of sorts, working to understand the causes behind these attacks, but also as advisers to states and localities around the country to help them seal up the vulnerabilities that made the attacks possible in the first place.

Duffy said that content management systems used to manage and post government information online in some cases pose the greatest threat to security for a variety. In fact, he calls CMS vulnerabilities the most frequent way hackers have successfully attacked networks over the last two years.


“It’s a great tool, but a lot of it is open source,” Duffy said. “It has all sorts of plugins that add all types of additional functionality to your website, but you have to keep it patched and updated.”

Duffy notes his group first noticed this trend in 2013, when a state in the Southwest reported a breach on its website. A closer inspection revealed its Ektron CMS was to blame, throwing up a red flag for another nearby state.

“We gave them the forensics reports which they shared with the local FBI office, and the local FBI office said, ‘Oh by the way, the neighboring state said the same thing,’” Duffy said. That led Duffy’s team to scan other state and local government websites. They eventually found 66 other sites around the country with the same vulnerability.

“Of the 66 that were already vulnerable, 22 were already compromised and did not know it,” Duffy said. “We notified them to let them know what was going on, so this got us thinking about content management systems, and ever since then, it’s been high on our radar.”

It also prompted Duffy and his colleagues to investigate how often governments patched known vulnerabilities, a practice he said is crucial to keeping attackers at bay.


Once a new security patch was released for Drupal, a widely used open source platform for building websites, Duffy’s team started keeping tabs on exactly how quickly governments using the CMS installed the improvement.

After one day, 33 percent of the group patched their vulnerabilities.

“Thank goodness for auto updates,” Duffy quipped.

By one week after the patch’s release, Duffy said about half of the websites were fully updated.

But then things started to slow down dramatically, he said. By the one-month mark, Duffy recorded that just 60 percent of sites had upgraded. By the fifth week, roughly 20 percent of websites still hadn’t installed the patches.


“If it takes five weeks just to get 80 percent patched, we have a lot of challenges,” Duffy said.

Those challenges are hardly limited to CMS patches. Duffy said phishing scams, in which hackers send out emails posing as a respected organization, have become increasingly hard to detect and can fool even the most diligent IT professionals.

“A good phishing attack, you’re not really going to be able to stop it 100 percent,” Duffy said. “In the old days, you’d say, ‘Look for misspellings’ or things like that, but forget it.”

Duffy still has confidence that the industry can respond to these increasingly complex threats, but only by expanding and reaching out to the next generation of workers.

“The technology is changing faster than we can come up with solutions and we need more workforce to do it, and the workforce just is not there,” Duffy said.


Duffy noted his center lists a number of programs designed to help states find or train prospective IT workers, including a federal scholarship program that gives students a reason to get into public service. The “CyberCorps Scholarship for Service” program, sponsored by the National Science Foundation, is one tool in the toolbox for state IT departments looking for new talent.

Students are eligible for the program after their sophomore year, and if they earn a spot in the program, the scholarship will cover their tuition for their final two years in exchange for promising to apply what they learn in the public sector for two years.

“When they do this, they have to guarantee they give two years of service back to the government,” Duffy said. “It’s an opportunity to get kids in the door, find out what exciting work is being done in the states and keep them in the long term.”

The program is especially attractive for state and local governments. “Almost all of their job requirements require security clearances, which adds another eight to 10 months before they can start work,” Duffy said. “We tell them they can start in two weeks, which is very, very attractive, and states are in the same boat.”

But whether states use the scholarship program or other methods to recruit new workers, Duffy stressed that it’s key for IT departments to start dedicating staffers to cybersecurity before they’re confronted with those tough questions.


“There’s no way just one person can protect a network adequately with the threats that are out there today, it’s just too complicated,” Duffy said.
