Cyber resilience: A local approach
In our previous blog posts we have looked at a case study of a vulnerable water plant and explored using Shodan to scan the internet for vulnerable programmable logic controllers. In researching what I wanted to write about next, I watched a presentation at Black Hat 2017 by two U.S. Attorneys about their investigation, arrest and conviction of Roman Seleznev, a Russian hacker and dealer of stolen credit card information. What struck me during the presentation was that many of his targets were small U.S. businesses (the presentation highlighted a few restaurants in the Northwest U.S.), because many of them were easier to hack: they had poorly configured remote desktop services and were storing credit card data in insecure formats. The result of some of these breaches was that the targeted businesses shut down shortly after publicly announcing they had been compromised. This got me thinking: what are the effects of cyber attacks on small businesses? What about on rural hospitals? Or local governments and first responders?
Let's start with small businesses. In October 2017, a USA Today article aggregated some of the numbers from various reports and concluded that over 60% of reported data breaches involved small businesses, that “90% of small businesses don’t use any data protection for company and consumer information” and that “60% of small businesses go out of businesses within 6 months of an attack”. Clearly small businesses are targets, and there seems to be a strong correlation between being breached and shutting down, yet a majority of small companies aren’t securing their data. In Verizon’s 2017 Payment Card Industry (PCI) compliance report the numbers were slightly better, with 55% of businesses fully compliant with payment card security requirements, but these numbers are across all sizes of businesses. A reason for these statistics may in many cases come down to money; large corporations have the budgets to pay for advanced security software and updated systems and to hire trained professionals who focus solely on information technology protection. Affordable cyber security training, awareness and implementation of data protection by small businesses are critical to long-term viability and to the health and sustainment of the economy, as small businesses make up between 60 and 80 percent of jobs in the U.S.
As the ‘internet of things’ expands, there have been increasing threats to internet-connected medical devices, alongside the conventional and persistent threat to patient data and records. A June 2017 report from the Health Care Industry Cybersecurity Task Force indicated that small practices and rural hospitals still deliver the majority of health care to Americans and that they do not have the information security resources and infrastructure to keep up with new attack vectors. Nor do they have the technical capacity or skilled professionals to analyze attack information, or “physical and logical access controls consistent with best practices”. The report goes as far as to say they “have not crossed the cybersecurity digital divide”. Earlier, the report describes how these small practices and rural hospitals help form a “mosaic” of healthcare throughout the country. This interconnectedness could mean that a motivated attacker could exploit the weaknesses of a smaller provider to obtain the information needed to breach a larger organization that does business with it, as well as to compromise patient care or records at the smaller rural institution itself.
So we see that small businesses and rural healthcare are both facing cyber readiness issues; what about local government? Unfortunately, the same issues that have affected small businesses are at play here: budget crunches, older systems and a lack of resources and advanced training have left many governments vulnerable to potentially crippling attacks. Most recently, the government of Allentown, PA was subject to an attack from the malware ‘Emotet’ which completely shut down the finance department of the city, security cameras and police access to criminal databases. The breach is estimated to cost the city almost $1 million to remediate. In December of 2017, Mecklenburg County in North Carolina was also hit with malware which took down systems that dealt with tax collection, inmate and arrest processing and other database functions. Attacks didn’t just focus on financial functions either, with police and fire departments facing ransomware attacks in Maine and Massachusetts, among many others. These attacks blocked access to records and, in some cases, disrupted dispatching capabilities. A contributor to a CNBC article from 2015 on the targeting of police departments said that “it’s not unheard of to see a Windows XP or Vista still in action in a law enforcement environment”. The trend of using outdated systems continues into another facet of local government that has much further-reaching implications. According to a report by the Brennan Center in 2015, voting systems run by state and local governments in at least three states were based on woefully outdated Windows 2000 or Windows XP systems. This may correlate directly with recent disclosures that Russia was able to “successfully penetrate a small number” of state voting infrastructures, although the specific details of this penetration are still coming to light or are unknown.
This is all a lot of doom and gloom, so where do we need to go from here? In the small business world, Congress is starting to take action. The “Main Street Cybersecurity Act” is a new bill that passed the Senate this fall and would task the National Institute of Standards and Technology (NIST) with creating a cyber security framework for small businesses. This is a first step toward providing these business owners free and technically sound guidance on steps they can take to secure their businesses. NIST only provides guidelines, though; there still needs to be an affordable way for small business owners to implement the guidelines and protect their companies. In healthcare, the government task force report referenced earlier called on the Department of Health and Human Services (HHS) and NIST to develop cyber readiness scanning tools specifically for rural locations, and for HHS to partner with DHS to promote research into cyber security solutions for rural and small healthcare establishments. When it comes to local government, an article by Greg Garcia, a former Assistant Secretary for Cyber Security at DHS, cites statistics that underscore the attacks outlined earlier. In 2015, states spent 0-2% of their IT budget on cyber security; of the 30 states that took Homeland Security Grants, only $27 million over four years was spent on cyber, and those states left 36% of the grant money unspent. Garcia’s recommendation, which is from late 2016, bears repeating now as the policy agenda has caught up to it. The infrastructure plan being explored by the current administration must include significant money for states to completely rebuild or renew their computer systems in accordance with already developed NIST guidelines, to harden and secure them against cyber threats. This would ensure the new physical infrastructure comes with a strong, up-to-date, sustainable cyber backbone under it.
Pulling back to look at community resilience, the cyber security of local businesses, health care providers and governments is paramount if all of them are to sustain their ability to conduct normal business, protect jobs and provide essential services to residents. The solutions and potential funding from the federal government outlined above are all well and good, but the urgency and understanding of the problem must have buy-in from the grassroots level. Local communities need to come together to advocate for, build and maintain a cyber security posture that may directly influence their employment, the privacy and availability of their health care and emergency services, their right to cast a fair vote, and their communities' ability to thrive in the 21st century.