Hackers Seized on the Pandemic. Some States Are Fighting Back.

Shutterstock

 

Connecting state and local government leaders

“We don’t want cyber 9/11.”

This story was originally posted by Stateline, an initiative of the Pew Charitable Trusts.

COVID-19 made its U.S. debut in Washington state, but the virus was only the first of several intruders to attack the state in the past year.

Last spring, cybercriminals breached the state’s unemployment system. Washington was one of the states affected by the massive SolarWinds hack, which was discovered in December. And earlier this month, the state auditor’s office disclosed that fraudsters had exposed the personal information of more than a million residents.

“We have a serious governance and oversight problem,” said Washington state Sen. Reuven Carlyle, a Democrat who chairs the Senate Environment, Energy & Technology Committee. “The state auditor breach is historically serious, on every level. And we’ve had four or five major cyber incidents in the last year.”

Rocked by the massive SolarWinds hack, unemployment system breaches and other attacks, several states are trying to bolster their cybersecurity in the midst of the public health crisis.

“If there’s ever been a year to reprioritize and make sure your cybersecurity is taken care of, this is it,” said Forrest Senti, a vice president at the National Cybersecurity Center, a nonprofit think tank based in Colorado Springs, Colorado. “These attacks are precursors to what could happen if we’re not investing properly and doing training and listening to those who know how to deal with this. We don’t want cyber 9/11.”

Cyberattackers have forced states to take down websites, stolen $36 billion in unemployment payments and exposed millions of residents’ personal information to scammers.

In Washington state, lawmakers are proposing to centralize agencies’ cybersecurity practices. In Minnesota, they’re considering creating a joint legislative cybersecurity commission. In Maine, Democratic Gov. Janet Mills issued an executive order establishing a cybersecurity advisory council. And in Texas, state officials are teaming up with a private security company to provide cybersecurity defense services to state and local agencies, after a series of ransomware attacks.

Meredith Ward, policy and research director at the National Association of State Chief Information Officers, said attacks during the pandemic have brought more awareness to the need for stronger protections.

Cybercriminals have had new opportunities to disrupt, she said, whether it’s trying to target the supply chain or launch ransomware attacks on hospitals and health care systems.

“Unfortunately, the bad guys seize on every opportunity they can. That’s what we’ve seen during the pandemic and with these high-profile cyber incidents,” Ward said. “It’s brought attention to what state chief information officers and chief information security officers have been struggling with for a while.”

SolarWinds Attack

The SolarWinds espionage hack, which according to federal officials likely came from Russia, was one of the largest cyberattacks in recent memory. To access information, sophisticated cybercriminals hacked into and hid malicious code in a software update from SolarWinds, an Austin, Texas, technology company.

It was distributed to thousands of public and private sector customers in the U.S. Among them: Microsoft, Cisco and the U.S. Justice and Commerce departments.

Several universities were victims as well, including Iowa State and Kent State universities.

The hackers also hit Pima County, Arizona, where an official wouldn’t disclose the extent of the attack, but said there was no indication any data had been stolen.

At least three state governments were breached in the SolarWinds attack, Bloomberg has reported.

A spokesperson for the Virginia State Corporation Commission, which regulates utilities, insurance and other institutions in the state, later confirmed it had been one of the targets. Carlyle, the Washington state lawmaker, told Stateline that his state also was hit. The third state has not been identified.

Alerts from the federal Cybersecurity and Infrastructure Security Agency warned that the SolarWinds campaign posed “a grave risk” to federal, state and local governments, and private companies. The hackers had the “resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked,” the agency cautioned.

Brett Callow, a threat analyst for cybersecurity company Emsisoft, said these types of attacks are very hard to defend against because they come through organizations’ legitimate vendors.

Unlike ransomware attackers, who are motivated by greed, hijacking computer systems and holding them hostage until their victims pay a ransom or restore systems on their own, the SolarWinds hackers were out to get information, cybersecurity experts say.

Callow describes the SolarWinds hack as “possibly the most serious cybersecurity incident of recent times.”

Callow said many governments, hamstrung by other budget priorities, are reluctant to invest enough in cybersecurity. But with so many recent attacks, he added, that may be changing. “There’s a greater focus on cybersecurity now than there has been,” he said.

Washington State Struck

The SolarWinds attack wasn’t Washington state’s only cyber crisis this past year.

In late spring, Washington was one of more than a half-dozen states victimized in a massive fraud scheme in which cybercriminals struck unemployment systems, which already were overburdened with a huge influx of claims.

The fraudsters apparently used information about people they may have gotten from previous hacks to file fraudulent claims on behalf of those who hadn’t been laid off, without their knowledge.

A cybersecurity company linked the attacks to a Nigerian crime ring it nicknamed Scattered Canary. Washington state officials say they were scammed out of hundreds of millions of dollars in fraudulent claims. The ring also apparently hit Florida, Rhode Island and Wyoming, among other states, according to The New York Times.

Earlier this month, the U.S. Department of Labor announced $49 million in grants to 27 states to combat fraud in their pandemic unemployment assistance programs.

“Criminal organizations have tested the integrity of individual state unemployment systems, quickly exposing vulnerabilities,” the agency said in a news release. “In recent months, state unemployment programs have detected significantly more fraudulent attacks while new schemes emerge daily.”

Months after the first unemployment cyberattack on Washington state, it was struck again.

On Feb. 1, State Auditor Pat McCarthy disclosed a massive data breach in her office. Hackers had compromised a software vendor’s data transfer services in December, exposing the Social Security, bank account numbers and other personal information of at least 1.4 million Washingtonians who filed for unemployment benefits last year.

That data had been collected as part of the state auditor’s investigation into the earlier unemployment fraud scam.

Lawmakers React

In response to the attacks, a group of Washington state senators this month introduced a measure to bolster cybersecurity, at the request of Democratic Gov. Jay Inslee.

The bill would create an Office of Cybersecurity by statute within the office of the state chief information officer. The office would set standards and policies for safely storing sensitive data and develop a centralized cyber protocol for all state agencies, including those run by independently elected officials, such as the state auditor.

“Here we are, the home of some of the premier IT companies on the planet, and our cybersecurity and IT systems simply don’t reflect that qualify,” said Carlyle, the bill’s primary sponsor.

Carlyle said his state has nine independently elected state officials, and each agency is convinced it can manage its own data.

“We have a decentralized, go-it-alone approach in this state, and it simply is not working,” he said.

Many lawmakers in Minnesota also are concerned about an uptick in cyberattacks against their state.

A bipartisan group of state representatives there introduced a bill this month that would create a joint House and Senate legislative commission on cybersecurity. The panel would review state agencies’ cybersecurity policies and practices and recommend changes to protect the state from cyberthreats.

Democratic state Rep. Kristin Bahner, the bill’s primary sponsor, said Minnesota has seen some “dramatic” cyberattacks during the pandemic.

After the civil unrest that followed George Floyd’s killing in Minneapolis in May, the hacker group Anonymous breached the state Senate’s website, forcing officials to take it down.

Then, in June, Minnesota was struck by a torrent of denial-of-service attacks, in which hackers try to knock websites offline by flooding them with traffic.

“In a time of incredible turmoil, there were cybercriminals waiting to exploit that and take advantage,” Bahner said.

The state needs to make sure its websites aren’t tampered with, and it must protect residents’ personal data, whether it’s driver’s license information, Social Security or bank account numbers, she said.

“Our citizens will not be so forgiving if we allow someone to access their critical data or shut down services they rely on. There’s a new interest and understanding on both sides of the aisle.”

Jenni Bergal is a staff writer at Stateline.

NEXT STORY: Public Employees’ Use of Personal Phones, Tablets Puts Local Governments at Risk

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.