Study finds states widely vary on ability to guard against cyber attacks


Last year, when Baltimore’s municipal functions basically came to a halt, it highlighted the cybersecurity challenges at the non-federal level. The truth is, the ability and skill in staying cyber safe varies widely across state and local governments. That’s the finding of a detailed study by BlueVoyant. For more, BlueVoyant’s head of incident response and former FBI special agent Austin Berglas joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Mr. Berglas, good to have you on.

Austin Berglas: Hi, thanks for having me.

Tom Temin: And I guess because of the fact that federal agencies have a lot of statutes and regulations for their cybersecurity, there’s maybe a little bit more consistency. That’s not the case, is it, for state and local government?

Austin Berglas: It is not. And that’s one of the things that we highlighted in this report: there is a wide variety of state and local online infrastructure. And with that, it causes lots of opportunities for compromise. We found that a lot of state and local municipalities are not on what we call the .gov domain. They’re on different types of top-level domains, .coms, .orgs, .mes, which means that they don’t have the central management from the .gov, and all the things that come into play when you’re on the .gov domain.

Tom Temin: And I guess this should all be of worry to the federal government because so many programs from food stamps to emergency pandemic payments and so forth often go through state and local agencies.

Austin Berglas: Exactly. And it’s not just that, there’s a risk to human health and human safety. We’ve seen incidents where 911 systems were knocked offline because they were part of the local infrastructure. And when that local infrastructure was hit by a ransomware attack, that infrastructure was knocked offline. And nobody was able to get into the 911 system for a period of time. So when people think of attacks against state and locals, they think, “Oh, I’m not going to be able to make my tax payment or my sewer payment.” They don’t think of it like a healthcare facility, like a hospital, where an attack would potentially put some people at risk, but there’s definitely that human safety risk involved here.

Tom Temin: You mentioned ransomware. Is that the principal attack methodology for state and local governments?

Austin Berglas: It’s not necessarily the only one, but we’ve seen a rise in ransomware attacks against state and locals. The ransomware attacks, simply, are where bad actors are able to put some sort of virus on their system which either locks up certain files, entire computers or entire networks. And more recently, they do more than that. They actually go in first and steal certain types of sensitive data and then hold that data for ransom. High ransom. Just recently, a few weeks ago, we had a case come in where the ransom was for $20 million. If they didn’t pay that $20 million, not only were they not getting their computers unlocked, but sensitive data that was stolen would be released either for sale on the dark web or released to the general public, which obviously could create lawsuits or great harm to their brand and reputation.

Tom Temin: Sure, and for some small agencies, $20 million could wipe out a village or a town, in point of fact. And are phishing emails the primary delivery mechanism for these kinds of ransomware attacks?

Austin Berglas: Yes, it’s one of the two top delivery mechanisms. So yeah, email phishing. And in the report, we highlight a case study of a few districts in Wisconsin where email phishing was the primary vector of attack there. And then second is something called RDP, or remote desktop protocol. And it’s a way that outsourced providers, IT providers or outsourced payroll providers, can log into a state and local network remotely. And oftentimes when it’s not used, that port or that access is left open and the bad guys know it, and it’s a very, very common approach to push ransomware in through that open RDP port.

Tom Temin: Is there anything that can be done from the federal level to assist state and local governments? I mean, we have this whole Cybersecurity and Infrastructure Security Agency which has outreach to industry. Does it also have outreach to non-federal government, or should it?

Austin Berglas: Yeah, and that’s highlighted in a report that was released earlier this summer, called the Cyberspace Solarium Commission. And in there are about 50 recommendations to improve the public-private partnership. One of the recommendations there is to allow CISA to actively threat hunt, or look for badness, on the .gov domain. And that’s just another reason why it’s recommended for the state and local municipalities to get on that .gov domain. When you get on the .gov domain, not only do you get kind of the monitorship that the federal government will provide, but it requires members to have two-factor authentication, which is very, very important in preventing these phishing attacks. It makes sure that there’s something called HTTPS, or security on the browsing on computers. And again, it also allows for CISA to be monitoring that space. So there’s a management aspect. But these are part of the recommendations that are pushed out in that Solarium report.

Tom Temin: Another one, I guess, would be for state and local governments to have information sharing mechanisms, so that threat detection and so on, and whatever they find out about what’s going on in the threat environment, can be alerted throughout the nation, so that everyone can get on board with being on the alert for it and protecting themselves against it.

Austin Berglas: Hugely important, hugely important, and that is a discussion. The US government has made massive improvements in this area; there’s still a lot of work to be done. But it’s so important, especially in the same sector, in the government sector, when one state or one municipality sees an attack or falls victim to a ransomware attack, how can they take those, what we call indicators of compromise, kind of the footprints of the bad guys, and share those rapidly and easily across the sector and across industry to make sure that other states and locals are protected against that same type of attack. And that’s where the federal government plays a large role in facilitating that public-private partnership. And that’s, again, something else that is recommended for improvement.

Tom Temin: Getting back to your report, there are some pretty interesting statistics in there. Give us some of the numbers that you found with respect to attacks and compromise at the state and local level.

Austin Berglas: Sure. So one thing that we found was, over a period of about six months, we observed over 95,000 incidents of inbound targeting focused on the 28 counties that we highlighted in this report. 17% of those counties showed signs of potential compromise. And at least one of them showed what we believe to be an active infection. And the way we see that is looking at the outbound communication of these organizations. And if that communication is going to infrastructure that’s hosted or owned by known bad actors, we can with a high rate of confidence say that there is something inside that network communicating. And that’s how viruses and malware work. It has to communicate with what we call command and control; it has to report back to home base.

Tom Temin: This is all occurring at a time in a period when state and local governments are actively increasing their deployment of digital services. So it seems like their vision is ahead of their cybersecurity and ability to protect what it is they’re putting out to the public.

Austin Berglas: Yeah, I mean I think that’s not just the state and local. I think that’s everywhere, where technology is moving at a very, very rapid pace, yet a lot of small and medium-sized organizations don’t have the funding and capacity to have the appropriate amount of trained cybersecurity professionals to manage that technology and manage those threats. So it’s definitely a fight to stay ahead of the vulnerabilities and the bad guys.

Tom Temin: And finally, I guess state and local governments can do something the federal government is increasingly doing, and that is, for digital services deployed to the public, requiring two-factor authentication and maybe use of the login.gov types of mechanisms so that citizens can play a part in protecting themselves.

Austin Berglas: Yeah, look, especially with the pandemic and a lot of organizations, most organizations, going 100% remote, what that does is increase the attack surface. It gives the bad guys more opportunities to compromise. There’s more laptops, there’s more cell phones. Some of the things that these people can do very, very easily, we call it low-hanging fruit, to allow them to best protect themselves against some of the most common attacks is, as you said, make sure that you have two-factor authentication on all of your email accounts and sensitive infrastructure. And then secondly, is making sure that there’s a hard password policy, a no-reuse password policy. We know that most people reuse passwords, the same for multiple accounts. And highlighted in the report, when we’re talking about Wisconsin, we’re seeing at least 4,000 instances of county email addresses that were implicated in 64 distinct data breach events. So those passwords and usernames are floating around the dark web. Bad guys are getting them and they’re testing them against certain accounts. So if you’re not reusing passwords, it limits the ability for the bad guy to use old recycled passwords to get into your account.

Tom Temin: Sure. So everybody’s got a role here, in other words.

Austin Berglas: Sure, you know, one part of cybersecurity is the technology and the technology implementation, but the majority is the human factor, the weakest link in the chain oftentimes. So if we can educate the workforce and our employees to be the best line of defense, that’ll just enhance the technology that’s put in place.

Tom Temin: Austin Berglas is head of Ransomware Incident Response at BlueVoyant and a former FBI special agent. Thanks so much for joining me.

Austin Berglas: Thank you, sir. Have a good day.
