What is the most popular password in the Pacific Northwest? Seahawks12, or some variation thereof, according to federal cybersecurity advisor Ronald Watters.
That hackers can easily guess potential security codes of local government employees who cheer for the local NFL team is just one of the many headaches with which Watters must contend in his effort to secure the region’s state, local, and tribal governments from digital threats.
Watters, who covers Alaska, Idaho, Oregon, and Washington for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, spoke on Thursday in downtown Seattle at a government cybersecurity forum hosted by news site Route Fifty. He described his mission in stark terms that any politician can understand: “I’m here to make you more resilient so you don’t end up above the fold in the Seattle Times.”
In the Seattle region, Sammamish officials declared a state of emergency in January after an attack paralyzed city hall. In February 2018, a scammer also duped Yarrow Point’s financial coordinator into wiring $49,284 in city funds to a fraudulent account. Both Skagit County municipality Burlington and the Chelan Public Hospital District were also victims over the past decade.
The Washington state experience tracks with what Kevin Brennan, a special agent with the FBI’s Seattle field office, has observed.
“Ransomware has shifted from the corporate environment to nonprofits and governments,” he said.
The private sector has largely made the necessary investments to secure their systems in light of the toll on profits, he said, but governments have lagged behind and shown a willingness to pay ransoms in the four-to-five figure range. However, with hackers increasingly demanding six-to-seven figure ransoms, he sees an increased need for government officials to beef up their proactive cybersecurity measures.
But cash-strapped local governments struggle to justify those investments. Watters described a hypothetical scenario in which a county IT department — which could be just one person in a smaller jurisdiction — requests $145,000 for an IPS, IDS, and a web proxy.
“The commissioner is going to ask ‘why?’ because they’ve never been hacked,” Watters said. “The correct phase is: You haven’t been hacked yet.”
At the same time, Watters cautioned that purchasing big-ticket cybersecurity products will not solve the problem alone.
“Don’t put in your budget money for a Forescout device at $245,000 and not budget $40,000 to train the people to operate the $245,000 device — or you have a really pretty box that blinks at you,” he said.
Even for relatively well-resourced jurisdictions, simple nudges that affect behavior at the keyboard and keep employees on high alert can be far more effective than expensive cybersecurity bells and whistles.
“We want to make sure the county leaders understand and send the message that we are the first line of defense,” said Snohomish County Chief Information Officer Viggo Forde.
He cited the recent installation of an industry-standard banner on Office 365 that informs users when a message originates from an outside organization. Those kinds of decisions, he said, “start the water cooler and lunch table talk where everyone complains about the banner that IT forces on them.” But those minor annoyances have paid off with several recent near misses from phishing attacks.
“Because of the alert behavior that individuals demonstrated, it allowed us to react much more quickly than we otherwise could have,” Forde said.
Watters, who has worked with dozens of Pacific Northwest governments on improving their cybersecurity, underscored the national resource for local governments facing cyberthreats, the Department of Homeland Security-sponsored Multi-State Information Sharing & Analysis Center.
His counterpart at the Secret Service’s Seattle field office, Assistant Special Agent in Charge Michael Germain, pointed to a regional standout that he advised: Montana-based Flathead Electric Cooperative, which he said faces up to 5,000 attacks daily.
“For an electric co-op, they have a very robust cybersecurity program right down to the linemen who are stringing power lines for them on a daily basis,” he said. “They host biannual training on cybersecurity. That’s their culture.”
If an electric co-op can institutionalize cybersecurity awareness, then it seems any local government entity can take a more defensive posture.
“We have kids hacking things for fun and state actors hacking for money,” Watters said. “Be aware.”