Nearly a dozen government institutions throughout Indiana have reported a cyberattack in recent years. To fight back, state and local government officials are taking a page from the enemy’s playbook by expanding protections against attacks from one entry point to thousands.
This past summer, the Indiana Secretary of State’s Office entered into an agreement with California-based FireEye Security to provide counties with desktop and email protection, as well as 24/7 live network monitoring.
The effort initially focused on clerk’s offices and elections-related personnel but broadened this fall to include all end points. Using federal funds, the secretary of state is providing FireEye’s capabilities to all 92 counties at no cost for three years, saving each of them hundreds of thousands of dollars in protection and reconstruction costs. About 25 counties have signed up so far.
Deputy Secretary of State Brandon Clifton said his office’s decision to blanket all end points dates to December 2015, when a worker at a Ukrainian electric power distribution company looked up at his computer screen to see the cursor seemingly moving under its own power.
The bad actor—or actors—who had gained control of the computer shut off scores of energy grids to plunge 225,000 people into the cold and dark, according to the U.S. Department of Homeland Security.
“They did that by targeting vendors or offices three or four degrees removed from the energy offices,” Clifton said. “That scenario is just critical in understanding this FireEye project. The intelligence shows foreign actors and adversaries will remain patient; they’ll watch and wait and do their research on what their ultimate target is.”
Since then, cyberattacks closer to home have awakened local government leaders to the real threat of remaining unprotected.
In 2016, voting systems in Illinois and Arizona were compromised by hackers. In Indiana, Madison County officials resolved a November 2016 attack after weeks of disruption and thousands spent on an outside consultant by eventually paying the $21,000 ransom.
Later that month, the Indiana Department of Veterans Affairs office in Howard County was taken offline for about three hours as employees worked overtime to recover 76,000 files encrypted by ransomware.
Clifton said it was around that time that election security became a top priority in Indiana.
In 2017, the U.S. Congress authorized distributions under the 2002 Help America Vote Act to help states bolster election security. Valerie Warycha, deputy chief of staff for the Indiana Secretary of State’s Office, said state officials chose to spend about 90% of Indiana’s $7 million allotment to partner with FireEye.
The program began as a seven-county pilot providing advanced software to elections employees. In addition to going statewide, the expanded program includes new security features for all end points in a county. Those include software to fight off viruses and malware, a tool that alerts a 24/7 operations center to potential threats, and a limited number of email filtering licenses for critical users.
Not all counties in Indiana are starting with the same protections. Some lack the personnel to conduct training, while others are unable to set aside the funding necessary to plug security gaps.
“You look at some of the smaller counties, and they may have one IT staff or two, or maybe they even outsource that to a company handling multiple counties,” said Chris Mertens, Hamilton County’s information technology director. “Their focus is just operational, just to keep the lights on.”
In contrast, Hamilton County has 25 IT professionals who work to secure the county’s more than 1,100 vulnerable end points.
For the past three years, Mertens said, county employees have been required to spend 10-15 minutes each month completing a web-based training program. The county also sends out mock phishing emails every quarter to test whether employees will click a link from UPS or FedEx requesting confirmation for a package they never ordered.
Mertens said the back end of the network has been configured to allow only approved traffic from outside the United States. The county also upgraded its firewalls last year with software that can detect new threats using artificial intelligence.
While installing those firewalls, Mertens said, Hamilton County pre-paid nearly $100,000 to install new antivirus and malware protections on every end point in the county for three years—almost exactly what FireEye is now offering for free.
“If we had known about this maybe eight months earlier, we would have avoided that hundred-thousand-dollar expenditure,” he said.
Even with those protections in place, Mertens said, the county has been victim to two isolated ransomware attacks. That’s why Mertens said he was glad Hamilton County had the opportunity to install two of FireEye’s 24/7 monitoring tools, one on each of the county’s firewalls.
“We have to be right every time. The hackers only need to be right once, and they try thousands of times,” Mertens said. “That’s why, even though we have a lot of these components in place, we can take advantage of those other components. It just becomes another layer of security for us.”
Closing the gap
Howard County, one of the original seven pilot counties, has already seen FireEye’s added layer of protection pay off.
IT Director Jeremy Stevens said he received a report a couple of weeks ago that said FireEye’s network monitoring had identified and blocked a suspicious email that had gotten past another firewall the county has been using since it was struck by a ransomware attack in April.
“In cybersecurity, no one thing can stop everything,” Stevens said.
Having been hit twice since 2016, Howard County now pays $20,000 a year for an upgraded antivirus with anti-encryption components and a team of professionals to monitor all activity on the network, Stevens said. Through security training, he has also been able to reduce the number of employees who fall for the county’s monthly mock phishing emails from 8.7% to 1.9%.
Stevens also serves as president of the Indiana Government Technology Leaders Association, where he promotes collaboration among local government IT leaders.
He said local government agencies are great targets, not necessarily for the money they have or the data they collect, but for their digital connections.
“The bad guys, they want to get access to these state and federal databases. [The federal databases have] got pretty good shields, but each county agency has got connections to those databases,” Stevens said.
“The high-end databases may be protected themselves, but at a county level, they’re not all created equal. That’s a way into the system that’s easier than attacking it straight on.”
Stevens said the state’s partnership with FireEye aims to address the gap between state and county protections by making sure each local government has at least the bare-minimum level of protection.
Not every local government is interested in adding another layer, though.
Ken Clark, chief technology officer for the city of Indianapolis and Marion County, said in a written statement that his offices weren’t planning to take advantage of FireEye’s cybersecurity products.
“For the products they are offering today, we already have long-standing relationships with other vendors to provide the same or better services for the city of Indianapolis and Marion County,” he said.
“But as each of our own tools come up for evaluation annually, we are looking to see if the FireEye products better meet our needs.”
Election hot seat
Industry experts say counties must keep their guard up, especially as 2020 elections approach.
“We have even seen a major increase in the targeting of state and local government organizations, most likely because they have fewer resources than the federal government,” FireEye Senior Vice President of Global Intelligence Sandra Joyce wrote in the company’s latest annual report.
Kapersky, a Moscow-based multinational cybersecurity provider, said in a November report that at least 174 municipal organizations were targeted by ransomware in 2019—a 60% increase over 2018.
Among those was LaPorte County, where officials paid a $130,000 ransom in August to avoid an otherwise costly recovery.
“Once some governments were hacked, it became apparent that they were vulnerable,” Mertens said. “You’ve seen many governments start to pay. That, then, fuels the fire [of hackers] even more.”
Patrick Glover, director of information security for the Secretary of State’s Office, said FireEye’s protections are some of the best in the world.
However, counties have an average of 500 end-point users, and any one of those employees could be exploited through phishing attempts or other malware.
So, in addition to the new software and appliances, each user plays an important role in protecting against hackers.
“Potential bad actors taking this as a challenge is, I think, an everyday battle,” Glover said. “The thought—and the way—to combat that really is to always be cognizant.”•