States ‘Unprepared’ for Cyberthreats, Legislatures Told
States should worry about the vulnerability of their utilities and other infrastructure to cyberattacks, cybersecurity experts said on a panel live-streamed Thursday from the National Conference of State Legislatures Summit in Chicago. “We are unprepared,” said Integrated Justice Information Systems Institute Director of Operations Ashwini Jarral. A December attack that knocked out power in Ukraine was an attack on the types of utilities, equipment and systems for which U.S. states and their public utility commissions are responsible, said Andrew Bochman, Idaho National Laboratory cyber and energy strategist.
“We have a huge gap today between the technology innovation and the policy,” Jarral said. “If we are going to -- collectively as a community -- try and address some of the cyberthreats, we have to bridge that gap of technology to policy.” An increasingly connected world means increased risk, and the number of hacks on federal agencies has increased dramatically over the past 10 years, he said. Most public safety agencies are aware of the threats, but they often have no risk management framework, he said. Often, they don't have control of their infrastructure and lack resources to bring in the skills to address the challenges, he said. With budget shortfalls, cybersecurity policy often isn't a high priority, he said.
States should consider lessons learned from previous cyberattacks and look at national cyber policy as a model for protecting infrastructure, said Jarral. “We need to talk in a mission context. We need to work with executives to understand how deep this problem is. We need to educate them. We need to come up with a model policy [so] that we can collectively work and address some of the challenges that our state and locals face.”
“There’s no way of truly preventing every attack,” said Joseph Demarest, an Ernst & Young executive director and former FBI Cyber Division assistant director. “The actors are skilled, they’re trained, financially supported and they’re patient,” he said. They target “not only our technology systems but also our people and the processes we use for certain key functions within government today.” Adversaries who have targeted state entities include nation states, hacktivists, criminals and insiders, he said. Attackers sponsored by nation states have targeted people within organizations through “spear phishing,” emails aimed at specific people by incorporating research on the target to make the emails seem legitimate, and even by scattering malicious USB sticks in parking lots and waiting areas for unwitting employees to pick up and plug into their computers, he said.
Vermont Rep. Curt McCormack (D) asked during Q&A if growing dependence on computers and connected systems is the problem: “Can’t we at least get back to a mandate that utilities have manual systems and protocol always ready on a moment’s notice to bypass the computer?”
It’s good to be a “selective Luddite,” replied Bochman. “For certain things, that attitude and that opinion is extremely appropriate these days, and how to get there is the magic trick.” The targets of the Ukraine attack were distribution utilities that bring electricity into towns and cities, he said. One reason utilities recovered quickly was that they had only recently begun digitizing control systems, he said. “The personnel who were used to doing it in a more manual fashion were still there. … They hadn’t been completely replaced by automation. And this is a big feather in their cap.” The U.S. is very different than Ukraine, he said, “and it will be highly nontrivial to start to move in that direction.”