MILWAUKEE – Power outages. Crashed government service websites. Pilfered personal information from corporate or government databases. A world increasingly interconnected through the Internet also provides numerous opportunities for individuals or groups to visit malice or mischief upon people, businesses, utilities and government agencies.
The focus of Wisconsin’s third annual Cybersecurity Summit was defending the state’s operational infrastructure, such as power grids, information databases, communication networks and utilities. But an underlying theme was expanding knowledge of the adversary, of one’s own weaknesses, and the difference between an attack and a routine system scan.
Gov. Scott Walker opened the summit by noting that cybersecurity has only become more important over the past two years.
“That’s why a session like this is so important,” he said. “The people looking to wreak havoc against us, they’re focused.”
Walker said that the state’s declining unemployment rate could be jeopardized if cyberattacks result in significant economic damage. Byron Franz, a special agent assigned to the FBI’s Milwaukee Cyber Squad, agreed.
“It seems like a bloodless crime, but the blood is there,” he said of cyber espionage. “You just won’t see it for three years.”
Franz discussed insider and outsider attacks. Insider attacks – employees copying or downloading trade secrets for the purpose of delivering them to competitors – have caused significant harm to businesses inside Wisconsin. A firm in Middleton suffered up to $1 billion in lost sales due to an alleged insider theft of wind turbine technology sent to a Chinese firm. An insider at GE Healthcare admitted to downloading 2.4 million files and mailing the information to China.
“Absolutely, positively, we are under attack,” Franz said.
Methods to counter insider threats include daily network analytics to determine who is uploading files to or downloading files from the network, using – and changing – complex passwords, and building partnerships between private and public agencies.
Walker said Wisconsin experiences an average of 2 million attempted cyber attacks each day. One recent example – a March 9 “denial of service” attack claimed by the hacktivist group Anonymous – disrupted connectivity for squad car mobile computers and temporarily crashed city of Madison and Dane County websites.
Maj. Gen. Don Dunbar, Wisconsin adjutant general, said in a taped presentation that Wisconsin has made strides in hardening its cyber systems, but new and sophisticated phishing attacks and coordinated attempts to crack passwords are increasing.
“The state [information technology] professionals do a great job defending against those threats,” Dunbar said, “but with that many attacks, the likelihood that one will get through is high.”
Dunbar emphasized “cyber hygiene” – a five-step method that calls for inventorying network-connected hardware and software, establishing common security settings for the network, controlling administrative privileges, applying current software security upgrades and repeating the first four steps.
David Cagigal, Wisconsin’s chief information officer, said the state is taking steps to protect its infrastructure from cyber attacks – the issue is a point of emphasis in Wisconsin’s homeland security plan. But infrastructure serving Wisconsin does not stop at the state line, meaning a successful cyber attack against another state’s infrastructure can still impact Wisconsin.
“It’s not an ‘if,’ it’s a ‘when,’” Cagigal said. “How will we be able to respond?”
Part of Wisconsin’s proactive posture against cyber attacks is developing cyber defense teams – including the Wisconsin National Guard’s Cyber Network Defense Team – and conducting public-private cyber security exercises. However, Cagigal said there are not enough security professionals in the cyber field.
“It’s the people not in the room that we need,” he explained.
Thomas MacLellan, director of national homeland security and government affairs for FireEye, Inc., compared cyber attacks to asymmetric warfare, and listed nation states and criminal organizations among the adversaries.
“Advanced persistent threats are real people sitting at a keyboard actively trying to get into your system,” MacLellan said. “There’s a very real chance they may already be in your network. Motivation matters – if they want to get in, they’re going to get in. That’s gonna change your posture, gonna change your thinking.”
Those adversaries use social media to profile individuals within organizations, and then target those individuals with e-mails they would be likely to open – e-mails containing malware or viruses that could enter the organization’s information network. Some e-mails contain components of a complete piece of malware, which assemble with other components introduced by other e-mails. Once assembled within a network, the virus executes its programming and then disappears.
“The cavalry really ain’t coming,” MacLellan said. He urged summit attendees to “go hunting” – assume that adversaries are already in the network and root them out.
Robert Lee, a certified instructor for SANS Institute, said bad information can hinder a strong cyber defense. He cited news stories that misidentified industrial disasters as cyber attacks because the news organizations lacked a basic understanding of what cyber attacks are and what they are capable of.
“There’s a lot of hype in the community,” Lee said. “It’s hard to kill hype. It’s not that these APTs don’t exist – it’s that we have to understand exactly what they are and how to address them.”
Some intrusions are for the purpose of stealing data, but others are intended to cause the operator to lose control of a system or even manipulate that system.
“That’s actually pretty hard,” Lee cautioned. “It’s doable, but it’s hard. It takes a lot of effort and a large amount of time.
“The adversary is persistent,” he continued. “But they’re also people, and because they’re people they make mistakes. These folks are not invincible. Defense is doable against these types of adversaries.
“Ultimately, it’s going to take empowered and trained personnel – human operators – to counter other humans.”
1st Lt. Piotr Wlodarczyk and Capt. John Conley are two members of the Wisconsin National Guard’s Cyber Network Defense Team. The summit offered them a two-day practical exercise in testing the cyber defenses of the fictional Alphaville.
“Our role [yesterday] was to break into the city, the library, take over websites, take over the database center, get passwords,” Wlodarczyk said. “Today we reverse the roles.”
Conley said the scenario was realistic for someone without a hardened network.
Cagigal said the purpose of the summit was not to paint a doomsday scenario.
“I am not here to create hysteria,” he said. “I’m here to give confidence that we can prepare, we can defend. We can do this together.”
Walker said the key was for public and private sectors to work together.
“All of us play a role,” he said.