State, Local Cyberdefense Lacking, Say Security Officials
States and local governments need to have a “seat at the table” as Congress mulls new cybersecurity measures for owners of critical infrastructure, said Pam Walker, director of government affairs for the National Association of State Chief Information Officers (NASCIO). Walker and other cybersecurity professionals on Monday discussed the important role that states must play in shoring up the nation’s cyberdefense at the National League of Cities conference.
The state and local governments that operate U.S. critical infrastructure would be directly impacted by the Senate Cybersecurity Act (S-2105), said Walker. S-2105 defines a U.S. system or asset as covered critical infrastructure if a cyberattack against it could interrupt life-sustaining services sufficient to cause a mass casualty event or mass evacuations, catastrophic economic damage to the United States or severe degradation of national security (WID Feb 15 p1). That means that if the bill were passed in its current form, the secretary of Homeland Security would be authorized to oversee security upgrades for states and local utilities whose critical infrastructure performance requirements are lacking. “Whatever comes out of this we want to make sure that states and local [governments] have a seat at the table to help craft these regulations, because it will impact us,” she said.
A “tremendous problem” that prevents cybersecurity at the state and local level is the large quantity of online passwords that public officials must keep, said Thomas Duffy, executive director of the Multi-State Information Sharing and Analysis Center (MS-ISAC). “We all have a hundred passwords now,” he said, “and users are reusing their passwords so they can remember them.”
Last June the “hacktivist” groups AntiSec and LulzSec exploited the password problem to breach state government systems in Arizona, Duffy said. He explained how hackers targeted the personal email accounts of Arizona state policemen through their local Fraternal Order of Police website. The hackers were able to gain access to user names and passwords from the compromised site and then use the same passwords to access the computer systems of the Arizona Department of Public Safety. “The state systems were secure but the users were reusing the passwords,” Duffy said. “That is something we have been seeing ever since … there has been approximately one case per week.”
The threat landscape is growing internationally, Duffy said, particularly from Eastern European cybercriminals who actively seek to steal municipal funds through the Internet. Duffy told how a New York school district near Albany received a call from its bank about an $800,000 wire transfer going to the Ukraine. The school officials said “‘No, we didn’t authorize that, can you cancel that?’ The bank manager said ‘sure … but what about the transfer yesterday for $700,000, and the transfer Monday for $600,000?’” Duffy said the school’s credentials had been compromised by Ukrainian hackers via the Web, “and that can happen very easily.”
There are solutions to the password problem, Walker said. State and local officials can choose from a host of smart phone password apps like Keeper, mSecure, Wallet and oneSafe, that keep passwords and user name info secure and at one’s fingertips. But even those aren’t foolproof, said Walker: “I forgot my password to the app.”
DHS can help by offering free services to states like cybersecurity evaluations, exercises and training, said Kelvin Coleman, director of state, local and tribal engagement for the Department of Homeland Security’s National Cyber Security Division. “We are sensitive to the financial situation happening at the local level. These services are no cost -- free to you.” Coleman said that DHS will also partner with states and towns to offer cybersummits that help bring awareness to local officials, businesses and citizens.