After a cyberattack forced a local Alaska government to disconnect its computer systems from the Internet this summer, employees were ready with a Plan B. They picked up pens and paper — and even resorted to typewriters — so that the government could continue its daily work, from collecting property taxes to checking out books at public libraries.
They had practiced for this kind of scenario, which helped ensure the multipronged malware attack did not grind public business to a halt, said Eric Wyatt, the Matanuska-Susitna Borough IT director. “Having these plans and being able to go to paper and pen and manual methods was very helpful,” he said. “We could keep our doors open and continue to provide service to our citizens.”
The focus of government cybersecurity has largely centered on developing cutting-edge solutions — and shoring up basic vulnerabilities — to prevent attacks on IT systems. But as more and more government business moves online, there’s a growing call among security pros and government officials for a different, albeit slightly more fatalistic, approach. Public agencies, this cohort says, should just assume they will be hacked — and practice how to carry out essential functions without Internet access or even computers in some cases.
“Assume the worst,” said Suzanne Spaulding, who was undersecretary for the Department of Homeland Security’s National Protection and Programs Directorate — the agency’s cybersecurity arm — in the Obama administration. “Assume that your adversary has gotten through all of your defenses and has figured out how to cause this kind of disruption where you may, for example, lose access to all the things that you rely on in the networked world, and how could you proceed.”
Kevin Mandia, chief executive of the cybersecurity firm FireEye, advocated for such an approach during a congressional hearing last month on homeland security threats.
Mandia wants senators to “require government agencies to develop and carry out continuity-of-operations plans that practice, even for just 24 hours, going without Internet connectivity while continuing critical functions.”
Sen. Maggie Hassan (D-N.H.), who sits on the Senate Homeland Security and Governmental Affairs Committee before which Mandia testified, told me in an email that his proposal was “worth considering.” She said that seeking to thwart cyberattacks before they hit “should always be our first priority” but also acknowledged that “no defense system is invincible.”
“Emergency preparedness including carrying out drills and real-life exercises can help save lives when terrorist attacks or natural disasters occur, and cyberattacks are no different,” Hassan said. “Both the public and private sectors need to conduct trainings, simulations and planning for cyberattacks — and drills to practice not having Internet access for 24 hours are worth considering.”
Moreover, former U.S. cybersecurity officials said public agencies and businesses should not merely develop contingency plans in case of a cyberattack but carry out exercises to expose and fill security gaps in those plans. Mark Weatherford, a former deputy undersecretary for cybersecurity at DHS, said he worries that some government agencies might develop backup plans to operate in “degraded mode” but may not bother to test them.
“It’s one thing to have a strategy written down in a notebook,” said Weatherford, who now serves as senior vice president and chief cybersecurity strategist at the cybersecurity company vArmour. “It’s another thing to pull that strategy out and say: ‘We’re going to actually walk through this thing.’ ”
Spaulding also called such exercises “critical” and stressed that contingency plans should involve tools that are completely offline to be fully immune from hacking.
“You need to make sure that you have thought about pre-Internet ways of doing your business, and that you don’t throw those things away when you move to take advantage of a networked world,” said Spaulding, now a senior adviser at the Center for Strategic and International Studies.
Spaulding pointed to the restoration of power after a December 2015 cyberattack on the Ukrainian power grid as an example of the usefulness of manual backup measures. The attack caused power outages for about 225,000 customers for several hours. But, as E&E News reported, Soviet-era manual controls allowed power to be restored.
“They got the power back on not by fixing the network, but by getting guys in trucks who knew how the grid was laid out, who went to the places where the breakers had been flipped and they moved those breakers back in place and got the power back on in six hours,” Spaulding said.
And this issue could hit close to home for lawmakers. Mandia in his September testimony sought to stress how far-reaching and unpredictable the damage from a cyberattack could be — by emphasizing the threat to lawmakers themselves.
“Imagine if the U.S. Senate came offline for a day or two from the Internet,” he said. “What would happen? Would you be able to get into the parking garage? Would you be able to even make a phone call from your desk? Would you be able to buy lunch in the cafeteria downstairs? It has a lot of unintended consequences that people have not predicted in the past.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: “The Justice Department announced Friday it had charged a Russian woman who prosecutors say conspired to interfere with the 2018 U.S. election, marking the first criminal case that accuses a foreign national of interfering in the upcoming midterms,” The Washington Post's Matt Zapotosky, Rachel Weiner, Ellen Nakashima and Devlin Barrett reported. “Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of ‘Project Lakhta,’ a foreign influence operation they said was designed ‘to sow discord in the U.S. political system’ by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and National Football League protests during the national anthem.”
My colleagues reported that the complaint was filed late last month and remained secret for three weeks. “Prosecutors said the sophisticated campaign Khusyaynova was a part of ‘did not exclusively adopt one ideological viewpoint’ but instead tried to push incendiary positions on various political controversies on social media platforms,” Matt, Rachel, Ellen and Devlin wrote.
Also on Friday, the Office of the Director of National Intelligence, the Justice Department, the FBI and DHS said in a joint statement that they were “concerned about ongoing campaigns by Russia, China and other foreign actors, including Iran,” to interfere in the 2018 and 2020 elections. Those behind such foreign influence efforts may use social media “to amplify divisive issues” or spread disinformation about politicians “through sympathetic spokespersons,” according to the statement. However, the agencies also said that they “do not have any evidence of a compromise or disruption of infrastructure that would enable adversaries to prevent voting, change vote counts or disrupt our ability to tally votes in the midterm elections.”
PATCHED: Several parts of the 38-page affidavit supporting the criminal complaint against Khusyaynova provide insight into online manipulation techniques, The Post's Craig Timberg, Tony Romm and Brian Fung reported Friday. “Name the subject, and Russian disinformation operatives had a playbook on how to pass themselves off as politically active Americans as they secretly sought to manipulate U.S. voters online — on the right and the left — with incendiary phrases, glib put-downs and appeals to preexisting political biases,” my colleagues wrote.
Russian operatives often promoted both sides of the same divisive issue, and they also took aim at public figures such as the late senator John McCain (R-Ariz.), House Speaker Paul D. Ryan (R-Wis.) and special counsel Robert S. Mueller III, according to Craig, Tony and Brian. “Around August 2017, for example, disinformation operators sought to cast a story about McCain — at a time when he had criticized Trump’s plan for a U.S.-Mexico border wall — as an ‘old geezer who has lost it and who long ago belonged in a home for elderly,’” my colleagues reported. “Russian disinformation efforts sought to use another August 2017 news story to push the narrative that California could perpetuate voter fraud. The same Facebook group cited a conservative news site in its attacks on Mueller, calling him a ‘puppet of the establishment’ and a ‘highly politicized figure.’ ”
PWNED: Saudi Arabia's trolling efforts are drawing scrutiny. “The disappearance of Saudi journalist Jamal Khashoggi more than two weeks ago has dragged the kingdom’s cyber-battles to center stage, with a vast network of Twitter accounts in the spotlight for amplifying Saudi government denials of involvement and hounding dissidents who contradict the official line,” The Post's Louisa Loveluck and Ghalia al-Alwani reported Friday. “Researchers and activists say they have tracked a sprawling web of loyalist social media accounts — real people and bots — that have repeatedly joined forces in times of crisis for the Saudi government.” My colleagues also wrote that the Saudi “online army has worked tirelessly to smear Khashoggi’s reputation.” The Saudi government on Saturday said Khashoggi was killed following a fistfight in the Saudi Consulate in Istanbul. The announcement followed previous denials about his fate.
On Saturday, the New York Times's Katie Benner, Mark Mazzetti, Ben Hubbard and Mike Isaac reported that Western intelligence officials warned Twitter a few years ago about a possible plot involving an employee from the tech company. “Twitter executives first became aware of a possible plot to infiltrate user accounts at the end of 2015, when Western intelligence officials told them that the Saudis were grooming an employee, Ali Alzabarah, to spy on the accounts of dissidents and others, according to five people briefed on the matter,” the Times reported. Alzabarah was fired in December 2015 but the company “could not find evidence that he had handed over Twitter data to the Saudi government,” according to Benner, Mazzetti, Hubbard and Isaac.
— “A virtual chat room the Homeland Security Department will operate on election day will be available to election officials down to the county level and will include unclassified information, the department’s top cybersecurity official Chris Krebs said Friday,” Nextgov's Joseph Marks reported. “When it comes to classified threat information, Homeland Security officials will shift to secure phone calls and video conferences with state and local officials who have been granted security clearances or authorized for temporary clearances, Krebs told reporters following an election security exercise. Krebs and other Homeland Security officials previously described the virtual chat room, called the National Situational Awareness Room, but have not provided details about the scale or content.”
— Sen. Ben Sasse (R-Neb.) warned in an op-ed in The Post on Friday that doctored videos known as deepfakes “are likely to send American politics into a tailspin, and Washington isn’t paying nearly enough attention to the very real danger that’s right around the corner.” Sasse wrote that “one of the most senior U.S. intelligence officials” recently told him that many intelligence leaders “think we’re on the verge of a deepfakes ‘perfect storm.’ ” The fact that deepfakes are relatively easy to create, that foreign adversaries are keen to undermine the United States and that Americans are bitterly divided constitute “three critical ingredients” for such a storm, according to Sasse. “We are so domestically divided right now, about who we are and what we hold in common, that malevolent foreign actors can pick at dozens of scabs as they seek to weaken us,” Sasse wrote.
— “The Affordable Care Act’s federal exchange system for insurance was breached and about 75,000 consumer files compromised, the Trump administration said Friday,” the Wall Street Journal's Stephanie Armour reported. “Suspicious activity was detected early this week in a part of the exchange system that allows agents and brokers to assist consumers with enrollment applications, the Centers for Medicare and Medicaid Services said. The exchange, Healthcare.gov, is used by most states and is where millions of people sign up for health coverage. The breach is likely to raise concerns about the security of consumer data on the cusp of ACA’s open enrollment period, which begins Nov. 1.”
- Palo Alto Networks Federal Ignite 2018 conference in Washington tomorrow.