Nobody knows how many successful cyberattacks have happened in Idaho over the past year. Not the county and city IT directors who look after the individual systems, not third parties that track cybersecurity data, not even the state’s chief information security officer.
“It’s hard to tell because you don’t have control or visibility on a lot of these organizations,” said Lance Wyatt, the state’s chief information security officer.
The most recent incident in the region may have happened to Eastern Idaho Community Action Partnership in May. An employee’s compromised email sent out a series of other emails with links to a “OneDrive” document that contained malware.
The agency’s Microsoft email settings automatically shut down the affected account within minutes and IT director Ace Ballard restored the account’s settings. Ballard said it was the first successful attack in his two years working with EICAP but far from the only attempt. Like many public entities, the agency receives phishing scams and spoofed emails on an almost weekly basis.
“It’s been a problem for everyone for the last five years but the attacks have definitely increased more in the last year or two,” Ballard said.
The gold standard for tracking hacking trends is Verizon’s annual Data Breach Investigations Report. In 2018, the report logged more than 23,000 hacking-related incidents aimed at governments or public entities in the United States. Those attacks accounted for 16 percent of all incidents tracked by the report, and Verizon warned that the number of yearly incidents is likely to increase.
“When there is enough detail to derive breach timeline metrics, the data shows that breaches in the public sector are taking months and years to be discovered,” the report said.
Over the next few months, two new programs are being rolled out on a statewide level to deal with cybersecurity. One is aimed at training agencies how to avoid phishing scams and other hacking attempts, while the other makes sure the state can react to any attack that does occur.
Phishing and training
Phishing attacks, where emails are sent from supposedly reliable accounts with links to malware that can compromise an email account or computer network, are the most common kind of attack. Around 30 percent of all successful data breaches last year were caused by a phishing attack, according to the Verizon report.
“All over the country, all over the world, people are falling for phishing emails and things like that,” Teton County Director of Information Technology Greg Adams said.
Teton County is one of the counties that has been testing a security awareness campaign from Idaho Counties Risk Management Program, the state’s local government insurance pool. The agency hosted an online training for computer risk management last summer, but recently rolled out the program to all the counties it covers.
Executive Director Timothy Osborne said the program’s focus is on creating a “human firewall” of trained employees to battle against phishing email scams and spoofed email accounts that imitate the email address of another coworker or trusted contact.
“With public entities, most of the information the workers have about themselves is public. You can go online and see their names, job titles, phone numbers, email addresses — everything that could be used by a scammer,” Osborne said.
The effort will roll out from the county level to cities later this month and, eventually, reach school districts. Attacks against school districts have grown increasingly common and costly — a phishing attack against Teton School District last year stole $784,000 in fraudulent payments. ICRMP eventually paid for $300,000 of that loss while the rest was recovered from a bank in Texas.
The Idaho Counties Risk Management Program’s cybersecurity training efforts include sending test emails to employees, luring them into clicking on a suspicious link that could be used for a phishing attack. Instead, the link pops up a message warning the employee of their mistake and logs the incident for the Idaho Counties Risk Management Program and the local IT director to track.
“It scared the heck out of the county employees, which I guess is a good thing,” Adams said.
The Risk Management Program also provides the counties and cities with tools to prevent attacks. One of those is a browser add-on icon shaped like a fishhook. If a county employee receives a link that concerns them, they can highlight the link and click on the fishhook icon to immediately report the incident for investigation.
Eastern Idaho Community Action Partnership is not covered by the Idaho Counties Risk Management Program’s training program. Ballard said the agency has enacted several measures to protect the accounts of the high-level workers who are often targeted and hopes to conduct its own internal phishing test.
Incident Response Program
Idaho’s Office of Information Technology Services was launched in 2018 to prevent and respond to attacks across the state.
Communication problems with other groups and agencies have sometimes gotten in the way of the office’s work. Idaho’s legislative website was briefly taken offline last May by an attack from the Italian hacker collective AnonPlus. In some cases, the department only found out about hacking incidents after a press release was sent out.
Diego Curt is the chief compliance officer for the state of Idaho. During his time as the deputy chief information security officer last year, he started work on a new platform that would allow the state to log and track every incident of hacking that affected a government entity.
On Thursday, the department unveiled the policy behind an incident response program that would organize the responses to cyberattacks against public agencies.
“The vision is to unite Idaho. We’ve had enough of these ransom attacks, enough of these isolated pockets,” Curt said.
Currently, Wyatt said the reports that counties and other agencies send to the state office vary drastically in the details included.
“Right now it can take a number of forms. It could be a full report or it could be a blurb saying ‘We got malware.’ There’s no way to tell a story about what happened based on that,” Wyatt said.
The incident response program was created using two open-source platforms, one of which is the VERIS system created by Verizon to improve its data breach reporting. Filling out the report involves using a drop-down menu to give an overview of what happened. Was the breach from an internal source or an external attacker? What type of attack was it?
To Curt, the worst-case scenario for Idaho is a hacker targeting a major government agency, such as the Transportation Department, and holding its computer access for ransom. A similar incident in Baltimore locked employees out of government emails and records for several weeks in May.
At the time of the Baltimore hack, National Public Radio reported that at least 20 other municipalities across the country had been affected by similar .
Curt said the state doesn’t need to know every detail about what information was affected, a privacy concern that keeps some hacks from being reported quickly. The program is interested in logging attacks of any size against a state-related group and getting the full picture of the current state of affairs.