Since 2009, government agencies in America have lost more than 94 million records containing citizens’ information.
In light of the news this year that the National Security Agency is monitoring the online activity of Americans, many in the country have begun to wonder whom they can trust with their information, who might be accessing it on the Web and why. States are entrusted with a wealth of personal data. Just think of the things you have on file in some state database: your Social Security number, driver’s license number, age, home address. The Illinois Department of Revenue likely has your financial information. If you work for the state or take part in a state program, the information could be even more personal, such as medical records. “There’s a treasure trove of personally identifiable information in states,” says Doug Robinson, executive director of the National Association of State Chief Information Officers. “There’s a tremendous amount of information entrusted to state government, and the bad guys know that.”
In many cases, citizens are required to provide this data to state entities. In return, states have the responsibility to maintain the public’s trust by properly protecting it. Failure to do so can result in anything from the theft of personal information to compromises of important infrastructure and national security.
What are hackers after?
As the amount of data that states must protect has grown, so have the attempts to break through their security. “States have become attractive targets for cybercrime and aggressive nation-state hacking and attempts to circumvent network controls,” says Robinson. He estimates that a state the size of Illinois probably sees 30 million to 40 million attempted breaches of its cyber security per month. “It’s a constant barrage of network probes looking for a weak perimeter defense,” he says. Illinois will not release specific information on the number of attempted breaches it faces on a regular basis. “It is fair to say that an enterprise of our size faces a multitude of threats on an ongoing basis,” Chief Information Officer Sean Vinck said in an email. Despite these threats, he says, “the state has not experienced a major security breach in recent years.”
Jonathon Monken, director of the Illinois Emergency Management Agency, says deterring the attacks can feel like trying to plug lots of small holes in a leaky boat. But with all the potential targets in state government, he says, “it’s a ship the size of the Titanic.”
Personal information obtained from hacking into state databases could be used for identity theft or sold. In some cases, it is even held for ransom. In 2009, hackers stole records of more than 8 million patients from a state of Virginia health database and demanded a $10 million ransom. The state refused to pay up and instead brought the Federal Bureau of Investigation in on the case.
Other attackers are not seeking financial gain but just want to disrupt states’ online presence by shutting down or taking over websites. “Many computer hackers are motivated solely by a desire to make mischief, acquire restricted information or cripple certain sites,” says a 2011 report from the National Conference of State Legislatures. The recent rise of hacking activism and online protests has left government entities fearing embarrassing incidents, such as the online activist group Anonymous’ 2011 takeover of San Francisco’s Bay Area Rapid Transit website, myBART.org. The group vowed to seize control of the site the day before it did, but even with the advance warning, BART could not thwart the attack. The site was shut down and defaced, and personal information of more than 2,000 users was released. Anonymous released a statement that the takedown was a response to BART’s plan to shut down cell phone service in several stations to try to deter protestors. The protests were organized in response to a BART police officer shooting a homeless man, who police say had a knife, in the subway.
A 2012 report from Verizon found that 58 percent of data thefts in 2011 were tied to activist groups. “[The] re-imagined and re-invigorated specter of ‘hacktivism’ rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior,” stated the report.
Robinson says states also face growing threats from more sophisticated organized crime groups and international attacks. “Many [hackers] are full-time professionals, motivated by profit and increasingly connected to organized crime or government-bankrolled hacking rings in countries such as Russia, China, Brazil and Estonia,” says the NCSL report. And ever present is the fear of a large-scale attack on infrastructure. Such a hit could come from a hacktivist group or a terrorist organization. In Illinois, as in many other states, the worst-case scenario is considered to be a mass shutdown of electrical service. “Our biggest concern is that impact on infrastructure utilities,” says Monken.
How do hackers get in?
Those seeking to jam up the works and stop a website from operating can use what is called a denial of service attack (DoS). Such an attack is meant to prevent regular users from accessing a website. There are several ways to achieve a DoS. A common one is overwhelming the system with communications requests so that legitimate users cannot log on to the site. Most of us have experienced something similar when we have visited a website that became quickly and unexpectedly popular and could not handle all the new traffic. The site takes seemingly forever to load or cannot load at all. A DoS attack is the same concept, only it is targeted with ill intent. Attackers may use computers that they have taken over using malicious software, known as malware, to aid them in a DoS attack.
Those seeking to actively hack into state systems can do it through security flaws in software. These flaws are found and exploited incredibly quickly, and it can be difficult for states to keep up with installing fixes, known as patches, when they are released by software developers. “Hackers can do this 24/7, and they can spend a lot of time and effort, and they can come up with new threats every day,” Robinson says. “[States] are constantly struggling to catch up. They are doing all that they can. States are always playing defense.” Overall, he says that most successful breaches are made by using relatively simple methods. The Verizon study found that 96 percent of breaches were “not highly difficult,” and 97 percent of breaches could have been prevented “without difficult or expensive countermeasures.”
Several hacking tactics are targeted at users, and most people who surf the Web have come across at least a few of them. They involve fooling users into downloading malware or visiting a website they did not intend to visit. Phishing is a tactic most everyone with an email account is familiar with. It is the email you receive from a distant foreign relative you have never heard of who wants to give you a large sum of money — if you will just provide some personal information or wire him or her a small fee for converting the currency. Phishing emails can also be designed to fool users into downloading malware that will allow attackers to control their computers, access networks they are plugged into and collect information, such as user names and passwords. While your spam folder can attest that there are still plenty of attempts at such awkward and often easily identifiable scams, some phishing has become more refined.
Targeted attacks are known as spear phishing. These efforts focus on one department of an organization, or possibly just a few people. They are emails that appear to come from a trusted source, such as coworkers, the human resources department or technical support. They may prompt employees to enter passwords or personal information or click a link or download a file that contains malware. The Associated Press fell victim to such an attack this spring. Employees received an email that appeared to be from a coworker and contain a link to a news story. The emails called the story “very important” and asked recipients to read it. The AP’s Twitter account was hacked less than an hour after the email went around. The hackers posted a false tweet claiming that there had been explosions at the White House and President Barack Obama had been injured. The fake news caused the Dow Jones Industrial Average to drop by more than 140 points in three minutes, but it recovered after the AP confirmed that the tweet was fiction. “I’ve seen ones that look very legitimate. You’d never know that it didn’t come from a very legitimate, authenticated source,” says Robinson.
Since virtually every state employee in Illinois now has an email account that is tied to a state system, hackers have thousands of potential points of entry for phishing attacks. States are bombarded with junk email every day. NASCIO estimates that about 90 percent of the inbound email that public agencies receive is spam. Robinson says these targeted attacks can be hard to prevent if the emails make it through an agency’s security filters and into the inboxes of employees. “They’ve probably gone through security training and been told not to click on the links,” he says. “But research shows that 20 [percent] to 30 percent of people click on the links anyway.”
Employee error is one of the most common ways confidential data is leaked. Sometimes it happens without an agency ever getting hacked. In July, reports surfaced that the Internal Revenue Service had failed to redact more than 2,000 Social Security numbers from tax data it posted online.
Loss of state-owned hardware, such as smart phones and laptop computers, is another way that personal information gets into the wrong hands. A recent audit found that Southern Illinois University Carbondale lost 257 computers in 2012. The auditor general’s report says that the university has no procedure in place to determine whether the computers had personal data on them. Another audit found that the Illinois Department of Corrections lost track of 156 computers that may contain confidential information. However, an IDOC spokesperson says it is unlikely that any of the computers are actually lost outside of the corrections system. “The Illinois Department of Corrections is following all recommendations of the Auditor General and is thus working with Central Management Services on another inventory. IDOC does not believe these computers are lying around somewhere, compromising security,” Corrections spokesman Tom Shaer said in a written statement. “The department’s work with CMS will determine if the units are still in inventory or, more likely, were properly wiped clean and disposed of, with paperwork simply not completed due to human error with the department short of staff.” According to the audit, the department had not installed encryption software on all its laptops to protect confidential data. The audit also found that employees and former employees had “inappropriate access” to some of Corrections’ offender tracking systems and that the corrections department could not provide documentation to show that it had properly updated or tested its computer recovery systems.
Of course, the growth in digitized data also offers opportunities for states to be more efficient and transparent. “Making government programs and services available to citizens in a more agile, effective or direct way doesn’t necessarily imply taking on undue security risk,” says Vinck. Websites where states can share data with the public, such as data.illinois.gov, allow for more sunshine. Interagency sharing of data, such as health care records, can mean that citizens get better services. Vinck says governments can protect the information that needs to be protected without jealously guarding every bit of data they have. “I’m pretty proud of the fact that I think we’ve gone to some lengths to be extremely transparent.”
In 2012, Illinois received a $1 million federal grant to partner with the Illinois Terrorism Task Force, the Cyber Security Committee and the Center for Public Safety and Justice at the University of Illinois Springfield to create a curriculum for a cyber-security training program. Once the program is completed, it will be used in all 50 states. Monken says the curriculum will help to create a baseline of knowledge about how to avoid breaches, such as choosing secure passwords and avoiding suspicious emails, and how to identify them when they have happened. These two seemingly basic ideas, if well-executed, can go a long way toward improving security. The Verizon study found that 85 percent of breaches took a week to discover, and in 92 percent of the cases, the breach was discovered by an outside party. The longer a breach takes to be found, the more potential damage and loss of data it can cause.
Monken compares the need for reporting from employees to the “If you see something, say something” anti-terrorism campaign started by New York’s Metropolitan Transportation Authority and adopted by the U.S. Department of Homeland Security. “The essence of that campaign is, look for changes in your environment that are inconsistent with your experiences,” he says. Workers should report anything odd, such as being prompted for passwords more than usual or computers that are running unusually slow. “You’re going to know if something is different. It’s just human nature. You’re going to know if something is out of sync with the hundreds of other times you have done it.”
Vinck says that emerging technologies also provide new opportunities for improved security. The state has begun outsourcing some of its technology needs to privately supplied cloud computing services, meaning that the programs and documents are no longer stored locally on state computers but spread out over a network of several computers maintained by a contractor. Vinck says that much like diversifying a financial portfolio, keeping your information in more than one place could mitigate risk. If all of an agency’s info is stored in one place, then it would be more vulnerable to cyber attack or physical threats, such as the server being damaged or destroyed. Also, contractors that maintain security on such platforms as their primary responsibility can be relied upon to make software updates and patch security flaws that short-staffed agencies with other priorities might miss. Robinson says that moving some functions to cloud providers could help combat the uneven execution of security policies that can happen across a multitude of state entities. “The complexity and the diversity of the state government makes it extremely difficult.” Still, Robinson says that given the sheer amount of sensitive and valuable information states have to protect with generally underfunded and understaffed IT departments, they could be doing a lot worse. “They’re doing a fairly remarkable job with the resources they have.”
Illinois Issues, September 2013