As Connecticut awaits more than $90 million in federal funding to shore up state and municipal defenses against cyberattacks, Gov. Ned Lamont warned Wednesday Russian hackers are likely already trying to infiltrate the system.
But the governor said he’s “getting comfortable” with the state’s ability to fend off attacks.
In June, Connecticut hosts the annual Cyber Yankee exercise with National Guard units from the New England states, with the goal of improving coordinated responses in the event of any major cyberattack on critical assets. Last November, Connecticut was one of four states to participate in GridEx along with California, Illinois and Utah, simulating a cyberattack on utilities.
“We tend to focus on utilities and other big, integrated systems where the lights go out,” Lamont said Wednesday during a cybersecurity forum at Fairfield University.
“Think about those attacks that are probably a lot more vulnerable that would have a devastating psychological impact. For example, filtration systems at a local reservoir — not necessarily a high priority when you think of systemic outages, but think what that does to people psychologically, where people say, ‘I can’t drink the water.’”
As Russia positioned military units leading up to the Ukraine invasion, experts warned of the possibility of cyberattacks on U.S. government agencies and key businesses. The Wall Street Journal reported Tuesday that hackers in China gained access to information systems in six states last year.
Lamont said when he took office in 2019, he viewed a cyberattack as the biggest potential threat facing Connecticut residents and businesses, before the COVID-19 pandemic the following year put the state into a prolonged state of emergency.
Lamont and Tennessee Gov. Bill Lee have included cybersecurity among the topics they have prioritized as co-chairs of a pandemic and disaster response task force for the National Governors Association. At the task force’s request, the federal Cybersecurity and Infrastructure Security Agency recently produced a guide for governors in responding to a major cyberattack.
“Ransomware and cyberthreats are scary,” Jen Easterly, director of CISA, said in January to Lamont’s and Lee’s task force. “But what we really need to do is to reclaim that territory, and make cybersecurity — and most importantly cyberhygiene — a ‘kitchen-table’ issue.”
Last year, the state Bond Commission approved more than $11 million in additional funding for cyberdefense, and the Lamont administration expects at least $90 million to be earmarked to Connecticut under the State and Local Cybersecurity Grant Program.
Lamont said the state’s most important step has been the ongoing process of moving data and applications to the “cloud” that had previously been housed in state computer servers, allowing for remote access and also data recovery in the event of an incident.
But internet access opens the possibility of infiltration, denial-of-service attacks or ransomware threats. As the case with many businesses, Connecticut trains state employees on how to recognize “phishing” attacks and other ploys to gain surreptitious access to systems. And the state requires password entries to trigger a second step to authenticate a person attempting to gain entry.
“The most important thing is really defense in depth,” said Jeff Brown, chief information security officer in the Lamont administration. “We have multiple controls if something does fail or somebody does manage to get past something — there’s multiple things after that to be able to catch it.”
Brown said in any debilitating attack, Connecticut could call on other entities like the FBI, consultancies like Accenture, or the the Connecticut Military Department, which oversees Army National Guard and Air National Guard units and maintains a cybersecurity team. Brown said that unit played a critical role a few years ago in helping Hartford deal with a ransomware attack.
Consumers have already been under siege by identity thieves, including a T-Mobile incident last August in which more than 500,000 current and former customers in Connecticut had their information exposed.
The case ranked as the fourth-largest tracked by the office of Attorney General William Tong, after the Equifax breach of 2017 that affected as many as half the state’s residents, and major intrusions several years before into systems of Target and JPMorgan Chase.
To prod more businesses into strengthening their defenses — and by extension protecting more consumers — Connecticut enacted a law last year that shields entities from punitive legal damages, provided they can demonstrate they have invested in effective countermeasures.
“A lot of this is being prepared for an incident, and not assuming that they’re not going to happen,” Brown said. “Cybersecurity … used to be really focused on how do we stop cyberattacks from happening. It’s the same way you stop crime from happening — you don’t. You manage it and you react to it and you respond to it, when it happens.”
Includes prior reporting by Verónica Del Valle and Mary Katherine Wildeman.
Alex.Soule@scni.com; 203-842-2545; @casoulman
Click Here For The Original Source.
————————————————————————————-