Governors who gathered in Rhode Island for their semiannual meeting this weekend got a chilling warning from the tech experts who know best — the hacks and cyberattacks they’ve seen so far are just the beginning.
Hacks on state systems could expose personal medical records and income tax information, or give a foreign government access to sensitive, defense-oriented research projects from a public university. In a talk before the governors on Saturday, Tesla CEO Elon Musk even raised the prospect that a hack could start a war if an enemy commandeered an official email system and started sending fake press releases.
“The actions we saw last year as it relates to Russia and other nation-states is only the beginning,” warned Democratic Virginia Gov. Terry McAuliffe, who spent the past year chairing the National Governors Association and made cybersecurity his main focus. “They want to ramp up, and they’re going to go after that state data.”
McAuliffe praised states for taking action in the past year to strengthen their defenses, from issuing executive orders to launching cybersecurity task forces. In Nevada, Gov. Brian Sandoval sponsored and ultimately signed a bill creating Cyber Defense Center, and welcomed Department of Homeland Security personnel who inspected the security of the state’s voting systems ahead of the 2016 general election.
The two governors have gone to Washington D.C. and lobbied for a standalone cybersecurity committee in Congress to address the threat. McAuliffe said the responsibility is spread out over several committees because leaders don’t want to give up portions of their jurisdiction.
“Putin must be sitting back today laughing at what’s happening,” he said. “It could be Russia today; it could be China tomorrow.”
Above all, McAuliffe warned his colleagues against letting their guard down in the face of an ever-evolving threat.
“Although these are great accomplishments, you must never, ever become complacent,” he said. “Criminals and foreign adversaries will continue to pursue vulnerabilities in our defenses that will harm our citizens, cripple our critical infrastructure and steal our resources.”
Election system hacking
Among the most troubling potential targets are voter databases. A report last month indicated Russian hackers breached election systems in 39 states, and investigators in Illinois reportedly found evidence that the intruders tried to alter or delete voter information.
The Virginia governor said he’s pressed federal officials to release a list of names. Some states fear the embarrassment of being publicly named, he said, but the list should be public.
“I don’t know if Virginia is on the list but I think I should know that,” he said.
In Nevada, Secretary of State Barbara Cegavske’s office has said it’s not aware that it was targeted as part of the breach. It has also tried to dispel concerns that voting machines themselves are subject to hacking, pointing out that they are not connected to an online network.
Sandoval, who met with Department of Homeland Security John Kelly on Thursday during the NGA conference, said election security — along with the need for more federal emergency response money for Las Vegas — were among their topics of conversation.
The governor revealed that DHS officials had conducted an inspection of Nevada’s voting systems ahead of the 2016 general election and affirmed that they were secure from hacking. Leading up to the vote, Donald Trump had floated the idea of widespread voter fraud and election rigging.
“I encouraged the secretary of state to accept the help and she did,” he said of the inspection, which happened in several states. “They went through it before the election and said that our voting systems were secure. I thought that was a prudent thing to do.”
One of the toughest tasks in the battle against hacking is finding enough qualified people to fill cybersecurity jobs. McAuliffe said Virginia currently has 36,000 such jobs open, and the starting pay is $88,000 a year.
The job typically requires an associate’s degree or something even less, such as a cybersecurity certificate. Virginia has expanded cybersecurity apprenticeship programs and promises to pay tuition for cybersecurity students who work for the state for at least two years.
In a panel discussion on the topic on Friday, one security expert who previously worked at the Department of Defense pointed out that governments often shoot themselves in the foot by making their hiring procedures so complex that they’re unable to lock down talented workers. Some don’t have online job portals or easy ways to bring willing employees on board.
“When I walked out of the Pentagon, the national security issue I was most worried was not ISIS, was not Iran, was not Syria,” said Matt Spence, who’s now a partner at Silicon Valley venture capital firm Andreessen Horowitz. “It was about is whether we are equipped in our government to open the door to the most talented people to work for us.”
Spence said he thinks an “enormous” number of IT professionals would willingly leave the more lucrative private sector and take lower pay at a government job because they are “mission-driven people.”
Nevertheless, tech jobs have proven to be some of the hardest to fill for Nevada. State lawmakers recently voted give a raise to state IT professionals, above and beyond the cost of living increase that all state employees received, because salaries were thousands of dollars below that of comparable local government and private sector jobs.
Defending against the threat
While hiring is important, one expert advised the governors that they need to build protections into their systems so they can weather inevitable attacks.
“The cyber threat evolves so quickly. Although it’s important to increase our cyber workforce across the nation, at the end of the day we’re probably not going to be able to out-hire the threat,” said Wes Kremer, president of Integrated Defense Systems at Raytheon. “It really becomes one of the key things to design a cyber-resilient architecture.”
Kremer said states need to design their networks so processes can keep going in spite of the threat.
“You have to be able to operate through a cyber attack,” he said. “Maybe it’s in a degraded mode. But we can’t afford emergency services or medical services to shut down during a cyber attack.”
With limited state budgets, experts recommend prioritizing data protection measures based on the sensitivity of the information in question. McAuliffe said part of the problem is that many governors don’t know what kinds of sensitive information are even in their care.
As administrators of Medicaid, states have an enormous amount of health information and interface with all sorts of providers whose systems could serve as a “back door” for hackers, he warned. From there, the intruders could access systems in other states.
“The first thing anybody should do is find what data you have in your state,” he said. “We’re only as strong as our weakest link.”