Nearly two years later, just how badly were Nevada cops damaged by ‘BlueLeaks’ dump? The answer remains unclear.
Give Shaun Rahmeyer, administrator for the Nevada Office of Cyber Defense Coordination, credit for his candor.
Rahmeyer admits he doesn’t know the depth of harm done to Nevada law enforcement by the massive 2020 hack of the Houston-based web services company Netsential in what has become more commonly known as “BlueLeaks.”
Rahmeyer’s office focuses on protecting Nevada’s cybersecurity infrastructure, which took a little-publicized hit in the Netsential hack.
“There was an impact to the mission,” he says. “Was it substantial? No.”
He follows with a caveat.
“Where there is a greater impact was in the loss of data,” Rahmeyer says. “I can’t speak to the severity of data loss because no investigative reporting has been shared with the state at this point.”
As the FBI continues its confidential criminal investigation, Rahmeyer says the state is working to try to ensure this doesn’t happen again. There are no guarantees.
The Netsential hack, reportedly carried out by activists in response to the May 2020 murder of George Floyd by a Minneapolis police officer, resulted in the Juneteenth release of nearly 270 gigabytes of data from more than 200 police departments, fusion centers, and other law enforcement agencies. By July, the United States had seized a computer server in Falkenstein, Germany, near the border of the Czech Republic, in connection with the breach.
In the wake of the BlueLeaks dump, national news outlets have reported the partial fallout of sensitive and at times embarrassing information from the data breach. Law enforcement web addresses and phone numbers, unedited surveillance video, counterterrorism strategies, intelligence reports, and citizen hotline tips are to be found among the mountain of data.
Civil liberty and privacy rights advocates have criticized the massive collection of data, some of it on citizens not accused of a crime, and have raised the dark specter of a burgeoning American surveillance state.
In Nevada, there has been almost no response, official or otherwise. Although the degree of exposure to state and local law enforcement and its fusion center partners remains unclear, the subject continues to be explored by activist/publisher Sarah Ashton-Cirillo on her Political.tips website.
If the Las Vegas Metropolitan Police Department harbors grave concerns about a breach to the Southern Nevada Counter Terrorism Center (SNCTC), it’s not showing it. The stated purpose of the fusion center, as it’s called by law enforcement officials, is to be able to respond to all incidents—natural and man-made—in Clark County using the combined efforts of staff from 27 different agencies.
Citing the ongoing FBI investigation, Nevada’s largest police department reduces its response to a statement from the public information office that reads in part, “Protecting the community, the agency and yourself from attack is important. We continually monitor our networks and follow best practices as put forth by the Cybersecurity Infrastructure Security Agency (CISA), as well as other partners.
“At the time of the compromise, SNCTC was contracting with NetSential for some of their web services. Since the compromise SNCTC does not contract with NetSential.”
Following the hack, Rahmeyer says Nevada also cut its years-long ties to Netsential and asked the company to scrub its information from the system. One question being asked is whether the company was thorough in its efforts.
“I don’t know at this time how the data was lost,” Rahmeyer says, citing a lack of details being shared with the state by federal authorities.
Nevada didn’t wait around. By late 2020, officials rewrote state guidelines for third-party servers and software vendors.
“And then we moved on to make I think very appropriate changes to better mitigate any future risk to using third-party vendors for state business,” Rahmeyer says. “As part of that adoption process, a new state security policy was revised to better account for the vetting process of third-party software vendors, as an example, to ensure the cybersecurity best practices are being implemented within that organization.”
In addition to improving scrutiny of its vendors and augmenting encryption, the state now mandates that its server system be located within the continental United States. It’s all an attempt to reduce the risk of another data breach in a rapidly changing world.
“It’s kind of a moving target,” Rahmeyer says. “Because the cyber threat environment is extremely dynamic, the best practices are constantly changing and being updated. So, these reflect the most current recommended best practices, but they do evolve and change regularly.”
While realizing it’s little solace following a gargantuan hack of potentially sensitive data, he adds, “No one across the globe has gotten that right yet. It’s kind of an ongoing battle, if you will, to make more people knowledgeable in how to better protect themselves and the organizations they work in and in the communities where they live.”
His candor is as refreshing as it is rare.
The lack of official comment on the extent of damage done to law enforcement methods and procedures, and presumably to ongoing criminal cases, not only fuels speculation and even conspiracy, but makes getting to the bottom of the BlueLeaks trove all the more relevant.
John L. Smith is an author and longtime columnist. He was born in Henderson and his family’s Nevada roots go back to 1881. His stories have appeared in Time, Reader’s Digest, The Daily Beast, Reuters, Ruralite and Desert Companion, among others. He also offers weekly commentary on Nevada Public Radio station KNPR.