Nevada's Cyber Insecurity
ANALYSIS
For one weekend every year Las Vegas blooms into the epicenter of cybersecurity. The world’s top cybersecurity talent converges at the Black Hat and DEF CON hacking conferences that bring together leading white-hat, black-hat, NSA, and other technology wonks at a no-holds-barred gathering of the global cyber brain trust.
More than 30,000 of them occupy more than 83,000 hotel room-nights and come to listen to speakers talk about hacking-related topics, play a hacker’s version of capture the flag, and compete for top prizes against artificial intelligence programs. They attempt to hack the hotels they are staying in. They find, and often solve, the greatest cyber challenges we face as a nation. And then they leave. And Nevada returns to its barren desert landscape of technological vulnerability.
In 2015 and 2016, we saw national-level hacks of the Democratic National Committee, the Office of Personnel Management (OPM), and Quest Diagnostics. The last two resulted in the breach of the records of almost 22 million people. With the OPM hack, the records of millions of members of the military and intelligence community were exposed. Federal government and corporate systems are vulnerable.
Nevada is no different. While our state is home to Area 51, Creech Air Force Base – the home base of U.S. military drones – and many other highly sensitive cyber-related enterprises, we remain woefully lacking in preparedness against any kind of cyber attack.
Nevada saw hacks of the Las Vegas Valley Water Authority in 2016, the Las Vegas Sands Corporation by Iran in 2014, and possibly our 911 systems in 2015. Yet in the face of a tidal wave of headlines, the State of Nevada allocated zero dollars to cybersecurity and “persistent cyber threats” for 2015-2017 in the budget. The state budget also decreased funding for Information Technology (IT) cybersecurity training to less than $15,000 a year. Nevada’s IT security department employs eight people (22 if you fudge the numbers and count Enterprise IT and the CIO’s office) – a number more fitting for a neighborhood Kinko’s.
The creation of the cyber security subcommittee of the Nevada Department of Homeland Security (DHS) was not even discussed until 2014. Under the leadership of Chairman Mark Hutchison it did not have its first meeting until 2016. It has only met three times since, despite a desire on the part of some committee members to meet more often.
Oddly, this committee has made funding Washoe County’s cyber security project a “high” priority via the creation of an 18-month study, rather than mapping Nevada’s current, real-time cybersecurity gaps against the state of Virginia’s gold-standard model for state-level cybersecurity practices, which could then serve as a blueprint and jump-start this critical process.
Hutchison is on record as follows: “Concern was presented by Chairman Hutchison on having the Cyber Security Committee (CSC) present any advice that would be at odds with what the Governor may want.” Oh? Why gather a roomful of the state’s leading subject matter experts only to subjugate their recommendations? To date, for the record, our CSC has given us: No mission statement. No vision. No top cybersecurity advisor with necessary authority. No emergency response plan. This despite the fact the National Governors Association has made cyber security its number one priority in the 2016-2017 term.
Mercifully, in Governor Sandoval’s State of the State address earlier this week he said, “I have allocated $3.5 million for the creation of Nevada’s first Cyber Defense Center run by Nevada’s first Cyber Defense Coordinator.” This is welcome. However, the Governor’s budget seems only to allocate around $876,000 to create the cyber defense office — and that amount is to be spent over two years for the employ of four people.
If, as the Governor said, “The Cyber Defense Center will help Nevada detect, prevent, and respond to cyber-attacks and stand ready to partner with local governments and the private sector to minimize cyber risks,” then both the amount of funding for the Office of Cyber Defense and the $3.5 million figure are wholly insufficient.
I could find no public record of the CSC advising the executive branch on this issue. Did they have input into Gov. Sandoval's decision to fund a cyber defense office? Will they work in tandem with that team? Will either entity have continuous relationships with all private companies and local governments in the state? Will they monitor the web traffic going to all companies for viruses?
There is also no legal vehicle for this cyber defense center. Will it be the equivalent of a fire department? Will it only be advisory? Have liability issues been considered? In other words, is this announcement simply the policy equivalent of vaporware?
In a recent survey of state-level Cyber Information Security Officers (CISOs) cited in the 2016 Deloitte-NASCIO cybersecurity study, inadequate funding was named as the top barrier to addressing challenges, followed by lack of access to expertise and lack of documented processes.
We have already seen the consequences of inaction and ineptitude in this area. In December, the state-run website housing the portal for applying for medical marijuana business licenses was found to be poorly designed – with seemingly little regard for information security – revealing 11,700 applicants’ names and Social Security numbers, as well as driver’s license numbers, height, weight, eye and hair color, addresses, and phone numbers. (The site was immediately taken down, and stayed down through Friday, Jan. 21, 2017.)
How eager will businesses and individuals be to invest in Nevada if their basic personal data cannot be kept safe when they submit applications containing confidential information to our state’s agencies? If we wish to reap the benefits of investment and economic growth attendant to legalizing entire new industries, we should try not to shoot ourselves in the foot in the process. Information security is foundational for economic and job growth.
It has taken more than three weeks for some of the people involved in this issue to answer my most basic questions. I hope that is not an indicator of future inattention to this issue.
Many residents in Nevada believe that, should a cyber incident happen, the federal government will be there to backstop us. Nothing could be further from the truth. There will be no cavalry.
The federal government is struggling to get its own house in order. While the DHS offers some support to state and local governments, it is underfunded, understaffed, and under-mandated. No one knows exactly what they are supposed to do in the event of a state cyber incident. Presidential Policy Directive 41 provides some insight, but questions remain.
What even constitutes a cyber incident? Much of our critical infrastructure is in the hands of the private sector, yet the private sector has been loath to allow more transparency and oversight on the part of the government, even on issues of cyber security. A hack at one of our critical infrastructure enterprises recently was resolved only due to the pity and good will of an FBI field agent.
While the FBI comes in to investigate in cyber matters, they cannot advise. The FBI is first and foremost a law enforcement organization. They are there to collect evidence and find criminals, not help resolve the situation. That generous FBI agent I mentioned was kind enough to pass on what other enterprises had done to resolve similar situations in the past.
And what about the National Guard, you may ask? In many states, the National Guard plays an important role in coordinating cyber defense and resilience between the private sector, governments, and households. As of the original writing of this article, when I went to seek information, the Nevada National Guard website was down (type in http://www.nv.ngb.army.mil/nvng/ to see the “500-Internal server error” message I received).
Yes, folks, we are on our own.
Heather Murren served as a Commissioner on the White House Commission for Enhancing National Cybersecurity, a 12-member commission charged with identifying the steps our nation must take to ensure our cybersecurity in an increasingly digital world. The commission report was submitted December 2nd, 2016 and made recommendations relating to consumer rights and responsibilities in the digital age, the internet of things, building cyber workforce capabilities, and better equipping the government to function securely and effectively in the digital age, among others.
Murren will be volunteering her time and expertise to The Nevada Independent as an analyst and special correspondent. You can read more about her in this welcome post by our editor, Jon Ralston.