By Mike Denison
Capital News Service
Maryland government entities have suffered at least six cyberattacks since the beginning of 2013, according to incident reports from the Department of Information Technology.
The heavily-redacted reports, obtained by Capital News Service through a Maryland Public Information Act request, reveal that data-hungry hackers and scammers aren’t only going after retailers like Target and Neiman Marcus — they’re targeting state agencies.
“Our government doesn’t move as quickly as the private sector … and the private sector isn’t moving as quickly as it should be,” Sen. Catherine Pugh, D-Baltimore, said in an interview.
The report said a phishing scam that hit the Department of Labor, Licensing and Regulation affected “more than 100 users,” and two other incidents affected an estimated “more than 10 users.”
Elliot Schlanger, the state director of cybersecurity, said specific numbers of affected users are often difficult to pin down, particularly with phishing attacks. Phishing involves sending a large number of emails asking for sensitive information, like passwords, under the guise of a legitimate sender.
Flood of gun applications raised concerns
One listed incident involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services offered to help out with data entry, according to a police press release.
According to a National Rifle Association press release, some state agencies’ computers were not adequately secured to handle gun applications, which include sensitive information.
Elena Russo, director of the police’s communications department, said the incident on the Department of Information Technology report was merely a notification of a potential security risk.
“It was not a security breach, it was not a cyberbreach, there were no hacks and no data brought forward by the Maryland State Police,” Russo said.
Similarly, Maureen O’Connor, director of media relations for the Department of Labor Licensing and Regulation, said that no personnel data was stolen in a phishing attack on her department. However, a malicious program known as a “ransomware” encrypted department information, demanding that money be sent to a specific account to unlock the data.
The attack began when an employee ignored a department-wide warning not to open a suspicious email. O’Connor said the malware was eliminated and the data restored within five days.
The document also said that three Department of Human Resources servers were attacked on Oct. 22. Brian Schleter, director of communications for the agency, said the attack was launched on a department website used to post press releases. No data was compromised.
No substantial disruptions, budget documents says
The proposed budget for fiscal year 2014 notes that no “substantial disruptions” of state network services have occurred since 2011, when records of disruptions began.
The state has taken steps to teach its employees about best practices in cybersecurity. In February, Isabel FitzGerald, secretary of the Department of Information Technology, told the House of Delegates that the department had begun monthly cybersecurity training courses for more than 40,000 state employees and contractors.
“They endeavor to make sure all the employees of all the agencies are aware of the possibilities of attacks,” said O’Connor, who has taken the course.
Audits cite weaknesses
The state’s vulnerabilities aren’t new. The Office of Legislative Audits has outlined weaknesses in several agencies’ cybersecurity plans over several years.
An audit of the state police from February 2009 to December 2011 found that some servers that guarded personal information, including about 176,000 Social Security numbers, were insufficiently secured.
In a March 2013 response to the audit, the police insisted the auditors misunderstood a security measure, and personal information was secure.
The audit also found that police networks lacked systems designed to detect intrusions. The response said that those systems were added after the audit.
Similar audits found more cyber vulnerabilities in the departments of Labor, Transportation and Education as well as the State Archives.
Pugh legislation on cybesecurity
Pugh aimed to promote state cybersecurity even further during the recently-ended 2014 legislative session. She authored a bill to adopt an overarching cybersecurity plan based on a similar document published by the National Institute of Standards and Technology. The Senate passed the bill unanimously, but it died in a House committee.
Pugh said the bill arose out of concerns for the state’s long-term condition, citing the growing amount of information that state entities and contractors transfer online.
A 2012 hack into South Carolina records that exposed 3.6 million tax returns, according to the South Carolina Department of Revenue, encouraged her to make sure Maryland didn’t suffer a similar fate.
“If this can occur in other states, it can occur here,” Pugh said.
The Department of Information Technology’s information security policy currently encourages following National Institute of Standards and Technology recommendations. But Pugh said that her bill would have given state departments incentive to ensure they were actually following best practices.
Professor estimates hundreds of thousands attempted attacks
Costis Toregas, a computer science professor at The George Washington University, warned that the government reports may not tell the full story. He said that there are “probably hundreds of thousands” of attempted attacks on Maryland agencies every day that don’t get public attention.
“We penalize people for coming forward and saying something bad happened … there’s no sharing of information happening,” Toregas said.
According to state information technology policy, agencies do not need to report viruses or malware that have been automatically thwarted by anti-virus software.
The Heartbleed security bug, first discovered on April 7, also may have a serious impact on government operations.
The bug is a vulnerability in OpenSSL, a security protocol used to protect information on about two-thirds of all web servers, according to the technology website Ars Technica. Hackers can exploit the bug to steal passwords and other sensitive information.
Toregas said even if they aren’t vulnerable to Heartbleed on their own, state agencies could still be seriously affected by it if they interact with vulnerable businesses.
“We live in an interconnected world. At some point the government will come into contact with a commercial entity on the web,” Toregas said. “We’ve become too interconnected to draw a rigid line between commercial [and government entities].”
Continuous monitoring, but what are hackers looking for?
Schlanger said after the Heartbleed outbreak, the Department of InformatioTechnology shared strategies to deal with the bug with state information officers, some of which may have affected users. He added that the department would continue to keep tabs on potential fallout from the bug.
“Continuous monitoring of the cyber threatscape is one of the fundamental tenets of our cybersecurity program,” Schlanger wrote in an email.
The Department of Information Technology report also included four incidents that were not cyberattacks, in addition to the police’s risk warning. These included a stolen computer, a former employee sending an email from another’s account, and an employee’s home computer being infected with malware.
What the phishers and would-be hackers were looking for in state agency computers remains a mystery. Mark Cather, director of communications and security at the University of Maryland, Baltimore County, said they were likely seeking employees’ personal information “because they can turn identities into cash.”
Hackers might also have tried to use government computers as a resource, utilizing their processing power to crunch numbers or launch further attacks, Cather said. He added that some may have sought trade secrets or other information worth selling, but it was unlikely because few state agencies make anything with patents or trademarks that would be worth selling.
Regardless of their objectives, hackers aren’t going to leave state agencies alone anytime soon. Pugh hopes that legislators will take a more active role in promoting cybersecurity.
“I look at the government from the perspective of a business,” Pugh said. “What do [we] want the state to look like three years from now? I don’t think we do enough of that kind of thinking and planning.”