🏛 The Cambridge Record
Search ▸ Communication to the City Council

a communication from Councillor Kelley, transmitting a memorandum regarding Cybersecurity

From City Clerk Donna P. Lopez·Council meeting Jun 25, 2018·15 pages·📄 Original PDF (city portal)
CAMBRIDGE CITY COUNCIL Craig A. Kelley City Councillor CITY HALL, CAMBRIDGE, MASSACHUSETTS 02139 [phone removed] FAX: [phone removed] TTY/TDD: [phone removed] EMAIL: ckelley@cambridgema.gov To: Donna Lopez, City Clerk From: Craig A. Kelley, City Councillor Date: June 21, 2018 Subject: Memorandum Submission Please place the attached memorandum, “Cybersecurity: An Overview”, on the City Council agenda as “Communications and reports from Other City Officials” for the June 25, 2018 meeting. Thank you.
CAMBRIDGE CITY COUNCIL Craig A. Kelley City Councillor CITY HALL, CAMBRIDGE, MASSACHUSETTS 02139 [phone removed] FAX: [phone removed] TTY/TDD: [phone removed] EMAIL: ckelley@cambridgema.gov MEMORANDUM To: Cambridge City Council From: Craig A. Kelley, City Councillor Mark Gutierrez, Council Aide Date: June 25, 2018 Subject: Cybersecurity: An Overview 1. Introduction Cybersecurity is no longer just an IT problem. Common threats like data theft, extortion, and vandalism are increasing and diversifying through evolving hacking software that allows more sophisticated attacks including disruption of infrastructure, disinformation, market manipulation, and espionage.1 The U.S. Department of Homeland Security recognizes “As information technology becomes increasingly integrated with physical infrastructure operations, there is increased risk for wide scale or high-consequence events that could cause harm or disrupt services upon which our economy and the daily lives of millions of Americans depend.”2 Cyberspace is the field of non-physical information storage and transmission, their networks, and the tangibles they rely on. Cybersecurity is the protections and overall security of cyberspace.3 It’s easy to think of cyberspace as strictly digital, considering the popularity of “the cloud,” digital devices, and WiFi, but the digital world is astonishingly physical. Physical attributes include cables, data centers, and a half-million miles of transcontinental submarine fiber optics lining the ocean floor, reaching as deep as Mount Everest is high. These cables and centers are subject to cybersecurity risks, as displayed by espionage and wiretapping during the Cold War, and are not immune from these and other threats.
2 2. Cyberattacks: A Closer Look Cambridge, MA March 2018. Population: 110,000. The Cambridge Health Alliance announced that a data breach revealed the private information of 2,500 patients. The leaked data was acquired from billing records and landed in the hands of an unauthorized third party.4 Atlanta, GA April 2018. Population: 472,000. The city battled a ransomware malware attack that severely affected multiple departments causing disruptions with the court system, prevented people from paying bills and submitting important requests, and forcing the police department to resort to pen and paper to file reports. The sophistication of this strain of malware, called SamSam, and the lack of preparedness from the city is what made this attack so successful.5 Atlanta was held hostage for a ransom of $52,000, but has allegedly denied payment and has since spent $2.6M on recovery efforts.6 Sarasota, FL February 2016. Population: 56,000. A city employee clicked on an email attachment, appearing to be a regular document, only to launch a ransomware attack encrypting 160,000 files. Attackers demanded $33M in bitcoin to restore the files. The IT department had to unplug the city’s servers before beginning the recovery process.7 Cockrell Hill, TX December 2016. Population: 4,000. A ransomware attack encrypted all of the digital files that the police department had. The city refused to pay the $4,000 ransom, so the attackers deleted all of the department’s records, dating back to 2009.7 911 Call Centers Attacks on 42 911 call centers have been reported in which hackers disabled computer and dispatch systems and immobilized phone lines with bogus calls, leading to service shutdowns and even a child’s death.8 U.S. Power Grid & Energy Infrastructure Russian hackers gained access to energy and critical infrastructure sectors including nuclear generators, power plants, water facilities, aviation, and manufacturing facilities. The DHS and FBI said the computer systems and internal networks of multiple companies across the U.S. were infiltrated. The Kremlin hacking campaign used old and unsophisticated hacking techniques, and once in the systems, installed programs to surveil and collect information.9
3 Significant Cyber Incidents The Center for Strategic and International Studies documented all significant cyber incidents since 2006. A significant incident is considered “cyber-attacks on government agencies, defense and high-tech companies, or economic crimes with losses of more than a million dollars.”10 They’ve counted 324 incidents from 2006 through April 2018, with a majority of them happening in the last 4 years. Attacks include the hacking of several state voter registries, an Uber breach, and North Korea’s testing of U.S. electric companies’ defense systems. The biggest data breaches (greater than 30,000 records) from 2004 through 2017 were compiled into an interactive visualization illustrating the radical increase in both sensitivity of data and number of breaches over time (Attachment A). Attacks and breaches occurred globally against law enforcement agencies, defense and military arms, transportation networks, banks, universities, hospitals, financial institutions, scores of private sector companies, and even the Massachusetts State government.11 Privacy Rights Clearinghouse reports more than 10.5B records have been breached globally since 2005.12 The Identity Theft Resource Center and CyberScout report over 1B exposed records from more than 8,000 breaches in the U.S. alone (Figure 1).13 Figure 1
4 3. The Rapid Growth of Data and Cyber Threats Global Data In 2011, global data volume was just shy of 2 zettabytes (or 2 trillion gigabytes).14 In 2016, that number reached 16ZB. The International Data Corporation (IDC) released a new report predicting that in 2025, the total volume will reach 163ZB to support critical infrastructure, medical devices, autonomous vehicles, smart devices, business and government operations, and artificial intelligence, to name a few.15 That amount of data would fill 40 trillion DVDs, reaching to the moon and back 100 million times. Much of this data growth will be in the life-critical and enterprise sectors, and it’s expected that the average “connected” person will interact with a connected device 4,800 times per day.16 In 2021, 1 million minutes of video content will cross the network every second to support things like surveillance and consumer entertainment.17 Cyber Threats and Vulnerabilities Heimdal Securities identified and explained a complete list of all 52 types of cyberattacks, in 8 categories, carried out by 3 types of attackers. A spear phishing attack led to the hacking of the Democratic National Committee. Spyware can sit undetected on multiple computers and collect data to report back to the attackers, and ransomware can hijack computer networks and demand payment for the release of associated data.18 Privileged Escalation Attacks get a ‘beach head’ into a system via a personal computer and all of these attacks beg the questions “What are you afraid of?” and “What is your threat model?” Many of these attacks are highly calibrated and executed with military precision by talented individuals who know how to hide their identity and hit hard. Attackers look for soft targets and often governments offer a perfect target due to:19 • A lack of synchronization across critical systems and third parties. • High quality and quantity of data. • Difficulty in attracting high-demand cybersecurity professionals. • Governments don’t typically look at cyberspace as an enterprise-wide risk like the private sector does. • Governments relegate the cybersecurity responsibility to under-funded and under- equipped IT departments and vendors. • A cultural willingness not to ask, “Did this email really come from that person.” Figure 2: Global Data Growth 1.8 16.1 163 0 20 40 60 80 100 120 140 [phone removed] 2016 2025 Global Data (ZB)
5 4. Resiliency & Proactive Measures Three months before Atlanta was hit, the city failed a security compliance assessment20 that could have prevented the attack and saved them millions of dollars. Security is a process, not a product21 and with a sharp increase in use and dependency on technology in an ever-evolving digital world, being proactive is a prerequisite for resiliency. Cybersecurity is also a national security issue. FEMA aides in emergency and disaster situations and fire departments protect people and property from damage. Arguably, the Department of Homeland Security and state agencies should bear the responsibility of protecting cyberspace, in addition to municipal efforts.22 Bad cybersecurity itself is self-reinforcing as it is easy to think that since a cyberbreach has not occurred yet, the security is adequate. Given the crippling impact of cyberbreaches, it is hard to take this issue too seriously. Nonetheless, it is easy to get mired in jurisdictional issues as cyberevents can stretch across municipal, regional, state and international boundaries. Even something as seemingly mundane as participants interacting on Nextdoor.com, for example, is often done via out-of-state servers. The lack of clear jurisdiction can confuse responsibility(ies) for enforcement and reaction. There is always a trade-off between user convenience and security and also between security and budgets. Additionally, user access can present challenges in that some users may have access to parts of a system or network for which they have responsibility, but no need for access, and this excess access increases the risk of a cyberbreach. While cyberbreaches such as defacing a website are reputational in nature and pose less operational danger to a government, any system that deals with sensitive personal data or finances requires absolute protection. This protection must extend to third-party vendors, to include how a government keeps its interactions with vendors such as credit card companies secure. Attention must also be paid to how shared portals with other organizations, such as the Cambridge Health Alliance or even the School Department, might increase vulnerabilities. Some protective measures like site blocking can lead to operational challenges as city staff may need to research issues on sites that are “blocked.” Municipal employees should have appropriate expectations of how secure their data and computer usage is. This should include when using the city’s Wi-Fi on their phones, using apps and so forth. People should understand that anonymity, or the lack thereof, is a different issue from censorship. Agencies in Action7 • Washington State offers free cybersecurity audits to over a dozen municipalities. Washington pays for the tests through a voter-approved initiative that allows the state auditor to appropriate millions of dollars for performance audits like cybersecurity. • Michigan formed a squad of stand-by volunteers, the Michigan Cyber Civilian Corps (MiC3), to provide technical assistance if the state gets hit with a crippling cyberattack in any of its 1,300 local governments.
6 • Michigan also launched a pilot program with five local governments to test whether a chief information security officer (CISO) can operate as a shared service. The idea is to have a certified, trained, cyber-professional to assist local governments lacking the expertise that more resourceful agencies may have. • Sugar Land, Texas has its first CISO to confront cybersecurity issues. He’s a cybersecurity expert that serves as part of IT. Recommendations • Cambridge’s IT Strategic Plan is 5 years out of date and does not address cybersecurity. A review and update of this policy to reflect current technology trends, city business needs, and proactive cybersecurity measures is essential.21 • Identify if the City has an information security policy and a disaster recovery/business continuity plan. If the City does not have them, they should be created and implemented, if the City does have them, they should be reviewed for currency and a process should be developed to ensure they are continuously updated.21 As with a hurricane or other, more familiar type of disaster, we need to have a relevant recovery plan prior to the event. • Conduct an assessment, penetration test, audit, or other review to lower the City’s risk profile, to include equipment, testing and training. Identify the crucial security vulnerabilities and low-hanging fruit.22 This will not be cheap. o What must happen now? o What can wait? o What are long-term plans for upgrades, hiring, etc? o Are access levels appropriately curtailed? • Develop a disaster recovery plan in case computers or communication systems become unusable.22 • Consider obtaining cyber breach insurance to defray the cost of any potential cyber disaster.22 • Research state resources and other municipalities with similar goals and determine if joint training, purchasing or other efforts could help with cybersecurity. • Research non-governmental resources such as the Kennedy School’s Defending Digital Democracy Project, offering a playbook for cybersecurity.21 • Consider splitting cybersecurity responsibilities from general IT responsibilities. There are no City positions with cybersecurity in their title, which does not mean cybersecurity is being ignored, but is competing with other important responsibilities.21 • Clarify and make public CPD’s cybercrime unit’s responsibilities and capabilities. • Create a Chief Cybersecurity Officer position or clearly identify a current position with that responsibility for the City as a whole and within relevant departments.22 • Review training—specialized training for those in the IT/cybersecurity fields, and general training for staff.22 Some training is already done but given the risk that users pose to the systems they use, a review and probable expansion of cybersecurity training for all
7 involved. People need to understand that cybersecurity is their problem too. • Consider having the 2020 fiscal year budget specifically identify cybersecurity resources.21
8 References 1 https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it- problem/#53763acf7832 2 https://www.dhs.gov/cybersecurity-overview 3 https://blogs.cisco.com/security/cyberspace-what-is-it 4 https://www.bostonglobe.com/metro/2018/03/30/cambridge-health-alliance-says-some-its-patients-data-was- compromised/7skcaSVG9GbYaFNSTpWLtN/story.html 5 https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/ 6 https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/ 7 http://www.govtech.com/security/GT-OctoberNovember-2017-Small-Towns-Confront-Big-Cyber-Risks.html 8 https://www.nbcnews.com/news/us-news/hackers-have-taken-down-dozens-911-centers-why-it-so-n862206 9 https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants 10 https://csis-prod.s3.amazonaws.com/s3fs- public/180425_Significant_Cyber_Events_List.pdf?pqetcWcwV7mvAo33_lAZFlQVQz7.E0qh 11 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 12 https://www.privacyrights.org/data-breaches 13 https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches- and-records-exposed/ 14 https://www.zdnet.com/article/data-volume-to-hit-1-8zb-in-2011/ 15 https://www.seagate.com/our-story/data-age-2025/ 16 https://www.seagate.com/files/www-content/our-story/trends/files/data-age-2025-infographic-2017.pdf 17 https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni- hyperconnectivity-wp.html#_Toc484556829 18 https://heimdalsecurity.com/blog/cyber-attack/ 19 https://www.forbes.com/sites/dantedisparte/2018/04/02/cities-held-for-ransom-lessons-from-atlantas-cyber- extortion/#385685725996 20 https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/ 21 Tannenbaum, Saul. 2018/06/08. Cybersecurity meeting. 22 Berman, Seth. 2018/06/08. Cybersecurity meeting. Figure 1- https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of- breaches-and-records-exposed/ Figure 2- Gutierrez, Mark. 2018/06/14.
YEAR SHOW FILTER BUBBLE SIZE NO OF RECORDS STOLEN DATA SENSITIVITY BUBBLE COLOUR YEAR METHOD OF LEAK World's Biggest Data Breaches Selected losses greater than 30,000 records (updated 8th May 2018)
ORDER X-AXIS BY ALPHABETICAL DATA SENSITIVITY SEND FEEDBACK SEE THE DATA Version 1.095 // design & concept: David McCandless code: Tom Evans, Powered by VIZSweet Source: DataBreaches.net, IdTheftCentre, press reports Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson
Live link: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches- hacks/ Bubbles are clickable to learn more information and read originating articles and reports. Bubbles sized by Data Sensitivity Bubbles colored by Method of Leak:
The team behind the 2018 Winter Olympics hack is still active, according to security researchers -- in fact, it's switching to more serious targets. Kaspersky has discovered that the group, nicknamed Olympic Destroyer, has been launching email phishing attacks against biochemical warfare prevention labs in Europe and Ukraine as well as financial organizations in Russia. The methodology is extremely familiar, including the same rogue macros embedded in decoy documents as well as extensive efforts to avoid typical detection methods. While Kaspersky didn't directly point fingers, it brought up a number of clues suggesting that Russia was responsible. Most of the lab targets were people associated with an upcoming biochemical threat conference run by Spiez Laboratory, which just happened to be involved in the investigation of the nerve agent poisoning of former Russian double agent Sergei Skripal and his daughter Yulia. Also, Kaspersky noted that the custom images and messages in the documents were in "perfect" Russian, and The team behind the 2018 Winter Olympics hack is still active, according to Olympic hackers may be attacking chemical warfare prevention labs Jon Fingas Engadget June 19, 2018
one of them specifically references the Skripal attack (conveniently, a piece where scientists couldn't definitively came from Russia). So why target Russian financial outfits, then? Kaspersky acknowledged that there could be multiple parties involved (say, profit-oriented crooks in addition to state-sponsored attackers). However, it's generally accepted that Russia tried to frame North Korea for the Olympic hack. It's entirely possible that the Russian targets amounted to a false flag meant to cast doubt on the true origins of the attack. The focus on labs and the Skripal connection may have been meant to rattle the West for daring to attribute assassination attempts to Russia. It may be difficult to completely prevent campaigns like this when political tensions are so high. Kaspersky believes the labs can curb this in the future, however, such as tightening their overall security and running impromptu security audits. It's also a reminder to be cautious -- a seemingly innocuous attachment can have dire consequences. Securelist This article originally appeared on Engadget.