State IT chief: Maintain ‘maniacal focus’ on cybersecurity
Individuals and entities should have a “maniacal focus” on cybersecurity, which includes having strong passwords and backing up data regularly, according to Gary Vance, chief information security officer with the Arkansas Division of Information Systems.
Vance was part of a panel discussion Tuesday (Oct. 8) on the second day of the two-day 2024 Cybersecurity Summit presented by Arkansas Attorney General Tim Griffin and the Forge Institute. The first day’s speakers included Jen Easterly, director of the federal government’s Cybersecurity and Infrastructure Security Agency (CISA).
Vance and James Gentry, Fort Smith’s chief information officer, emphasized the importance of having complex, unique passwords for each site one visits. Gentry said he has 400-500 passwords organized through an encrypted password manager, an application that can be obtained at an app store. Vance said complex passwords close the door on bad actors trying to assess a user’s data.
“I think we as individuals, as entities, as businesses, as public and private, you have to take a maniacal focus on cyberdefense, which means you as an individual have to take a maniacal focus,” he said. “So I’ve always looked at it this way: A door left open is a door that can be walked through.”
Vance also emphasized the importance of having a business continuity and disaster recovery plan that includes backing up one’s data regularly. Doing so reduces hackers’ leverage.
Paul Davis, chief information officer with the attorney general’s office, said users should use a “3-2-1” backup system that includes three copies of the data stored on two devices, one of those being offsite. An example of the three would be the computer itself, an external hard drive and a cloud service provider. Leaving the external hard drive plugged in will ensure backups occur regularly. However, the bad actors can access the backup.
Davis said users should always be suspicious, especially if something includes a link or an attachment, because it could be a phishing attempt. Don’t call a phone number that pops up on the screen. Software should be kept up to date.
Chad Johnson, CISA cybersecurity state coordinator, warned that it’s becoming harder to protect oneself against email phishing attempts. Thanks to artificial intelligence, the bad grammar is going away. He advised users to hover over a link to see the actual address rather than what appears on screen, or to copy and paste it or type the address physically into a website. He warned that bad actors have sophisticated operations with customer service departments, so be sure to use a known good phone number and a known good website.
He said bad actors are scanning the internet looking for targets, but an individual may not be the end target. The hackers may be testing out new malware or new techniques. The Chinese-backed Volt Typhoon seeks to embed itself in critical infrastructure, go to sleep, and then awaken when China wants.
Gentry emphasized the importance of reporting data breaches quickly to mitigate the damage. Victims should contact their information technology department or security department, law enforcement or CISA.
“Don’t be embarrassed. It happens to everyone. I have almost clicked on things too and had to back out,” he said.
Also speaking at the conference was Thomas MacLellan, director of governmental affairs and strategy for Palo Alto Networks, the world’s largest cybersecurity company.
MacLellan said hackers are using artificial intelligence to make their phishing emails more effective. He also almost fell for a phishing attempt a couple of weeks ago. Attempting to obtain a flight for his daughter using his airline points – while multitasking – he googled his preferred airline’s phone number. When he called the fake one that appeared, the responder asked him to reset his password and asked for his credit card. He stopped, changed his password, and reported.
“I’m a cybersecurity professional, and they got me,” he said.
MacLellan said entities must ask themselves how quickly they can detect a threat and also how quickly they can respond. Many entities are at risk, including internet-connected industrial control systems running dams, traffic lights and other critical infrastructure systems.
Challenges include a lack of qualified professional cybersecurity workers, who must deal with organizational complexities including many vendors and legacy technologies. The “attack surface” has grown in that most organizations don’t know what is connected to the public-facing internet.
MacLellan said bad actors will attack systems that are easiest to exploit, such as schools and local governments. One large county was shut down for a month and was unable to issue titles, death notices or driver’s licenses. In North Dakota, a small rural school was under attack by North Korea hackers, which were trying to access the children of parents who worked at missile silos. States, which have more resources, can help local governments respond.
Among the other speakers at the summit was U.S. Rep. Rick Crawford, R-Jonesboro. He noted that the United States developed technology that it then outsourced to unfriendly countries that could produce it at scale. They have reverse-engineered it and can use it to exploit U.S. vulnerabilities.
“It’s important that we start to recognize it’s not just nice to have U.S. technology being U.S. based. It’s essential from a national security perspective,” he said.
Crawford said Americans should incorporate redundancies in critical infrastructure, with fail-safes that can’t be hacked or accessed through cyber means. He said United States Cyber Command, which is part of the National Security Agency, is a combat command.
“Can we go on the offense? Yes, we can,” he said. “Have we? Officially, no, and I don’t know of any offensive measures we’ve taken from a cyber perspective. Should we? At some point, probably so.”