Alaskans have been affected by cyberattacks in various ways, whether it’s leaked private information from the Permanent Fund dividend program or the shutdown of online court or health department services.
The kinds of attackers and their motivations in targeting governmental organizations can also vary, says Chuck Benson, director of risk mitigation strategy for the ‘Internet of Things’ at the University of Washington.
The “bad guys,” as Benson calls them, can range from nation states engaging in a kind of simmering online warfare to criminals looking to freeze an organization’s IT systems so they can demand ransom to unlock them. He says there are even partnerships between the two groups.
Read a full transcript with minor edits for clarity.
Chuck Benson: The core of this is that the complexity of the world is accelerating so quickly. Things are just even more complex every new day. I think the bad guys are more aware of that. They don’t have complexity mastered, but they’re more aware that it’s more chaotic than the non-bad guys are. I think the non-bad guys trust in systems, and we think it’s is going to work for the most part. But the bad guys know that that’s not the case and they exploit that difference in perception.
Casey Grove: Do they say, “Okay, I want to target the Alaska Department of Health,” and then go from there? Or is it more of a passive search for vulnerabilities, wherever they might be with some sort of like automated code or something? How does that work?
Chuck Benson: It’s all the above.
The tools for doing malicious things is a very mature market and it has been for years. There are eBay equivalents, there are places you can go buy malicious code that even comes with support plans.
To be clear, I don’t know who or why or how the Alaska attacks happened. But attacking governments and city governments and local governments, often, I think that’s the case, because they’re under-resourced. Everybody is under-resourced for cybersecurity, but governments tend to be more so and so that makes them kind of an attractive target. Plus, if you get some good government disruption, then that can be a payoff for the bad guy.
Casey Grove: So if they’re describing it as having caught this early on, and then it still takes a while to restore services. Why is that? Why does it take so long to bring things back?
Chuck Benson: Well, it can take some time if there weren’t backups, or maybe even some new hardware was needed. Sometimes they’ll detect something, shut something down, but then try to figure out, ‘Okay, how far did they get?’ Because that’s not obvious, the attackers don’t always leave a note saying ‘I got exactly this far.’
That speaks also to resilience: We need to get good at this stuff. When you get taken down or you get bumped on, how quickly can you come back and be pretty much fully operational? That’s a particular skill and capability set. We have to get out of that mindset — and it’s starting to happen.
We used to think we could build a perfect fence all around, and no one’s gonna get through your fence. That’s not enough. We want to have a fence. But we also have to know that people are getting through the fence. And we have to act and plan on people already being inside the fence. It’s a fantasy to think that you’re gonna build a perfect fence and keep all the bad guys out. Bad guys would love that because we are gonna be looking the wrong way all the time.
And it’s not fun, right? It’s not fun to say that or to think it or admit: it makes you uncomfortable, but I think it’s the right thing to do.
Casey Grove: Specific to ransomware attacks. Is it wrong to pay the cyber attackers in a ransomware attackers? If the cost of replacing your entire system, if that’s what you’ve got to do, might be more than what they’re asking in ransom. In the past, folks like the FBI have said, ‘never pay them.’ But is that true? I mean, in some cases, does it make sense to just pay the ransom?
Chuck Benson: Yeah, I would say it’s a very, very active public and private debate. People will talk about out loud what their positions are. And there will be other conversations behind closed doors about what their positions are. My sense is that it’s going to vary case by case for at least for a while. Like you said, it’s my understanding also that the FBI says, ‘Don’t never do this.’ But we know that some places do, and they’re probably doing that math. It’s like, ‘It’s gonna cost me this much money to replace all this. I’m gonna pay them.’
So to your question, I would say it’s an unsettled question.
Casey Grove: I think another thing that people are trying to figure out is just the uncertainty of living in the 2020s and hearing about these kind of attacks and people get notified that their private data was leaked. How do people grapple with that? Or how should people think about that to sort of just get through their daily lives?
Chuck Benson: The situation is bad. But we also don’t want to say the sky is falling, because then people just throw up their hands and say, ‘Heck with it, I just can’t keep up. Whatever happens happens.’ We don’t want to do that.
So there are basic things we can do that are good for individuals, good cyber hygiene, for institutions, whether it’s government or corporations, to have programs and structures in place to start to go at the problem and then you work those things. And then you get ready to respond. And when something happens and something will happen.
We want to get out of this mindset that we’re trying to stop everything from happening. But we want to slow things that are happening, and we want to be able to respond. We want to be able to be resilient when they do happen.