EAST GREENWICH, R.I. — Municipal department heads and staff from Woonsocket and East Providence as well as other organizations converged on Camp Fogarty Tuesday for the first day of a two day cybersecurity seminar hosted by the Rhode Island National Guard.
The seminar, led and organized by Rhode Island National Guard Chief Information Officer Col. Mike Tetreault and East Providence IT Director Kelly Ahrens, comes as cyber attacks on municipalities, state and federal governments and businesses continues to rise with hackers, both private and state-sponsored, targeting organizations through fraudulent email links, a process known as “phishing,” and other malware to steal valuable information, often which is held ransom until a payment is made or an IT firm figures out how to crack the malware.
In the past year alone, four Rhode Island communities including Coventry, Pawtucket and East Greenwich have been targeted, with personal information of employees being stolen and important documents changed or deleted. Between January 2016 and October 2019, 704 municipalities fell victim to cyber attacks and this past November Louisiana Gov. John Bel Edwards declared a state of emergency after state agencies and 40 parish governments were attacked.
In response to attacks, the Rhode Island Joint Cyber Task Force, a partnership between the Rhode Island National Guard, Rhode Island State Police and Internet service providers formed by Gov. Gina Raimondo, has been on an outreach mission to cities and towns across the state to help improve their cybersecurity capabilities and encourage training to help mitigate the damage and try and prevent future attacks, or at the least give communities the tools on how to respond to them and protect themselves.
They’re also working with the Board of Elections to ensure voter registration and voting machines are secured.
“We’ve been doing cyber here in Rhode Island for at least 12, going on 13 years,” Tetreault said. “This is not something that’s new to us.”
In addition to working with the RIJCTF, Tetreault leads the Rhode Island National Guard’s Defensive Cyber Operations Team at Camp Fogarty, having been assigned to the position by Maj. Gen. Christopher P. Callahan, the leader of the state’s National Guard and Homeland Security Adviser to Raimondo.
Both Tetreault and Ahrens said they don’t know all of the answers and don’t claim to, but through working together and collaborating with other departments and municipalities that they hope to develop the best possible defense against these attacks, and hope to use the seminar as a template for future endeavors with other towns and cities, with Tetreault saying North Providence, North Kingstown and Cranston among others have expressed interest as the state looks to require such training for government employees on an annual basis.
“(Hackers) are coming after municipalities because we have weak spots,” Ahrens said. “We don’t have the funding sometimes to have a good resilience plan, so it’s important that we work together to talk about some of our vulnerabilities, talk about a plan that we can look at and start executing. Nobody’s here to say we have the best plan. We’re certainly not here to say we have everything right, what we want you to do is talk amongst each other so if we do get a cyber attack, we can still provide services to our cities and our residents.”
East Providence implemented mandatory training for cybersecurity last year, while Woonsocket is currently looking into it.
According to Tetreault, strong cybersecurity starts from the top.
“Leadership is the key (to cybersecurity),” Tetreault said. “Without that, it all falls apart.”
Leaders are responsible for ensuring that their staff is well-trained in basic cybersecurity practices on a consistent basis and can identify phishing scams as well as making sure systems are always updated to the most recent software, data is strongly backed up in case of an attack and that if an attack occurs, all staff know who to contact and how to handle the situation.
He also stressed the importance of two-factor authentication for logging into software and making sure employees utilize strong passwords rather than “stupid” ones such as 123456.
He compared training for cyber attacks to fire drills, saying both serve the purpose of teaching people how to reduce risk, something he calculates as the likelihood of such an attack multiplied by its severity, or threats by the system’s vulnerability, and are important in ensuring proper procedure.
Tetreault also stressed the importance of not underestimating such attacks, a lesson Coventry learned the hard way as they did not anticipate foreign-based hackers would consider them an important enough target.
“I think you all know by now that the threat is real,” Tetreault said, adding that hackers “just throw out a net” to see who or what they can catch.
Many of these attacks come from outside of the United States, according to Tetreault, as attacks from within the nation can be easily traced by government agencies and police forces, whereas foreign-based attacks are harder to prosecute as they’re often based in countries that don’t have extradition treaties with the US and many are sponsored by other governments, such as the 2014 attack by North Korean-backed hackers on Sony that cost the media giant $500 million in damages.
With hundreds of millions attacks on American systems happening daily, Tetreault compared having unprotected computers to leaving your front door open, saying that while you may think you live in a safe neighborhood or that you’re not a big enough target, it only takes one instance to be completely wiped out.
He acknowledged that phishing attacks can never be truly prevented as humans are naturally curious and even with anti-phishing training, employees can still fall susceptible to such scams.
“The best we can hope for is a 12 to 15 percent click rate (on malicious links),” Tetreault said.
For the best framework for cyber security, Tetreault recommened the National Institute of Standards and Technology (NIST) Cyber Security Framework, something he utilizes with his own team and considers the “gold standard.”
The framework consists of six steps: Prepare, Identify, Protect, Detect, Respond and Recover. Organizations should be prepared for attacks through control baselines and strong organizational communication, identify asset management and asses/manage risks, protection of the system through access control, data security, awareness training, maintenance and protective technology, detecting any anomalies or unusual events, having response planning and communications in place for mitigation, analysis and improvement and to plan for recovery through improvements and communications.
Following Tetreault’s remarks, Rhode Island Department of State Elections Director Rob Rock spoke to the work to protect the state’s elections.
“I only focus on elections,” he said, “but it goes to the bigger issue of phishing and being vigilant of what you open and what you don’t, because ultimately it could affect elections or it could affect the payroll in the police department or in the fire department or somewhere else.”
After Rock wrapped up his remarks, the attendees broke for a quick recess before returning to work in groups to share ideas and identify the best cyber security methods.