
By: Matt Kozloski


October 2nd, 2018

Why Connecticut Is A Leader in Cybersecurity


In many ways, Connecticut is a state in search of an identity. Could we become known as the Cybersecurity state? In Europe, some already know us that way.

After a very enlightening conversation toward the end of last year, Art House, Chief Cybersecurity Risk Officer for the State of Connecticut, was gracious enough to come back to the Kelser offices this fall for a follow-up interview to give us the latest on the global cybersecurity landscape and how Connecticut fits in.


Here are some highlights of the interview. Full transcript and audio below.

Connecticut is one of the only states with a cybersecurity strategy. Art’s work in intelligence under President Obama prepared him to help make Connecticut a cybersecurity leader.

ART: In 2012, very few states had people in them with an intelligence background or who understood the threat of cybersecurity. So, when I came up to Connecticut, people in Washington said, “Could you please go to work on Connecticut? Because we need some states to get out in front on this.”

In September, October of 2017, we put out our first report on the defense capabilities of our public utilities, and our second report was just published. Connecticut was the first in the United States to do a report like this, so we were way out in front of other states.

So, the answer to the question of, “How did Connecticut get into this [discussion with Ukraine],” we were the first state to do that sort of a review process with the utilities, and we had done a strategic plan and an action plan. The State Department wanted these countries to do strategic plans and action plans. Connecticut had done one, so they said, “Could you go over and work on this?”

We stack up very well [compared to other states] in that we were one of the first ones to get started in public utilities, critical infrastructure. And I am told that our strategy and action plan is far more extensive than that of other states.

Having said that, we’re very vulnerable. So, compared to other states we’re doing well, but it’s no reason to be –

MATT: Be excited?

ART: Or to be reassured. We’re still quite vulnerable, so that although we’re doing well, it’s no reason to relax.

MATT: Do you think that in any way makes Connecticut a little bit more attractive for businesses to come here?

ART: That’s exactly what we’re trying to do. We are trying to create a culture of cybersecurity to give Connecticut businesses a competitive edge. Now, with our utilities, we’re hard at work on that. Our defense industry is doing a terrific job, as is the insurance industry and financial services. We just need to expand this to make it something that does identify Connecticut as a state which takes cybersecurity –

MATT: Like if you’re thinking of opening a business like, “We take cybersecurity seriously.”

ART: Exactly.

MATT: “We can’t guarantee safety, but you may be safer here than…”

ART: We want to be known as a state that takes it seriously, and that’s why we need to work with CBIA and with the Metropolitan Chambers of Commerce so that businesses will take it seriously. And it’ll help give our businesses a competitive edge, absolutely.

We’re known as the “collaboration state” because we chose to facilitate collaboration between public utilities and the regulators, and we worked it out by negotiation.

What’s holding Connecticut back from going even further?

ART: In Connecticut, there’s a shortage of cybersecurity professionals. Businesses are trying to hire people to get started in-house to build their defenses, and then use whatever external resources they need. And they’re having trouble hiring people, as they are across the country. There are – it’s estimated there are about 3,500 jobs unfilled in Connecticut and close to 400,000 across the country.

Where are they coming from? Businesses want somebody with a two-year degree. Why? Because if you go to a four-year institution and the curriculum is, say, three years old, by the time you get out with an electrical engineer, you’re seven years old. In the field of cybersecurity, that’s a long time.

Well, now, the Connecticut system is starting to rally to this. But in our action plan, we point out that Connecticut’s community colleges are producing – one year they had 16 graduates, one year they had 40 graduates. But whatever it is, it’s about 1% of the need. And education is not a market-based system. It’s not supply and demand. And so, you have to actually go in and not only redesign curricula but place those curricula in other community colleges so there’ll be more graduates coming out.

The cybersecurity landscape of each state is different. What are the unique challenges in Connecticut?

ART: Our unique risks are also ones that are defended against, and they’re especially in the defense industry – Electric Boat, General Dynamics, United Technologies, Sikorsky. The plans for the F-35 strike fighter – joint strike fighter, the Aegis Antimissile Ship Defense System, the Black Hawk helicopter – the Chinese have stolen all of those.

Now, the new area is the supply chain, and Connecticut is supplied with supply shops – machine shops and so forth. We’re suppliers to the defense industry. And more and more they’re saying, “What is your cybersecurity plan? How do I know in buying the widget that you’re going to put on this submarine or this jet engine, is okay? Let’s go – let’s take a look at the cybersecurity protection plan for your company and for your products.”

And that’s a huge incentive because they can say, “Look, there are four manufacturers of this product. If your system is not adequate, there are three others I can go to.” Well, that’s an incentive for somebody to say, “I’m going to take cybersecurity seriously.”

MATT: Shifting gears a little bit, same type of question around our municipalities, local governments, how vulnerable do you feel they are?

ART: The history shows –

MATT: We hear about W2 fraud, but –

ART: No, the history shows they are vulnerable. Now, five or six years ago, you wouldn’t have put cybersecurity and municipality on the same page. They are now, and they know it. Towns in Connecticut have been hit with ransomware attacks. Now, almost every person I know of, especially every mayor or every CEO: “I will never pay ransom, I will not deal with, I will not negotiate with a terrorist,” and so on.

Now, put yourself in the position of a mayor or a town manager. You’re delivered a notice that your communication system, your operating systems are shut down. The key to restore it will cost two Bitcoin – say, $10,000. The gut reaction is, “I’m not going to pay it, I want nothing to do with these guys.”

Okay, fine. You are not able to respond to fire calls, your police cannot respond to emergencies, your ambulances cannot go to houses. As mayor, do you really want to be responsible for deaths, for fires in houses, for ambulance – for not being able to respond to a car accident or something? And once you take into account all the things that could go wrong, inevitably, they turn around and they try to negotiate and resolve it.

ART: That’s one factor. The other is, “It’s not going to happen here.” That they’ve never heard of that happening in their town or in surrounding towns. They don’t know that we’ve already had a bunch of them in Connecticut.

But – and the other is, “If it happens, it won’t come to me, it won’t be this town.” Now, the solution, I think, has to be regional. There are a lot of small towns in Connecticut that don’t have information officers and they don’t have the resources, and property taxes are too high here and they’re under real budget control.

The Capitol Region Organization of Governments knows about this. The solution needs to be regional because a lot of small towns don’t have chief information officers.

MATT: Sure, and why would they?

ART: Right. Or if they do, they don’t have a cybersecurity officer. But you can make this resource available for the towns and to come in and check what your defense system is, how you can bolster it.

But I think you’re right that for a lot of towns this is new, it hasn’t happened before, “We have a tight budget, maybe we can get by without investing in it.” And then something bad goes wrong.

ART: Two things I found are very predictable. One is everyone does not want to pay ransom or negotiate with a terrorist or whatever. Once the attack actually happens, I’ve not found somebody who has not wanted to deal with them.

We identified in Connecticut the need for more intelligence on cyber threats and investigation of cybercrimes. And the state police is starting to do that. They already had the rudiments of that in place. They’re increasing their manpower, they’re increasing their attention to it, and they are processing and analyzing more intelligence and they have more officers dedicated to investigating cybercrimes as they take place. Those officers can also work with municipalities.

So there’s an example of the action plan building on the strategy to provide tangible results for the people of Connecticut.

MATT: So, Connecticut state police has dedicated officers and investigators where their sole task actually is cybercrime?

ART: That’s right, that’s right. The analogy I like to use is if you’re at home and somebody is running around the backdoor at night and is rattling the door, you call the police. And the chances are, they’ll be there very, very fast.

MATT: They kind of know what to do.

ART: They kind of know what to do, right. Now, you’re a small business. You see somebody trying to get into your computer to steal your money. Who do you call?

MATT: I wouldn’t know now, but logically, the police, right, when someone’s trying to steal something?

ART: The answer is you can call the Secret Service or you can call the FBI. But if you’re – and if you are a major bank, you already have relations with them, and they’re there right away. If you’re a local retailer or a law firm or a real estate agent or a local business, there’s not much the FBI and the Secret Service can do. They appreciate having the information, but they’re not going to be jumping in to take care of you.

We need in Connecticut somebody in Connecticut who can say, “The same thing happened in the next town over” and so forth and to be able to help you, to build your defenses, to report the crime, to try to find out who did it. And that has to be a state, regional, and local function. And yes, they’re putting that in place and they’re starting to work on that.

Full Audio and Transcript

If you’d like to listen to or review my entire conversation with Art, you can stream the full audio and read along below. The conversation kicks off with a discussion of how a tailored spear-phishing campaign, tried three times, gets through about half the time. That’s how attackers got into the operators of Ukraine’s power distribution companies and shut them down.

MATT: My name is Matt Kozloski, I’m the Vice President of Professional Services at Kelser. With me today I have Art House, Chief Cybersecurity Risk Officer for the State of Connecticut. Welcome, and thank you for coming in today.

ART: It’s great to be here, thanks for having me.

MATT: Art, when last we left off, you were traveling to the Ukraine, so how was that?

ART: That was quite a trip. And there are four countries that the State Department is focusing on in the Black Sea region: Ukraine, Moldova, Georgia, and Armenia. So since then, I’ve been to – I’ve been to Ukraine; I’ve also been to Georgia and to Armenia. And they’re developing cybersecurity strategies.

The State Department AID has put together a group of some American specialists. I would not call myself an expert, but others were experts. And we went and helped them work on strategies. And since then, there’s been a lot of activity out there.

So, this is – Ukraine especially is a hotbed of Russian attacks. And a lot of the new kinds of technology that are being tested are being used on Ukraine.

MATT: Interesting. So, before it comes here –

ART: If it does come here. But the point is that Russia is in open conflict with Ukraine over Crimea, over eastern Ukraine. And cyber is a weapon. I say this a lot. People should not look upon it as just inconvenient. Cyber is a weapon. And just as they’re firing artillery shells, they’re also trying to compromise systems by using cyber.

My counterpart on the Ukrainian side – I don’t have to tell him cyber is a weapon. He’s dealing with it all the time. And just a year ago, one of the brand-new strains of malware was released by the Russians on Ukraine. It was a very dangerous, very sophisticated new form. And they tried it there because they are in direct conflict with Ukrainians.

MATT: What are some of the ways that they’re getting the malware out there? Is it phishing like what we deal with here or…?

ART: It was the first time. When they shut down the electric distribution companies a couple of years ago, that was a spear phishing attack, and it was very instructive because of how they did it. They identified the operators of the distribution companies and used several emails, and eventually, they got through.

And the American team that did that assessment figured that if you try three times, a tailored phishing attack, you have a 50/50 chance of getting through. And by “tailored” I mean they know who you are. They talk about something about you or your family or where your children go to school or your church, or something about your work, so that when you get the tagline, it looks like a paving plan for Maple Street, and you live on Maple Street.

MATT: You would open that.

ART: You open that, yes. And you want to find out what it’s all about. Well, they did spear phishing for those operators, got through. And then once they got through all of them, for about six months, then they assumed the identity of those operators and proceeded to shut down the facilities that they were managing. The operators looked at the screens in front of them that were their screens and tried to do things, but they were no longer the operators. The Russians had taken over, changed the passwords, and were managing it and were shutting down the facilities.

MATT: Is this their power grid essentially?

ART: Yes, it was the distribution companies for the power grid. And there’s – I can go more into it, but they had gone onto automatic management. And what they had to do – fortunately, they’d only done it in the past couple of years.

And what they actually had to do was to go find the former engineers who used to do it manually. They literally got Jeeps and went and got these guys and drove them out to the plant and said, “Do what you used to do a couple years ago. Go set it up again.” And had they not found those people, the outage would have lasted a long time.

MATT: Do you have any sense between – so obviously, the outage was a pretty high giveaway, but was it –

ART: It was December, by the way, so they needed it for heat.

MATT: So, in this case too, you’re not just holding electricity because it’s nice to have, in a way to be hostage. You’re preventing people from heating their houses.

ART: That’s right, that’s right. So, there are several ways of getting in, but the first one was a spear phishing attack.

Once you get into a system, and there are several ways of getting in, they planted that malware. And that was extremely dangerous, and the West had not seen it yet. No one had seen it. It was a new form and did a lot of damage.

MATT: Is there any estimation to determine how long that malware was on their network for before there was any sign that it was activated?

ART: I don’t know how long it was on, no. But fortunately, they left – the designer left a backdoor open. And there was a British specialist who found the backdoor and could go in and close it down. But if not, this could have been a much worse story than it was.

There have been two major attacks in the past couple years. That was one. Another one was on the British health system. They went around the world.

One of the ironies also is that they attacked the older versions of Word systems. And some of the people who had stolen Microsoft Word had the older systems, and they were hit because the more modern ones had the patches.

MATT: Sure, and they were just –

ART: So, one of the ironies is that a lot of the damage on one of these attacks was done to people who had pirated the system in the first place.

MATT: How likely would it be for an attack like the distribution operator one, for example, to happen here in the U.S.?

ART: In the United States? I take a deep breath. No, seriously, anything can be penetrated. That’s one of the things that people don’t want to realize but is the truth. If people can hack into our intelligence systems, our most secret intelligence systems in Washington, into the Pentagon and military operating systems, into our large companies that have sophisticated defense systems, they can break into anything.

There are in North Korea 6,000 electrical engineers in their cyberattack force. 

MATT: Wow. Attack force, not defense, but actual attack force?

ART: Well, but they do both, they do both, they do both. In China, it’s estimated they have close to 180,000 people in the cyber forces. Now, if you think – if you take that number of people and you put resources behind them, what you can do – the Russians have very sophisticated attack penetration capabilities. So, my point is anything can be penetrated. So, the answer to your question is, yes, it can be.

In March of 2018, just a couple months ago, the Department of Homeland Security put out a statement that the Russians had penetrated a large number of American public utilities. They had not pulled the trigger, but they were in there in what they call “battlefield preparation.”

So yes, it could happen. In fact, they’re already inside. They’re already inside a number of utilities. And should they decide to – should there be armed conflict or there be open war, they could pull the trigger and disable those utilities.

So, we need to practice cyber hygiene. We need to do all those things that Connecticut’s action report refers to – patching, going through, doing penetration testing.

My field is international relations and national security. I’ve worked in the National Security Council, in the U.S. Senate at different times. And I was in the Obama Administration. I worked for the director of national intelligence. I was head of congressional relations and communications, and I was an intelligence officer.

And as such, one of the things you do is you work on integrating intelligence, meaning intelligence from all sources – cybersecurity, I was with the National Geospatial Intelligence Agency that takes the pictures, human intelligence. So, the point is when – I had some basic understanding of intelligence.

When I became chairman of Connecticut’s Public Utilities Regulatory Authority, because it is state-regulated, it’s vulnerable. Very few states have people in them with an intelligence background or who understand the threat of cybersecurity.

So, when I came up to Connecticut, people in Washington said, “Could you please go to work on Connecticut? Because we need some states to get out in front on this.” So, when I came up, I talked to Governor Malloy and he said, “By all means.”

So, he encouraged me. I wrote a strategy for the Public Utilities Regulatory Authority and an action plan, and we negotiated it with the utilities.

In September, October of 2017, we put out our first report on the defense capabilities of our public utilities. We’re doing the second one right now. That was the first time done in the United States, so we were way out in front of other states.

So, the answer to the question of, “How did Connecticut get into this,” we were the first state to do that sort of a review process with the utilities, and we had done a strategic plan and an action plan. The State Department wanted these countries to do strategic plans and action plans. Connecticut had done one, so they said, “Could you go over and work on this?”

Yes, there are a couple of other states. The state of Washington has done some work on it, Illinois, and then they’ve taken people from the national labs such as the Idaho National Lab, have come and they’ve been part of our team as well.

But Connecticut was chosen because we are a bit ahead of the game in terms of working with critical infrastructure and our utilities.

MATT: Do you think that in any way makes Connecticut a little bit more attractive for businesses to come here?

ART: That’s exactly what we’re trying to do. We are trying to create a culture of cybersecurity to give Connecticut businesses a competitive edge. Now, with our utilities, we’re hard at work on that. Our defense industry is doing a terrific job, as is the insurance industry and financial services. We just need to expand this to make it something that does identify Connecticut as a state which takes cybersecurity –

MATT: Like if you’re thinking of opening a business like, “We take cybersecurity seriously.”

ART: Exactly.

MATT: “We can’t guarantee safety, but you may be safer here than…”

ART: We want to be known as a state that takes it seriously, and that’s why we need to work with CBIA and with the Metropolitan Chambers of Commerce so that businesses will take it seriously. And it’ll help give our businesses a competitive edge, absolutely.

MATT: What do you think it’s going to take for people to care a little bit more? We see businesses and it’s in the news a lot. Obviously, the risk is there, but it just seems like there’s this disconnect with actually doing something about it.

ART: That’s a huge question. That’s exactly the right question. I hope it is not a cyber 9/11.

MATT: I would hope not also, but –

ART: In the United States, we’re very good at rallying after a disastrous attack – Pearl Harbor or 9/11 or whatever. We come together as a country. But we’re not very good at reading warning signs. And the warning signs for cyberattack are all over the place. And as you say, they’re in the news. I mean, just to follow through on that, more than half the businesses in Connecticut have never even done a risk assessment.

MATT: I believe it, yes.

ART: And never mind setting up a defense system. Well, I mean, I don’t know what it takes. I don’t know the answer to that. But if you could lose your livelihood, your company could be shut down, you could put in danger the jobs of the people who work for you, your shareholders, your customers, that could be done, I don’t know what more you need to know is – than that that kind of damage could be done and the systems to do it are out there.

MATT: It almost feels like it’s just negligent to not do something about it.

ART: I don’t know why one would not go on the defensive and take that kind of threat seriously and start to build up appropriate defenses.

And there are companies that do that, as you well know.

MATT: Yeah, of course.

ART: I mean, there – well, I liken it to doing your taxes. Now, if you have a very simple financial profile, maybe you can do your own taxes. But once you start owning assets, you have children going to school—to keep up with the laws, the regulations, it makes sense to have someone help you with your taxes. And very quickly, you find out that either you have to become a specialist in taxes yourself or you hire someone to do it.

And it’s very much for home the same way. I mean, even a home needs a professional to check your firewalls, to check your security, to make sure things are backed up, so that if you’re hit you’re not devastated. And for businesses, I think it’s a necessity.

MATT: I just look at how much a business would invest in a new piece of equipment for the shop floor or how much just revenue a given business is taking in. And when you talk about how relatively inexpensive these defenses are to it, it just surprises me that more people aren’t doing more about it, I guess.

ART: Oh, it’s like insurance. I mean, “I didn’t have insurance and I was wiped out.” Well, yeah.

MATT: Exactly, yeah. So, the state recently published a cybersecurity action plan. Tell us a little bit about that.

ART: Well, this action plan follows the strategy, the cybersecurity strategy that Governor Malloy announced in July of 2017. This action plan actually comes up with things to do, and it focuses on five sectors: state government, municipal government, private business, higher education, and law enforcement. So, there are targets for each of these. It was just announced in May, so we’re getting started putting it into effect.

But there are some specific things in there. Just to take a specific example, in Connecticut there’s a shortage of cybersecurity professionals. Businesses are trying to hire people to get started in-house to build their defenses, and then use whatever external resources they need. And they’re having trouble hiring people, as they are across the country. There are – it’s estimated there are about 3,500 jobs unfilled in Connecticut and close to 400,000 across the country.

Where are they coming from? Businesses want somebody with a two-year degree. Why? Because if you go to a four-year institution and the curriculum is, say, three years old, by the time you get out with an electrical engineer, you’re seven years old. In the field of cybersecurity, that’s a long time.

MATT: It sure is.

ART: So, you come out and the business has to kind of retrain you. They want somebody fresh out with the basics, and they’ll do the recertification, the updating constantly all the time, and they want you to learn their business.

Well, now, the Connecticut system is starting to rally to this. But in our action plan, we point out that Connecticut’s community colleges are producing – one year they had 16 graduates, one year they had 40 graduates. But whatever it is, it’s about 1% of the need. And education is not a market-based system. It’s not supply and demand. And so, you have to actually go in and not only redesign curricula but place those curricula in other community colleges so there’ll be more graduates coming out.

MATT: That makes sense.

ART: I’m giving you a specific example. We also looked at law enforcement, private business, municipal government, and state government as well.

MATT: How about private business? This is just an action plan. This isn’t a regulation at this point, right?

ART: It is not yet a regulation, but it is an action plan. And what we call for are businesses to look at what’s important to them. And to do the basic things I’ve been talking about – firewalls, softwalls, corporate culture, software systems, training, patching, backups, do all that kind of thing. And businesses are just – they don’t want more legislation and more regulation. They’re against that.

And yet when they are compromised, it’s not just the business itself that’s hurt. It’s the community, it’s the employee of the customers and shareholders and so forth.

And it used to be 10 years ago, if you asked a governor or a state legislator, “How was our state doing on cybersecurity,” it was perfectly okay back then to say, “I don’t really know. I mean, it’s a new field.” Today they can’t do that. They have to know what the cybersecurity plan is for the state and how prepared we are.

Now, there’s a tension between – there are some states that are starting to legislate and regulate. New York is one of them, for example; and Connecticut, where we haven’t done that yet. We’re known as the “collaboration state” because we created collaboration between public utilities and the regulators, and we worked it out by negotiation.

But what can you do if most businesses in the state have not even done a risk assessment? That can’t go on for very much longer. You can’t have basically no action being taken to know even what the problem is. And there’s growing, mounting penetration, especially small- and medium-sized businesses. Why? Because they’re quick, easy targets.

MATT: How do you feel we stack up to other states? Do other states have an action plan even in place?

ART: We stack up very well in that we were one of the first ones to get started in public utilities, critical infrastructure. And I am told that our strategy and action plan is far more extensive than that of other states.

Having said that, we’re very vulnerable. So, compared to other states we’re doing well, but it’s no reason to be –

MATT: Be excited?

ART: Or to be reassured. We’re still quite vulnerable, so that although we’re doing well, it’s no reason to relax.

MATT: The SHIELD Act was New York’s version of a regulation actually around this too.

ART: Yes, that’s right.

MATT: And they were looking to pass, I think, even stricter regulations that would affect actual businesses and whatnot.

ART: Local businesses, smaller businesses. They’re big in the financial community for obvious reasons, having New York City. And they have a mandatory reporting requirement. If you have an attack of a certain dimension, you need to report it.

Okay, that’s a starting point. Connecticut business has to decide what it’s going to do, organized business. The CBIA, Connecticut Business and Industry Association, and the Metropolitan business – Chambers of Commerce – the MetroHartford Alliance and Middlesex – they all care a lot about this and they’re trying to work out with their members what to do about it.

My own solution – I don’t know if this is ever going to happen, but I think that the parallel is very much similar to what you have with financial accounting. If you have a firm of a certain size, its finances are a matter of public interest, and therefore they hire an accountant to come in and do an annual accounting assessment by generally accepted accounting principles. And one of the accounting firms puts out a letter which reports on the financial health of the company.

We may be getting there for cybersecurity. And in fact, the large accounting firms already have cybersecurity accounting practices, where they will come in and do an assessment.

And the benefit of it is that the company gets to choose the firm it wants, and the firm does not give a blueprint for how the bad guys can get in and describe what’s going wrong. But the outside world gets a chance to know how secure you are and how seriously you’re taking it. And that may be where we’re headed.

MATT: Do you think there would even be a grade?

ART: Yeah.

MATT: So, restaurants have cleanliness grades when you see it in some – there might be some kind of score along there?

ART: Yes, yes, there could easily be. In corporate culture, you get an A, but in training you get a B-. You’re trying hard, but you’re not training your employees. Firewalls, backup systems; yeah, I mean, there could be grades given.

MATT: It would seem too if I’m a business looking for another business partner, that report card would be helpful for me too as a business to business.

ART: Not only that – not only that, but if you have a cyber attack, your chances of consummating a merger are significantly reduced. Your chance – you will lose customers and your chances of gaining new customers are diminished. Your stock price goes down, and 20% of small and medium-sized businesses that suffer a cyber attack go out of business.

So, the answer to your question – yes, if you’re working with another partner company and they have a cyber problem, that’ll affect your relationship, and businesses want to know: How are you doing?

MATT: I would want to know, absolutely.

ART: Of course.

MATT: That’s a scary stat if 20% kind of close their doors after one. But then we know upfront a fraction of the businesses in Connecticut are even doing anything about it. It would just seem the math is not in anyone’s favor there.

ART: Well, what you need to do is say, “What is essential in my business? If it were to be compromised or shut down, I’d be out of business. What is that? How do I protect that,” and to put a human backup to the systems you put in place so that a person can check this more regularly.

One of the great problems we have is someone will say, “I have a great software company,” or, “I have Sally as my chief information officer, and she is really bright and I’m sure that she’ll take care of it or the firewall will take care of it.” No, you need a more thorough system. What could go wrong and how do I defend against that, so that you know that when the attack comes, you’re going to be able to manage it.

MATT: Just in the state of Connecticut, businesses that we see, are there any unique risks you would say that Connecticut faces compared to other states at all?

ART: Yes. Our unique risks are also ones that are defended against, and they’re especially in the defense industry – Electric Boat, General Dynamics, United Technologies, Sikorsky. The plans for the F-35 strike fighter – joint strike fighter, the Aegis Antimissile Ship Defense System, the Black Hawk helicopter – the Chinese have stolen all of those.

So just simply by intellectual property theft or systems theft, I mean, they’ve already been damaged. And those companies know it. They take cybersecurity very seriously and they have extremely sophisticated systems to defend against it.

So that plus just simply business compromise, they have the whole root of everything I just talked about, plus they screen their employees, they talk to other defense companies about common threats, and they have structured ways of dealing with the U.S. intelligence agencies to know of incoming threats.

So, the answer to your question is: Because we’re a heavy-defense-system state, yes, those are serious threats coming in. We also have very good defenses in those companies.

Now, the new area is the supply chain, and Connecticut is supplied with supply shops – machine shops and so forth. We’re suppliers to the defense industry. And more and more they’re going and saying, “What is your cybersecurity plan? How do I know, in buying the widget that you’re going to put on this submarine or this jet engine, that it is okay? Let’s go – let’s take a look at the cybersecurity protection plan for your company and for your products.”

And that’s a huge incentive because they can say, “Look, there are four manufacturers of this product. If your system is not adequate, there are three others I can go to.” Well, that’s an incentive for somebody to say, “I’m going to take cybersecurity seriously.”

MATT: Shifting gears a little bit, same type of question around our municipalities, local governments, how vulnerable do you feel they are?

ART: The history shows …

MATT: We hear about W2 fraud, but …

ART: No, the history shows they are vulnerable. Now, five or six years ago, you wouldn’t have put cybersecurity and municipality on the same page. They are now and they know it. I think the – and towns in Connecticut have been hit with ransomware attacks. Now, almost every person I know of, especially every mayor or every CEO: “I will never pay ransom, I will not deal with, I will not negotiate with a terrorist,” and so on.

Now, put yourself in the position of a mayor or a town manager. You’re delivered a notice that your communication system, your operating systems are shut down. The key to restore it will cost two Bitcoin – say, $10,000. The gut reaction is, “I’m not going to pay it, I want nothing to do with these guys.”

Okay, fine. You are not able to respond to fire calls, your police cannot respond to emergencies, your ambulances cannot go to houses. As mayor, do you really want to be responsible for deaths, for fires in houses, for ambulance – for not being able to respond to a car accident or something? And once you take into account all the things that could go wrong, inevitably, they turn around and they try to negotiate and resolve it.

MATT: Kind of back to the point of people not taking this as seriously as they probably should, do you think people just don’t get that it is entirely possible for a town to be taken over and emergency services held hostage?

ART: That’s one factor. The other is, “It’s not going to happen here.” That they’ve never heard of that happening in their town or in surrounding towns. They don’t know that we’ve already had a bunch of them in Connecticut.

But – and the other is, “If it happens, it won’t come to me, it won’t be this town.” Now, the solution, I think, has to be regional. There are a lot of small towns in Connecticut that don’t have information officers and they don’t have the resources, and property taxes are too high here and they’re under real budget control.

The Capitol Region Organization of Governments knows about this. The solution needs to be regional because a lot of small towns don’t have chief information officers.

MATT: Sure, and why would they?

ART: Right. Or if they do, they don’t have a cybersecurity officer. But you can make this resource available for the towns and to come in and check what your defense system is, how you can bolster it.

But I think you’re right that for a lot of towns this is new, it hasn’t happened before, “We have a tight budget, maybe we can get by without investing in it.” And then something bad goes wrong.

MATT: It would just be a real shame if someone actually got hurt and it was …

ART: Oh, yes, yes. No, one – two things I found are very predictable. One is everyone does not want to pay ransom or negotiate with a terrorist or whatever. Once the attack actually happens, I’ve not found somebody who has not wanted to deal with them.

There are insurance companies and law firms who can help resolve that for you. I know of a small business in Connecticut – small, medium-sized – had really good insurance – I mean, a top insurance company; did not have a very good cybersecurity defense program, and they were ransomed, they got hit, shut down.

They called the insurance company right away. They said, “You will have a call back from a boutique law firm that’s going to manage this for you right away. Don’t do anything until you…” And within 15 minutes, they had the call. They shut down all their computers.

That law firm managed the reconstruction and the – all the things they should have done beforehand, but they had to do, to bolster their defenses. And that law firm negotiated with the ransom demanders.

And they’ll tell you, “This ransom demander is only a 50/50 chance that they’ll actually set it up,” because they can shut things down but they’re not very good at turning them on again.

MATT: Turning it back once they have your money.

ART: Right. So, you – and you in paying them would take a 50/50 chance of actually being turned on. Turned out, they said, “This is a fairly reliable bad guy.” So, they paid the money and they were reinstalled right away. They shut everything down, they completely rewired the whole system, put in real defenses, and it was taken care of. That’s just one case study I’m telling you about.

MATT: Do you have any idea how much it costs to do the cleanup part of it?

ART: It’s stuff you would have, should have done anyway in the first place. It depends on the system, depends on the size of your company. But look, we’re – if you’re going to have a computer and if you’re going to use the internet and you’re going to be part of the digital age, and every company has to, then you have to take defense into account. Otherwise you’re on borrowed time and considerable danger is possible.

MATT: So back to the action plan, what’s kind of the timeline and a process for enacting the plan? What’s that look like?

ART: Right. Well, it’s in motion right now, and we’re trying to deal with all of them. For the state governments, our state government is a bit of a confederacy. Each commissioner manages his or her own cybersecurity.

Essentially, the Department of Administrative Services has plans and has programs that they can share. We have some parts of Connecticut government that are really up to speed, they are in very good shape; others less so. And the more you have exposed – for example, if you have – if you manage tax information, health information, Social Security Numbers, generally, the more sophisticated you are.

We are trying to see that each section of Connecticut State Government is up to speed, and we’re also doing – we’re making testing available. And the Department of Administrative Services is available to come in and help you with your upgrades. The Judicial Department is separate, as is the legislature. So, they’re in the business right now of going through and trying to upgrade, doing scorecards, doing penetration testing; the same with municipalities.

So, it’s in plan right now, and unfortunately, all of this is being done at a time when resources are very, very scarce.

We identified in Connecticut the need for more intelligence on cyber threats and investigation of cybercrimes. And the state police is starting to do that. They already had the rudiments of that in place. They’re increasing their manpower, they’re increasing their attention to it, and they are processing and analyzing more intelligence and they have more officers dedicated to investigating cybercrimes as they take place. Those officers can also work with municipalities.

So, there’s an example of the action plan building on the strategy to provide tangible results for the people of Connecticut.

MATT: So, Connecticut state police has dedicated officers and investigators where their sole task actually is cybercrime?

ART: That’s right, that’s right. The analogy I like to use is: If you’re at home and somebody is running around the backdoor at night and is rattling the door, you call the police. And the chances are, they’ll be there very, very fast.

MATT: They kind of know what to do.

ART: They kind of know what to do, right. Now, you’re a small business. You see somebody trying to get into your computer to steal your money. Who do you call?

MATT: I wouldn’t know now, but logically, the police, right, when someone’s trying to steal something?

ART: The answer is you can call the Secret Service or you can call the FBI. But if you’re – and if you are a major bank, you already have relations with them, and they’re there right away. If you’re a local retailer or a law firm or a real estate agent or a local business, there’s not much the FBI and the Secret Service can do. They appreciate having the information, but they’re not going to be jumping in to take care of you.

We need in Connecticut somebody in Connecticut who can say, “The same thing happened in the next town over” and so forth and to be able to help you, to build your defenses, to report the crime to try to find out who did it. And that has to be a state, regional, and local function. And yes, they’re putting that in place and they’re starting to work on that.

MATT: In closing, what would you say for some last pieces of advice or the most important thing you could share with either businesses, municipalities, the general public here in Connecticut?

ART: Yes. If the service, the product that you’re managing is important to you, defend it. You have to defend it. What would happen if you were no longer able to do the following: in a town, manage emergency services; in a business, deal with customers or produce your product; in state government, protect the private information of individuals?

If that were to be compromised, would it be a serious matter? The answer, of course, for those I’ve cited is yes, and there are others. If so, then you need to take protection against them seriously. Do what you can yourself but get outside help.

MATT: Sure, that makes sense.

ART: And look at all the ways in which this could be protected. And then beyond that, if it were to be compromised, what would you do? And run a drill, rehearse so that if it does happen, it’s not the end of the world, you can recover as quickly as you possibly can. That would be my message.

MATT: Well, Art, thank you, so much for being here. I really appreciate you taking your time out.

ART: It’s a pleasure, Matt. Let’s do it again.


About Matt Kozloski

Matt is the VP, Professional Services at Kelser as well as former leader of the CT VMUG. VCDX #194, CISSP #526947.
