Hackers seized on the pandemic. Some states are fighting back
COVID-19 made its U.S. debut in Washington state, but the virus was only the first of several intruders to attack the state in the past year.
Last spring, cybercriminals breached the state’s unemployment system. Washington was one of the states affected by the massive SolarWinds hack, which was discovered in December. And in February, the state auditor’s office disclosed that fraudsters had exposed the personal information of more than a million residents.
“We have a serious governance and oversight problem,” said Washington state Sen. Reuven Carlyle, a Democrat who chairs the Senate Environment, Energy & Technology Committee. “The state auditor breach is historically serious, on every level. And we’ve had four or five major cyber incidents in the last year.”
Rocked by the massive SolarWinds hack, unemployment system breaches and other attacks, several states are trying to bolster their cybersecurity in the midst of the public health crisis.
“If there’s ever been a year to reprioritize and make sure your cybersecurity is taken care of, this is it,” said Forrest Senti, a vice president at the National Cybersecurity Center, a nonprofit think tank based in Colorado Springs, Colorado. “These attacks are precursors to what could happen if we’re not investing properly and doing training and listening to those who know how to deal with this. We don’t want cyber 9/11.”
Cyberattackers have forced states to take down websites, stolen $36 billion in unemployment payments and exposed millions of residents’ personal information to scammers.
In Washington state, lawmakers are proposing to centralize agencies’ cybersecurity practices. In Minnesota, they’re considering creating a joint legislative cybersecurity commission. In Maine, Democratic Gov. Janet Mills issued an executive order establishing a cybersecurity advisory council. And in Texas, state officials are teaming up with a private security company to provide cybersecurity defense services to state and local agencies, after a series of ransomware attacks.
Meredith Ward, policy and research director at the National Association of State Chief Information Officers, said attacks during the pandemic have brought more awareness to the need for stronger protections.
Cybercriminals have had new opportunities to disrupt, she said, whether it’s trying to target the supply chain or launch ransomware attacks on hospitals and health care systems.
“Unfortunately, the bad guys seize on every opportunity they can. That’s what we’ve seen during the pandemic and with these highprofile cyber incidents,” Ward said. “It’s brought attention to what state chief information officers and chief information security officers have been struggling with for a while.”
The SolarWinds espionage hack, which according to federal officials likely came from Russia, was one of the largest cyberattacks in recent memory. To access information, sophisticated cybercriminals hacked into and hid malicious code in a software update from SolarWinds, an Austin, Texas, technology company.
It was distributed to thousands of public and private sector customers in the U.S. Among them: Microsoft, Cisco and the U.S. Justice and Commerce departments.
Several universities were victims as well, including Iowa State and Kent State universities.
The hackers also hit Pima County, Arizona, where an official wouldn’t disclose the extent of the attack, but said there was no indication any data had been stolen.
At least three state governments were breached in the SolarWinds attack, Bloomberg has reported.
A spokesperson for the Virginia State Corporation Commission, which regulates utilities, insurance and other institutions in the state, later confirmed it had been one of the targets. Carlyle, the Washington state lawmaker, told Stateline that his state also was hit. The third state has not been identified.
Alerts from the federal Cybersecurity and Infrastructure Security Agency warned that the SolarWinds campaign posed “a grave risk” to federal, state and local governments, and private companies. The hackers had the “resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked,” the agency cautioned.
Brett Callow, a threat analyst for cybersecurity company Emsisoft, said these types of attacks are very hard to defend against because they come through organizations’ legitimate vendors.
Unlike ransomware attackers, who are motivated by greed, hijacking computer systems and holding them hostage until their victims pay a ransom or restore systems on their own, the SolarWinds hackers were out to get information, cybersecurity experts say.
Callow describes the SolarWinds hack as “possibly the most serious cybersecurity incident of recent times.”
Callow said many governments, hamstrung by other budget priorities, are reluctant to invest enough in cybersecurity. But with so many recent attacks, he added, that may be changing. “There’s a greater focus on cybersecurity now than there has been,” he said.
The SolarWinds attack wasn’t Washington state’s only cyber crisis this past year.
In late spring, Washington was one of more than a half-dozen states victimized in a massive fraud scheme in which cybercriminals struck unemployment systems, which already were overburdened with a huge influx of claims.
The fraudsters apparently used information about people they may have gotten from previous hacks to file fraudulent claims on behalf of those who hadn’t been laid off, without their knowledge.
A cybersecurity company linked the attacks to a Nigerian crime ring it nicknamed Scattered Canary. Washington state officials say they were scammed out of hundreds of millions of dollars in fraudulent claims. The ring also apparently hit Florida, Rhode Island and Wyoming, among other states, according to The New York Times.
In February, the U.S. Department of Labor announced $49 million in grants to 27 states to combat fraud in their pandemic unemployment assistance programs.
Nora R. Dannehy, the federal prosecutor who quit the U.S. Department of Justice investigation into how the FBI handled its probe of Donald Trump’s campaign connections to Russia, was named Monday as the top legal aide to Gov. Ned Lamont.
The hiring of Dannehy, who led the corruption investigation of former Gov. John G. Rowland in 2004 and then served as acting U.S. attorney and deputy state attorney, brings a highprofile legal talent into Lamont’s office at the midpoint of his four-year term.
“She joins my administration at a unique time in our state’s history as we fight the COVID-19 pandemic in what we hope are its final months, and having her counsel will be a tremendous benefit to our office, and the people of our state,” Lamont said.
She is a former colleague of the man she will be succeeding, Robert Clark, who has been nominated as a judge of the Appellate Court. Both were top aides to George Jepsen while he was attorney general.
“Nora has spent her career in both the public and private sector, and her time in government with the state of Connecticut and the federal government have earned her a reputation as a problem solver and a champion for the public good,” Lamont said.
Dannehy has had a storied career in Connecticut’s legal profession, most of it spent in government service, prosecuting complex white-collar crime and political corruption cases. She is the daughter and sister of judges.
After graduating from Harvard Law School, she began her own career in public service 30 years ago with the U.S. attorney’s office. In 2005, she represented the government in calling for Rowland’s imprisonment, arguing he had dishonored public service.
She was the acting U.S. attorney from April 2008 until December 2010, leaving to become Jepsen’s deputy. Three years later, she joined United Technologies as its associate general counsel and, later, as its chief compliance officer.
Her last federal post was as senior aide to John Durham, then the U.S. attorney, as he led the highly charged investigation into the FBI’s operation Crossfire Hurricane, an inquiry ordered by then-Attorney General William Barr.
The abrupt departure of the apolitical Dannehy in September, coming as the Trump White House was pressing for a pre-election “October surprise,” was interpreted by former prosecutors as evidence of political pressure by Barr.
Paul Fishman, the former
U.S. attorney for New Jersey, told USA Today: “To fellow prosecutors, Dannehy’s participation lent legitimacy to a probe whose purpose many questioned. Her unexplained departure in the middle of a high-pressure investigation is a huge blow to its integrity.”
Dannehy has not publicly commented on her resignation.
The job of general counsel to the governor often is one of political counselor as well as legal adviser. Gov. Dannel P. Malloy’s first counsel was Andrew McDonald, a former state senator who now sits on the Supreme Court, then the position was held by Luke Bronin, now mayor of Hartford.
Dannehy will not bring the same depth of political experience as those counsels or Clark, but her three years as deputy attorney general give her insights into state government and much of her career was spent in a world where there was no place for reticence.
As a federal prosecutor, Dannehy supervised agents from the FBI, ATF, DEA, IRS and other federal law enforcement agencies.