Have they tried turning the state off and then on again?
Not only did criminals manage to steal around $600 million from the state's unemployment insurance system last year, but an investigation into that fraud was itself hacked, with unknown parties stealing the personal data of 1.6 million Washingtonians. That might've been prevented if the state had implemented reforms in a shoulda-happened-years-ago bill just approved by the Senate. (A previous version of this blog post conflated the two breaches.)
Right now the systems that hold your vital government data are a bit like the computer your parents ask you to "take a look at" when you go home for Thanksgiving — distressingly out-of-date, with so many holes it looks like the bathroom at Pony. The just-approved bill, SB 5432, would fix that by centralizing security policies in the state, rather than fracturing them among departments, and by establishing rules for handling "incidents," which is a nice way to describe getting shook down for $600 million.
It unanimously passed the Senate last week and now heads to a committee in the House, accompanied by a loud sigh of relief from cybersecurity experts who have been waiting for reforms like these for a long, long time.
Security experts called in to testify enthusiastically in favor of the bill — but others in the industry have cautioned that beefing up security can backfire if done poorly and that safer systems can involve tough choices.
"You could start denying everything, worried that it's fake," says Alex Gounares, CEO of Seattle cybersecurity firm Polyverse. "Or turn down a legitimate request from a family in need, and a kid's going to go hungry. ... If you have to choose between a chance of fraud and helping out a kid, I'm going to help out a kid."
"There really is no truly secure network," says Chad Anderson, a senior security researcher at Seattle-based DomainTools. "Really dedicated adversaries can find some way in."
And although the state's UI system was a high-profile target, it's almost certainly not the only one that's been compromised. Other departments are likely operating a patchwork of out-of-date software as well, to say nothing of private workstations that may be used for future attacks ... including the one on which you're reading this article.
"Everybody thinks about a virus," Alex says, but modern threats aren't like that anymore. "They're kind of mind-control. ... they use the programs that are already on the computers."
For example, your desktop machine may seem like a low-value target to an international criminal ring. (That's not a personal reflection on you, I promise.) But a hacker in Moscow, let's say, probably knows that their traffic will look suspicious to an American network. So they'll hijack your computer without your knowledge, re-routing their attack to look like it's coming from Washington. Essentially, sophisticated modern criminals are using your good reputation.
So what's to be done? Well, the centralization of SB 5432 is a good start.
"I would probably sit down and do threat modeling," says Chad, with a strong eye towards ransomware (which locks the victim's machine until a ransom is paid) and fraud. "We lost a lot of money with the unemployment scams. I'm sure we'll be seeing more of that with small business loans as we rush to get our cities back to normal."
Alex's company Polyverse recommends a security model known as "zero-trust security," which essentially treats all traffic as suspicious even if it looks legitimate. He also recommends streamlining the process of updating software, since out-of-date systems were what allowed hackers to access the unemployment system. And, he says, tech companies should be liable for flaws in their products, just as a car or food company is responsible for meeting minimum product safety standards.
"If you buy a car, you can be pretty confident the car is pretty safe," he says. "You don't have to be an automotive engineer to run and manage your car. Why do you have to be a computer expert to run and manage your computer?"