When President Joe Biden told business leaders recently that it was their “patriotic obligation” to protect their networks from likely Russian cyberattacks, security officials in Arizona agreed with a nod – and a shrug.
“It’s kind of like preaching to Noah about floods,” said Frank Grimmelmann, CEO of Arizona Cyber Threat Response Alliance Inc. “Our members were notified months ago to be on high alert and to be aware that that threat is coming.”
And for many, the threat is already here.
Since the invasion of Ukraine in late February, Russian attempts to “attack multiple government agencies” through cyberwarfare have increased in response to U.S. military aid to the Ukrainians and economic sanctions against Russia, Arizona officials said.
Biden, in a March 21 speech to the Business Roundtable, said that Russia has its back against the wall and can be expected to employ more severe tactics against the U.S., including “malicious cyber activity.”
Lester Godsey, chief information security officer for Maricopa County, said, “Given the current war in Ukraine, we have seen a direct correlation with increased attempts by Russia with regards to trying to access networks and things of that sort.”
Maricopa County has thwarted those cyberattacks so far, and Godsey is confident the county can continue to defend itself against further attempts. But he and others say that – short of unplugging entirely – 100% security is impossible to guarantee and that vulnerabilities do exist, even for systems that are on high alert.
One challenge is the number of systems that need to be protected. Godsey said federal, state and other local governments have evidence of similar, deliberate cyberattack attempts by Russia.
“Government agencies interact with each other all the time, you know, on a daily basis,” Godsey said. If attackers are successful at “circumventing security from one organization, it increases the likelihood that then they can use that to their advantage to gain access to other organizations.”
But government agencies aren’t the only ones at risk of being targeted.
Businesses, particularly those in critical infrastructure sectors, are being told to stay vigilant against Russian cyberattacks. Recent successful breaches of U.S.-based companies, like SolarWinds and Colonial Pipeline, exposed just how devastating, inconvenient and costly those attacks could be for both organizations and consumers.
Another vulnerability is staffing. The increase in cyberattacks comes at a time when as many as 16,000 information technology jobs are unfilled in Arizona, with about half of those being cybersecurity positions, Grimmelmann said.
“And you can’t just simply produce people overnight,” he said. “The problem is you can’t change everything overnight, and money alone is not the solution.”
The challenge is particularly acute in rural areas where businesses and government agencies have an even harder time recruiting highly trained personnel. That can make them “a bigger target and a bigger concern in order to protect,” said Michael Lettman, with Region 9 of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“And the reason why is because many large organizations, large cities, large corporations, have a lot of resources and a lot of people to help them defend themselves,” he said.
It was not until this year that Navajo County was able to hire a cybersecurity officer, said Ken Dewitt, the county’s IT director. But officials said the new hire does not mean the county has relaxed training for its employees, who still go through a certain amount of training every year and conduct vulnerability tests every month.
“We share that responsibility rather than putting it into a core group of people,” said Jeff Lineberry, Navajo County’s recently hired cybersecurity officer. “We share that with every employee from the top on down.”
That is a theme that was echoed by all the experts, who repeated the mantra that “cybersecurity is everybody’s responsibility.”
Organizations such as Grimmelmann’s ACTRA work with the public and private sector to strengthen their collective defense. Member organizations share and exchange information on the types of cyberattacks they encounter, in addition to crowdsourcing potential strategies that are both preventative and defensive.
“The bad guys don’t care who they attack and who they compromise,” Lettman said. “Because it’s going to make the headlines to say that there was an attack on Arizona.”
Grimmelmann said the threat is straightforward, and so is the response: Vigilance, collaboration and preparedness are needed to fend off increasingly sophisticated cyberattacks.
“The mission is very simple: We need to work together to defeat a very capable adversary, particularly given the complex environment and the interdependencies that we all depend upon today,” he said.