Have they tried turning the state off and then on again?
Not only did criminals manage to steal around $600 million from the state's unemployment insurance system last year; but an investigation into that fraud was itself hacked, with unknown parties stealing the personal data of 1.6 million Washingtonians. That might've been prevented if the state had implemented reforms in a shoulda-happened-years-ago bill just approved by the Senate. (A previous version of this blog post conflated the two breaches.)
Right now the systems that hold your vital government data are a bit like the computer your parents ask you to “take a look at” when you go home for Thanksgiving — distressingly out-of-date, with so many holes it looks like the bathroom at Pony. The just-approved bill, SB 5432, would fix that by centralizing security policies in the state, rather than fracture it between departments, and by establishing rules for handling “incidents,” which is a nice way to describe getting shook down for $600 million.
It unanimously passed the Senate last week and now heads to a committee in the House, accompanied by a loud sigh of relief from cybersecurity experts who have been waiting for reforms like these for a long, long time.
Security experts called in to testify enthusiastically in favor of the bill — but others in the industry have cautioned that beefing up security can backfire if done poorly and that safer systems can involve tough choices.
“You could start denying everything, worried that it’s fake,” says Alex Gounares, CEO of Seattle cybersecurity firm Polyverse. “Or turn down a legitimate request from a family in need, and a kid’s going to go hungry. ... If you have to choose between a chance of fraud and helping out a kid, I’m going to help out a kid.”
“There really is no truly secure network,” says Chad Anderson, a senior security researcher at Seattle-based DomainTools. “Really dedicated adversaries can find some way in.”
And although the state’s UI system was a high-profile target, it’s almost certainly not the only one that’s been compromised. Other departments are likely operating a patchwork of out-of-date software as well, to say nothing of private workstations that may be used for future attacks… including the one on which you’re reading this article.
“Everybody thinks about a virus,” Alex says, but modern threats aren’t like that anymore. “They’re kind of mind-control. … they use the programs that are already on the computers.”
For example, your desktop machine may seem like a low-value target to an international criminal ring. (That’s not a personal reflection on you, I promise.) But a hacker in Moscow, let's say, probably knows that their traffic will look suspicious to an American network. So they’ll hijack your computer without your knowledge, re-routing their attack to look like it’s coming from Washington. Essentially, sophisticated modern criminals are using your good reputation.
So what’s to be done? Well, the centralization of SB 5432 is a good start.
“I would probably sit down and do threat modeling,” says Chad, with a strong eye towards ransomware (which locks the victim’s machine until a ransom is paid) and fraud. “We lost a lot of money with the unemployment scams. I’m sure we’ll be seeing more of that with small business loans as we rush to get our cities back to normal.”
Alex’s company Polyverse recommends a threat model known as “zero-trust security,” essentially treating all traffic as suspicious even if it looks legitimate. He also recommends streamlining the process of updating software, since out-of-date systems were what allowed hackers to access the unemployment system. And, he says, tech companies should be liable for flaws in their products, just as a car or food company is responsible for meeting minimum product safety standards.
“If you buy a car, you can be pretty confident the car is pretty safe,” he says. “You don’t have to be an automotive engineer to run and manage your car. Why do you have to be a computer expert to run and manage your computer?”