Cybersecurity was on the minds of local leaders at a recent meeting of the Kenton County Mayors Group, where Kentucky Sen. Chris McDaniel (R-Ryland Heights) shared his concerns about what he viewed as a lack of planning throughout the state.
“We’ve all seen enough cases of hacking or ransoms being held for data or this or that,” McDaniel said. “In the back of my mind, I feel like we’re kind of one very bad event–that I can’t define–away from everybody waking up one day and saying, ‘Oh, wow, we’re way behind on this.'”
McDaniels’ concerns echo the worries shared by other local leaders, some of whom are considering ways to build out strategies and plans to address what they see as a woefully underdeveloped cybersecurity infrastructure both in the region and in the state generally. People affirmed McDaniel’s concerns even at the same meeting.
“I think you’re spot on to be putting some attention in that direction,” said Kenton County’s Director of Homeland Security and Emergency Management Steve Hensley at the mayors meeting.
Hensley referenced a recent incident at the Kenton County Commonwealth’s Attorney’s office, where someone had secretly added Commonwealth’s Attorney Rob Sanders’ email address to an email list for the Secret Service.
Hensley didn’t share many details at the meeting, but LINK nky reached out to Sanders to learn more.
In spite of the meeting attendees’ worries, Sanders said that the incident Hensley referenced wasn’t a genuine cyber attack or threat.
“We were never breached,” Sanders said, “nothing along those lines.”
Instead, Sanders said, a disgruntled community member, whom the Commonwealth’s Attorney’s Office had dealt with in the past, had simply added Sanders name to a mailing list as a form of trolling. Still, Sanders shared others’ concerns about cybersecurity in Kentucky.
“We don’t have a lot of resources when it comes to internet crime,” Sanders said, particularly as it relates to consumer scams.
Internet crime comes in various forms. Sometimes it appears as schemes targeting specific people, such as phishing scams, where someone will use misleading or manipulative communications to convince a person to voluntarily give up their identifying information.
Crimes against individual people are bad enough, but many of the people who spoke with LINK nky were more concerned with large-scale attacks on institutions and key infrastructure like water and utilities. As McDaniel alluded to, these often take the form of ransomware attacks, where a hacker will encrypt an institution’s or business’s data, locking out the owners. The attacker will then demand a ransom payment in exchange for a decryption key, which will unscramble the data and allow the owners to use it again.
Campbell County School District was the victim of a ransomware attack late last year. Identifying and financial information for several employees were compromised in the attack, and the incident prompted the district to shore up its security systems. Another attack in May of last year against Louisville-based hospital system Norton Healthcare ended up affecting about 2.5 million people, according to a report from the Maine Attorney General’s Office.
“Anyone that has a computer that’s connected to the internet needs to be concerned about cybersecurity,” said Mark Bell, the cybersecurity outreach coordinator for the Ohio Cyber Collaboration Committee.
Bell works for the Ohio Adjutant General’s Office, which manages the National Guard in Ohio. The collaboration committee is a cross-institutional group that aims to address cybersecurity concerns in the state.
Fort Wright Mayor Dave Hatter, who has a background in IT, has recently been attending workshops and learning about the committee with an eye to perhaps replicating it for Kentucky. Hatter said that he was in the process of meeting with different local leaders to get some discussion going, although nothing official has occurred yet.
“If we could take what they’ve done and implement it, we’d be pretty good,” Hatter told LINK nky.
The collaboration committee focuses on several areas. Much of its work aims to build out Ohio’s IT and cybersecurity workforce, which Bell said is currently undergoing a shortage. He referenced an online tool called Cyberseek that measures data related to the cybersecurity sector. There are currently 2,071 job openings in the cybersecurity sector in the tri-state area, according to Cyberseek.
The committee also offers what they call the Ohio Cyber Range, a cloud-based training platform where students, professionals and researchers can run exercises against malware and other cyber threats to hone their response protocols and best practices without threatening other systems. The range is headquartered at the University of Cincinnati.
“Whether you’re K-12, career tech or higher ed, [the Cyber Range] allows those students to be in there making configurations, patching systems, responding to malware, inspecting, defending and recovering networks in a hands-on, real time way,” Bell said.
The final notable aspect of the committee is the Cyber Reserve, a network of volunteer, civilian professionals who can respond to cyber attacks if called upon. Bell compared them to members of the National Guard and volunteer fire fighters.
There are some agencies in Kentucky that deal with cyber attacks, including programs like the Kentucky Critical Infrastructure/Key Resource Protection and Planning program, administered throughout the Kentucky Office of Homeland Security. The program aims to create intelligence-sharing networks and emergency plans for cyberattacks on important infrastructure, but it’s an extension of a federal agency rather than a local one.
As a result, Sanders said, local agencies often had to appeal to federal ones, such as the Department of Homeland Security and the FBI, for help instead of something more local.
“We’re essentially at the mercy of the federal government,” Sanders said.
Hatter, for his own part wanted to see something more localized and accessible.
“It’s desperately needed,” Hatter said.
Check out some resources on cybersecurity agencies and best practices below: