Fort Wright mayor Dave Hatter has asked Kentucky lawmakers to examine cybersecurity intently statewide and consider using Ohio’s security efforts as a model as hackers ramp up attacks on public and private networks both inside and outside the commonwealth.
Hatter—a cybersecurity professional at Cincinnati-based Intrust IT—testified before the legislative information technology oversight board Wednesday about what’s happening in Ohio and how Kentucky could duplicate the Buckeye State’s efforts. He said Ohio has taken what he called a “whole government approach” to thwart cybercrime and other security threats, which are on the rise.
Ohio has formed the OC3 or Ohio Cyber Collaboration Committee – a public, private, military and education cybersecurity infrastructure effort overseen by the Ohio Adjutant General that has led to the creation of the Ohio Cyber Range, what the OC3 has called “a virtual environment used for cybersecurity training and technology development.” Kentucky should consider a similar approach, Hatter told the oversight committee, chaired by Northern Kentucky Sen. Gex Williams, R-Verona.
“I know in Kentucky we have 120 counties and over 400 active cities,” Hatter told lawmakers. “Just the critical infrastructure they control alone would benefit greatly from some sort of program like this in Kentucky,” he said, referring to OC3.
The OC3 hopes to stem malware attacks in Ohio with collaborative cybersecurity testing, training, increasing the cyber workforce, better governance and a better-informed public.
Kentucky has recently been hit by at least two cyber attacks. The most recent was in July when hackers stole 47 gigabytes of data from the Jefferson County Clerk’s Office and forced the clerk’s office branches to close for days. A Russian hacking group called RansomHub has claimed to be behind the attack. Then, last November, a ransomware attack on Campbell County Schools affected schools districtwide.
Campbell County Schools superintendent Dr. Shelli Wilson told the information technology oversight board in a Feb. letter that the “attack affected every department and building: HVAC, door access, wireless networks, communication system, payroll, copying and printing, etc.”
A ransomware group called Medusa took credit for the attack.
The attack, Wilson said, showed that K-12 schools in Kentucky need a cyberattack response team, annual cyber antivirus training, “frequent DNS examination and reports provided to district CIOs (chief information officers), and funds for K-12 appropriate audits.” DNS is an acronym for Domain Name System, which turns a domain name – like LINKnky.com – into a loadable website.
Some cyber disruptions however are caused by errors and glitches, not hackers. A bad software update is blamed for a massive worldwide cyber crash last month that upended government agencies and critical industries including airlines, hospitals and banks. Multi-million-dollar lawsuits have since followed against the cybersecurity firm CrowdStrike, the company responsible for the update.
Hatter said one way local governments can improve security right now is to change their internet domain from .com to .gov. Fort Wright recently switched its address to fortwrightky.gov for that reason. CISA, the federal Cybersecurity and Infrastructure Security Agency, will help qualified local governments make the switch, he said.
“Once I became aware of this program we switched to a .gov domain,” Hatter told the committee. “You have to go through a thorough vetting process. Which is part of the benefit. It creates additional legitimacy for your website, email and so forth once you have a .gov domain.”
Sen. Max Wise, R-Campbellsville, is a member of Williams’ committee. He called the OC3 concept, in particular, “really fascinating.”
“I look at what we have here in Kentucky. We have an (intelligence sharing) fusion center, we have an Office of Homeland Security, we’ve got everything for the National Guard. This is a great opportunity and it’s something that we as a committee need to keep pushing forth,” said Wise. “This is a no-brainer.”
The Kentucky Association of Counties has published a list of cybersecurity tips for organizations, culled with help from the Kentucky Office of Homeland Security and CISA. Here are a few:
- Make cybersecurity a priority throughout your agency or organization.
- Use multifactor authentication for remote access and cloud services.
- Back up critical data and test the backup.
- Turn on automatic updates for operating systems.
- Take advantage of free cybersecurity services from the Multi State Information Sharing and Analysis Center.
- Conduct cybersecurity awareness training for staff, including reminders about secure passwords.
- Have an incident and disaster recovery plan.
Hatter ended his testimony before lawmakers Wednesday with some words of wisdom and a bit of a warning.
“As family members, as employees, as citizens, you know we are not just protecting our family pictures or our bank accounts,” he said. “This stuff is all interconnected. And the bad people are very smart and very devious and they will steal your money and shut down your electric grid if you make it easy for them.”