Ahead of the Secure Iowa Conference in West Des Moines on Oct. 6, the Business Record spoke with the event’s keynote speaker, Dustin Carmack, a technology fellow at the Heritage Foundation, about the changing cybersecurity landscape, the need for better information sharing between the public and private sectors, and how the state of Iowa and its businesses can better prepare for the possibility of a breach.
From ransomware attacks focused on gathering intelligence, like the one on software company SolarWinds, to ones targeting supply chains, as in the Colonial Pipeline or JBS Foods attacks, all industries are vulnerable.
The conference comes on the heels of the recent hack of Iowa-based grain cooperative New Cooperative Inc., whose software powers about 40% of grain production and the feeding schedule of 11 million animals. Among other information, hackers of the Russian-linked BlackMatter group took source code for the co-op’s SoilMap product, which is used in soil testing and mapping. Carmack said that having both a prominent position in a supply chain and novel technologies makes an organization attractive to ransomware groups.
“Technology has done amazing things for yields and for production, but also it shows you when everything gets connected [it] eventually has massive vulnerabilities to understand,” he said. “We’re going to have to do a better job at really teaching folks up and down the line about maintaining and building good protections into their systems in the front end.”
The agriculture industry is not typically seen as a common victim of cyberattacks, but with the New Cooperative hack, that could be changing.
“People think of banks, they think of the financial sector, they think of the government, but they don’t think of your everyday farm system, and the thing is these commodity markets are rich. There’s a ton of money and trade that moves through the systems,” Carmack said. “Secretary [Tom] Vilsack, the head of the USDA, talked about how we need to double down on all of these different ag sectors, including these co-ops and others, and JBS, in the case of the meatpacking industry, need to do the same type of rigor that we’re doing for the pipeline, that we’re doing for the grid and electricity-wise.”
Fending off cyberattacks starts with cyber hygiene, Carmack said. Adopting password management, or eventually going passwordless, and integrating multifactor authentication are strategies he said need to be applied across industries.
Secure Iowa is free to attend and registration is open until Oct. 5. Walk-in registrations are also welcome on the day of the event.
This Q&A has been lightly edited and condensed for clarity.
Can you summarize what is unique about the recent ransomware attacks seen in the U.S.?
In terms of the Colonial Pipeline attack, that emanated out of Russian territory from a ransomware group that had popped up within the last year called DarkSide. … A lot of these ransomware groups have really taken off. It’s become a profitable business and it’s almost ransomware and hacking ability-for-hire. An everyday hacker or even a rudimentary cyber-capable person could take this off the shelf and be able to use this type of software and ransomware to be able to do attacks. A lot of times you don’t notice [these attacks] on an everyday basis because they generally go after libraries, small townships, small hospitals, schools, folks that either possibly have a lower level amount of cyber insurance, so they’ll just go ahead and pay the ransom, and usually the amounts are relatively lower amounts so it doesn’t raise a lot of eyebrows.
But Colonial kind of changed the paradigm a little bit in terms of the ransomware game in the sense that [DarkSide] attacked a pipeline that provided 45% of the East Coast, oil and gas up the seaboard, and in that case, they attacked the company’s actual information infrastructure, not the operation technology. But in that case, they were worried that it could bleed over because once they’re in their systems, you’re not sure, and a lot of times there’s very close interoperability between those systems. In that case, Colonial shut that down and they paid the ransom.
Why are more of these larger-scale attacks happening? What has changed in the cybersecurity landscape?
This is kind of where we look at the difference between a country’s espionage capability, and then trying to gather intelligence on U.S. economic interest, or U.S. government business versus straight-up economic exercises. But with SolarWinds, certainly what raised a lot of eyebrows there was — and this is considered essentially a blind spot in the United States — we have a very open network. China has a great firewall, very difficult to penetrate, and they will try to keep really tight controls over their civilization and population, as it relates to internet activity. A lot of these countries are trying to almost close their digital borders. The U.S. is very wide open, it’s great for us, technologically, it’s very great for us economically and innovation-wise. But in the case of SolarWinds, this was a campaign that I think it’s been reported that possibly thousands of people with the Russian government have worked on this campaign and built it over a long period of time and they simply took advantage of using a domestic U.S. company to emanate the attack. So that’s where kind of the game has changed.
You propose that responses to ransomware attacks can be improved if the public and private sectors work together. What could this partnership look like?
This is a debate that’s really raging right now. There’s differences between the Senate and the House a little bit on how they want to tackle this, but I think there’s bipartisan interest to look at it. This is something that we just don’t know what we don’t know, and the fact is, there’s a lot of unreported ransomware attacks, and then people just pay out. The cyber insurance industry is under consistent duress now because of the scale of these attacks.
In the case of breach notifications, what the Senate wanted to do, they said you must report [an attack] I think it was between 24 and 72 hours. A lot of times, though, depending on the size and scale of your organization … it may take a few days, and you may not have a good, accurate read on what’s exactly happening. So you want to give some flexibility, but you also don’t want to allow companies off the hook in the sense that they are not reporting incidents to law enforcement [because] they need to be able to spread the word to other organizations to be aware of for future attacks. The concern from businesses in the past has been “What about our proprietary information, and are we going to get sued for this because customers are going to say you lacked cybersecurity and caused me some kind of harm,” so we need some kind of liability protection. … I don’t think the government needs any more information than they absolutely need. What they really need is the technical detail. All of this is really helpful information for [the Cybersecurity and Infrastructure Security Agency], and the FBI and others to start to essentially build dossiers on understanding where these different enemies and the syndicates are operating from.
How can the state of Iowa and businesses and organizations of any size prepare for a potential cyberattack?
The thing is it’s more opportunistic for a cybercriminal to go after smaller organizations, public administrations such as a city, hospital or school for lower amounts of money but consistently get paid and not raise as many alarms, and that’s how they’ve been operating. That’s why every organization or school needs to have an understanding of what that rainy-day environment looks like and they need to do a good job of building relationships with their state and federal entities. What we also have to understand is that the FBI field offices that are based in the region, they will have an army that can go in and help you per se on a rainy day, and they can do a lot better, provide you a lot of resources, and can be a very helpful cog in the wheel, so that relationship needs to be built in many ways ahead of time to understand who to call, and have the opportunity to kind of keep constant engagement with them.
I think one area that I’ve been focused on is looking at how we are building our cyber workforces. There are things that can be done from just even the ability to press into our local school systems and our universities the opportunity to build technology. And the type of technology degrees. A lot of these cyber jobs, you don’t need some kind of cyber or computer science degree, you need to have the skill sets to tackle tough problems, and there’s tons of opportunity, and there’s tons of money to be made because every business needs it. We’ve got a federal workforce, that’s one thing I’m going to talk about too is the need to diversify our cyber workforce and understand what the impact of that is long term if we don’t start getting ahead of that ball, especially those other countries and nation states that are investing heavily.
From the National Guard standpoint, units in some states have actually defined cyber units now, and so one of the opportunities there is we diversify the federal workforce, and in the case of more local and state-based cyber attacks or campaigns, the ability of a governor or law enforcement to call up essentially people that may be working for local companies that have cyber backgrounds to be called up to respond in a case of a lower-level cyber incident I think would be huge.
You were chief of staff for former Director of National Intelligence John Ratcliffe before coming to the Heritage Foundation. What were your takeaways from that experience?
It was an amazing opportunity and a window into how vast and intricate our government is, but [also] how we ought to be working from the same song sheet and how there are still challenges and silos. ODNI [the Office of the Director of National Intelligence] was created, especially in light of 20 years since 9/11, it was created to knock down silos to be able to tackle the threat of terrorism. I think in many ways now, we need to make sure that we’re knocking down any silos, and I think there’s really good people trying to do this. But my worry always is that at times, [action] in the interest of doing something bloats the bureaucracy versus actually putting the lead on target of the problem. That was one thing that I saw, that we were trying to do a good job of breaking down those barriers, removing unnecessary bureaucratic structures, and giving the opportunity to get good counsel and wise decision making in a more quick fashion.