The BDN Editorial Board operates independently from the newsroom, and does not set policies or contribute to reporting or editing articles elsewhere in the newspaper or on bangordailynews.com.
A fire in Utah recently caused temporary website failures for several towns in Aroostook County. If anyone needs a reminder of how interconnected and potentially vulnerable our systems are in the digital age, here is one that simultaneously covers thousands of miles and hits close to home.
It was a cascading event that started with a generator fire at a datacenter in Ogden, Utah. A Bath-based data hosting company used that Utah facility for data storage. A Presque Isle-based website developer uses that Bath company. Several Aroostook County towns use that Presque Isle developer for their websites. Towns had to revert back to older versions of their websites.
Now, this instance was not caused by a cyberattack. And it doesn’t seem to have resulted in debilitating or prolonged website failures (at least one of the town clerks reported her town’s website coming back online quickly). But it emphasizes the importance of safeguarding online systems against disruptions, both accidental and deliberate.
In other recent Aroostook County news, the Presque Isle Police Department was targeted in a ransomware attack. Cyber criminals hacked the city’s server and threatened to release police data on the dark web unless they were paid a ransom. There was even a dramatic countdown clock on the hackers’ dark web site. The City of Augusta was hit with a similar attack in 2019, and decided to rebuild its system rather than pay a $100,000 ransom.
In February, hackers accessed the system of a water treatment plant in Florida, and temporarily changed chemical levels in the town’s water. Though a plant manager reportedly noticed the hack quickly and averted any major damage, the attack highlighted worrying local gaps in cyber preparedness.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” according to a joint cyber security advisory from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency and the Multi-State Information Sharing and Analysis Center.
At the federal level, a recent sprawling hack of several U.S. government agencies has been linked to Russian intelligence. By attacking Texas software-maker SolarWinds, the hackers were able to access roughly 100 U.S. companies and approximately a dozen government agencies, according to NPR. Both the scope of this hack and the security gaps it has exposed are alarming.
“Our adversaries have been knocking on digital doors now for more than a decade, with increasing frequency. These attacks are coming from new corners of the globe,” New York Times cybersecurity reporter Nicole Perlroth told WBUR in late April.
The types and sources of threats in cyberspace are diverse, they are being targeted at all sorts of institutions and infrastructure, and they are evolving. Policies to combat them must evolve, too.
This winter, Congress overcame a veto from former President Donald Trump to pass the National Defense Authorization Act for fiscal year 2021, which included several valuable cyber policy updates recommended by the Cyberspace Solarium Commission. Maine Sen. Angus King is a co-chair of that group. Perhaps the most important of these updates was the creation of a national cyber director position to provide centralized leadership on this critical, sprawling issue.
Chris Inglis, who has been a member of that solarium commission, has been chosen by President Joe Biden to serve in that role, though Inglis still needs to be confirmed by the Senate.
“As our adversaries’ attempts to probe our networks become bolder, the need for a leader with statutory authority to coordinate the development and implementation of a national cyber strategy to defend and secure everything from our hospitals to our power grid could not be more clear,” King said in a joint statement with other solarium commission members in April. The members applauded both Inglis’ nomination and the nomination of Jennifer Easterly to be CISA director.
As King told WBUR, cyber policy responsibilities have been “scattered all over the U.S. government” with “no central coordination.” The alphabet soup of agencies included in the joint cyber security advisory related to the Florida water treatment plant attack speaks to that fact.
The Senate should act quickly to fill the important leadership roles, particularly the new cyber director position, that can help provide more direction and structure to U.S. cybersecurity efforts. As we’re increasingly seeing, this national issue has local impacts.