Hard Cyber

How does a state like Idaho gird itself against the international scourge of hackers?

Hackers hit government websites in Idaho, among other places, with messages in support of the Islamic State.

For the record, most Idaho state treasurer messages don't start with the black flag of ISIS. And as a general rule, the message on the page uploaded to the Idaho State Treasurer's Office website last month wasn't the sort endorsed by Idaho State Treasurer Ron Crane.

"You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries," it said. "I Love Islamic state."

The hackers didn't need a password. They didn't need a big network of bots to breach the firewall. All they needed was the knowledge of a flaw in the system: A vulnerability in the state's third-party content management system allowed files to be uploaded directly to the site without permission.

And it wasn't just Idaho. The hackers hit Washington state's Department of Health, as well as sites for Maryland's Howard County and the town of Brookhaven in New York.

Idaho's treasury department managed to prevent the hack from automatically taking over its home page. Most visitors to the site wouldn't even know it was there. But others, like the state of Ohio, weren't so lucky.

"Wake up freedom-loving Americans," Ohio Treasurer Josh Mandel wrote after the hackers publicly hit the Ohio Department of Rehabilitation and Corrections' website with the pro-ISIS message. "Radical Islam infiltrating the heartland."

But Lance Wyatt, acting chief information security officer for the state of Idaho, says that as hacks go, this one was unsophisticated.

"It was the equivalent of digital graffiti," says Wyatt. "It's pretty minimal. No data was exposed or harmed."

Two years ago, Idaho Gov. Butch Otter created a cybersecurity task force — including Lt. Gov. Brad Little — to examine the state's existing vulnerabilities to hacks and cyberattacks and figure out ways to fix them.

In January, Otter issued an executive order to implement the recommendations. In the meantime, hackers are getting more sophisticated.

The barbarians, so to speak, are always pounding at the gates.

SWORDS AND SHIELDS

"On a regular basis, moment by moment, we experience several hundred thousand attacks that hit our firewall," Wyatt says. After all, he says, the entire internet knows where the state of Idaho is. And there are plenty of potential threats.

There are distributed denial-of-service attacks, where hackers summon an army of infected computers — and sometimes internet-connected DVRs, digital cameras or smart fridges — and use it to flood a network with enough traffic to bring it to its knees.

Then there's credential harvesting. Say, instead of replacing a government home page with grammatically suspect ISIS propaganda, a government login page is replaced with what appears to be a government login page. When you enter your personal information, a hacker gets it instead of the government.

Wyatt says that Idaho is able to combat some of these sorts of attacks on its websites by replacing the sites continually; malicious manipulations are swept away in the reset. Security technology is getting better as well.

"Next-generation firewalls are getting sophisticated enough where these smarter firewalls don't even acknowledge the [dangerous] traffic," Wyatt says.

But the best firewalls can be very expensive, and Wyatt is well aware that in the battle between hacker and security, security experts are behind the curve.

"We've had 40 years of the internet, [where] it's all about making it accessible and making it something people can use," Wyatt says. The internet has been about openness and connection, not protection.

Idaho has to worry about more than its own servers. Last year, hackers broke into Active Network, a third-party vendor used by Idaho Fish and Game, potentially compromising the information of 780,000 people who bought Idaho fishing licenses before July 2007.

In the future, Little says, it's crucial that Idaho mandates data protection in any contracts with third-party vendors.

Cities and counties are also vulnerable to attack.

Take a small Idaho county of about 45,000 just north of Pocatello. Writing for EastIdahoNews.com, Stephan Rockefeller lays out how, in February, Bingham County was hit with a hack from servers in the Netherlands, Germany and Russia. The hackers encrypted large amounts of county data on their own servers. It wasn't just the county's website that went down — it wreaked havoc on the county's computer system that helped dispatch police officers to emergencies.

The hackers littered the county's servers with links to a ransom note. Want your files back, it said? Pay $28,000 — in hard-to-track cryptocurrency Bitcoin — in exchange for the password to decrypt the files. Think of a burglar who, instead of making off with your TV and jewelry, changes the locks on your house, then makes you pay for the key.

"Ransomware is one of the bigger concerns, because it's one of the largest attack vectors right now," Wyatt says.

Ideally, there's an easy way to combat ransomware. Keep backups of everything, and make sure that your backups remain protected from the virus.

"There's a whole procedure that you follow to maintain a healthy backup environment," Wyatt says. Ideally, all you have to do is flip a switch, and the infected files are flushed away and replaced by clean copies. But as a small county, Bingham couldn't afford to pay for the storage space to keep all its data backed up.

So the county decided to pay a partial ransom to unlock data that hadn't been backed up. In this case, the key Bingham County received was valid and its data was released. (Some ransomware hackers take the money and run, leaving data encrypted.)

But the choice to pay up could put Bingham County at greater risk in the future.

"If you pay it, you get marked as someone who pays," Idaho-based Computer Arts contractor Adam Michaelson told Rockefeller. "And so you start becoming a target for other people. Or the same people."

DEFENSE GRID

Part of the state's new cybersecurity strategy, Little says, is to help Idaho's cities, counties, school districts — even public utilities — secure their systems. Protecting locally owned utilities is a particularly high priority.

"If you have one of these tough winters and you have the grid blow up somewhere, that's serious, serious stuff," Little says.

Stephen Heath, vice-president of Security Services with Spokane-based IT consulting group Intrinium, says the risk to industrial control systems is one of the things that concerns him the most about hacking.

"Like water, power, those types of things," Heath says. "Data gets stolen? People's data has gotten stolen a lot. If the water doesn't work for a few days, that's a catastrophe."

At the end of the month, Idaho is bringing in retiring Air Force Col. Jeff Weak to serve in the state's newly created role of Director of Information Security to help bring about changes statewide.

"He did cybersecurity for NATO," Little says.

The governor's plan will force agencies to adopt nationally recognized security controls, create a central cybersecurity website for sharing intelligence, and conduct annual tests that attempt to breach the state's defenses. Crucially, it will put every Idaho state employee through a new, annual cybersecurity training regimen tailored to their specific roles.

"Anyone who logs on to a state computer is a risk if they're not trained properly," Little says. "Most of the cyber intrusions are the result of somebody clicking on a phishing expedition or something else."

Ultimately, the fact that the government interacts with the public makes it vulnerable.

"It's equivalent to leaving your car parked out on your street overnight," says Wyatt. "Just the fact that it's out in the public, someone could do something to it." ♦