Local governments, including counties and municipalities, face unique cybersecurity challenges that can too easily disrupt the delivery of mission-critical services. With continuous threats of ransomware and other malicious attacks to derail day-to-day municipality function, like water infrastructure, waste management and more, the security of these entities is of top national priority. Here, we talk to Mike Hamilton, CISO for government cybersecurity firm, CI Security, about the biggest threats to the U.S. critical infrastructure.

Security magazine: What is your background?

Hamilton: I am a high school dropout with 14 years of postsecondary education, ten of which were at the University of Southern California where I earned degrees in Geology, Chemistry, and Oceanography. I transitioned into information security while working as an Ocean Scientist at the Jet Propulsion Laboratory – developing algorithms to measure Carbon uptake by the ocean from space. I started a company in 1995 selling and supporting hand-rolled firewalls for clients in Southern California. That turned into independent contracting and consulting, after which I went to Guardent – a start-up that built one of the first MSSP operations. Guardent was acquired by VeriSign and I became the Managing Consultant. In 2004, I became the CISO of the City of Seattle – a position I held for 7.5 years. During that time, I founded a grant-funded regional monitoring project for local governments in the Puget Sound area and served as the Vice-Chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council. CI Security started in 2012, while I served for two years as a Policy Adviser for Washington State government. The company is now 80 employees, and the regional monitoring project has become PISCES (Public Infrastructure Security Cyber Education System), which performs no-cost security monitoring for small local governments in return for using data collected from networks as “live fire” analyst training for (currently) five universities.

Security magazine: Currently, what are the biggest threats to the U.S. critical infrastructure?

Hamilton: In my view, the biggest threats are the effect of several conditions that are combined. First, the shift to extortion using ransomware, rather than stealing and monetizing records (PII, health, etc.). The second is the commoditization of tools used to perform this crime, including the as-a-service model. Additionally, the fact that many of our most critical organizations – local governments and the health sector in particular – do not have the funding to compete for human or technology resources. The combination of critical services provided, poor resourcing for IT security, and the inability to obtain qualified practitioners makes these organizations very attractive targets for extortionists. Finally, the threat of collateral damage from Nation-State events.

Security magazine: Which sectors are most at risk?

Hamilton: Those sectors that cannot withstand any operational outage are those most at risk. This can be due to severe financial loss such as in manufacturing, outage of critical services as in the health sector, or deep pockets for paying ransom. Additionally, it has been reported that threat actors are obtaining information on insurance coverage and the parameters under which extortion demands will be paid, and specifically targeting the customers of those companies with a history of paying out.

Security magazine: How can cyberattacks, such as ransomware, easily disrupt the delivery of mission critical services and of critical infrastructure?

Hamilton: By rendering computers inoperable through encrypting the data they process, there is complete disruption of operational continuity. If the infrastructure disrupted provides life-safety, life-sustaining, or quality of life services, the impact is not only potentially loss of life but loss of trust in our ability to continue to reliably provide these services – which will notably be focused on the failure of government.

Security magazine: What are ways to improve the cybersecurity of critical infrastructure services?

Hamilton: By focusing on monitoring and detection of aberrational events on the network, on endpoints, and in the cloud it is possible to manage the risk of what is a foreseeable event. Attacks against infrastructure are occurring constantly, and most do not end up disrupting operational continuity. The difference is the ability to detect when an asset has been compromised and quickly mitigate stop further damage. Investing in endpoint products that allow for remote quarantine and investigation and products and services that support detection and response, cybersecurity events may become less profitable for criminals. 

Security magazine: Are there specific frameworks or exercises that can improve the cybersecurity of these services?

Hamilton: Conducting tabletop and functional exercises is a standard of practice and should be conducted at least annually, against a scenario that is more than a simple malware incident: Examples include (1) being disrupted by ransomware, (2) being identified as the source of incidents with your customers in a 3^rd party attack, etc. Further, the National Incident Management System (NIMS) is a framework around which you can manage incidents, especially those that may involve public communications, and legal and liability issues.