At a recent meeting of the Kenton County Mayors Group, cybersecurity was a concern for local leaders, and Kentucky Sen. Chris McDaniel (R-Ryland Heights) said there was a lack of planning across the state. They shared their concerns about being seen as such.
“We've already seen plenty of examples of hacks and data being held to ransom,” McDaniel said. “Deep down, there's this feeling that there's one really bad thing happening that's hard to pin down until everyone wakes up one day and says, 'Oh, this is way behind us.'”
McDaniel's concerns are the same ones shared by other local leaders, some of whom are considering how to craft strategies and plans to address what they see as a woefully underdeveloped cybersecurity infrastructure both locally and statewide. People at the same meeting echoed McDaniel's concerns.
“I think the interest in that direction is spot on,” Kenton County Homeland Security and Emergency Management Director Steve Hensley told the mayor's meeting.
Hensley pointed to a recent incident at the Kenton County U.S. Attorney's Office in which someone secretly added U.S. Attorney Rob Sanders' email address to a Secret Service email list.
Hensley didn't share many details during the meeting, but Link Nkee pressed Sanders for more details.
Despite conference attendees' concerns, Sanders said the incident Hensley referred to was not a genuine cyberattack or threat.
“We've never been breached, we've never had anything like that,” Sanders said.
Instead, Sanders said disgruntled community members, with whom the U.S. Attorney's Office has dealt in the past, simply added his name to the mailing list as part of a campaign of trolling. Still, Sanders shared others' concerns about cybersecurity in Kentucky.
“We don't have a lot of resources when it comes to internet crime, especially when it comes to consumer fraud,” Sanders said.
Internet crime comes in many forms. Sometimes it can manifest as a scheme targeted at a specific person, such as a phishing scam, in which someone uses misleading or manipulative communications to convince an individual to voluntarily give up personal information.
Crimes against individuals are bad enough, but many people LINK nky spoke to were concerned about large-scale attacks on institutions and critical infrastructure, such as water supplies and public facilities. As McDaniel suggested, these attacks often take the form of ransomware attacks, in which hackers encrypt an institution's or company's data to lock out the owner. The attacker then demands a ransom payment in exchange for a decryption key that will decrypt the data and make it available for the owner to use again.
Campbell County School District was the victim of a ransomware attack late last year. The attack compromised the identities and financial information of several employees and prompted the district to strengthen its security systems. A separate attack against Louisville-based hospital system Norton Healthcare last May affected about 2.5 million people, according to a report from the Maine Attorney General's Office.
“Anyone who has a computer connected to the internet should be concerned about cybersecurity,” said Mark Bell, cybersecurity outreach coordinator for the Ohio Cyber Collaboration Commission.
Bell works for the Ohio Adjutant General's Office, which manages the Ohio National Guard, and the Collaborative Committee, a cross-agency group aimed at addressing cybersecurity concerns in the state.
Fort Wright Mayor Dave Hatter, who has a background in IT, has been attending workshops recently to learn about the commission with an eye toward replicating it in Kentucky. Hatter said nothing has officially happened yet, but he is meeting with various local leaders to move the discussion forward.
“If we can take what they did and do it, we'll be pretty successful,” Hutter told LINK nky.
The collaborative committee is focused on several areas. Much of its work is aimed at boosting Ohio's IT and cybersecurity workforce, which Bell said is currently experiencing a shortage. He pointed to CyberSeek, an online tool that measures data related to the cybersecurity field. CyberSeek said there are currently 2,071 cybersecurity job openings in the tri-state area.
The commission also offers what it calls the Ohio Cyber Range, a cloud-based training platform where students, professionals and researchers can conduct exercises against malware and other cyber threats, honing response protocols and best practices without compromising other systems. The range is headquartered at the University of Cincinnati.
“Whether it’s K-12, career tech or higher education; [the Cyber Range] “Students will be able to create configurations, patch systems, respond to malware, and inspect, defend, and recover networks in a hands-on, real-time manner,” Bell said.
A final notable aspect of the committee is the Cyber Reserve Corps, a network of volunteer civilian experts who can respond to cyberattacks upon request. Bell likened them to the National Guard or volunteer firefighters.
Kentucky has several agencies that deal with cyberattacks, including programs such as the Kentucky Critical Infrastructure/Major Resources Protection and Planning Program, which is administered by the Kentucky Department of Homeland Security, which is an extension of the federal agency, not a local agency, to create an information sharing network and emergency plans for cyberattacks on critical infrastructure.
As a result, local agencies often have to turn to federal agencies, such as the Department of Homeland Security or the FBI, for assistance rather than more local agencies, Sanders said.
“We're essentially at the mercy of the federal government,” Sanders said.
Hutter himself wanted to see something more localized and accessible.
“It's desperately needed,” Hatter said.
Check out these resources on cybersecurity organizations and best practices:
