Businesses, government entities and people must rely on interconnected digital technologies to fully function in today’s global economy. But the necessity and the advantages of modern technology, such as lightning-fast communication and unmatched efficiencies, pose inherent risks. As technology becomes more sophisticated, so do cyberattacks. Recent large-scale cyberattacks, including those targeting supply chains, have had costly and potentially disastrous effects. They also have mobilized Texas leaders and drawn strong responses.
A hooded person working on a laptop in a dark, secret basement is not an accurate representation of today’s cybercriminal. Cybercrime is more likely to be the work of a global, organized business operation than a single hacker, says James McQuiggan, security awareness advocate at KnowBe4, a Florida-based security awareness training and simulated phishing platform.
A cyberattack is any “deliberate and malicious attempt by an individual or organization to breach the information system of another individual or organization,” according to Infocyte. Cybercriminals often target employees to breach the computer networks of companies, government agencies or other organizations.
Some high-profile cyberattacks involve rogue nation-states and have national security implications, such as the SolarWinds cyberattacks perpetrated in 2020 by the Russian Foreign Intelligence Service. Other cyberattacks come from “hacktivists,” cybercriminals motivated by social or political issues. In most cases, however, economic gain is what drives cybercriminals, and that can lead to major financial ramifications for victims.
The COVID-19 pandemic boosted demand for high-speed internet when many aspects of daily life — notably work, education and health care — shifted to the virtual world in response to “shelter-in-place” guidelines and restrictions on in-person gatherings (see February 2021 Fiscal Notes). That sudden shift prompted more opportunities for cyberattacks, particularly on small- and medium-sized businesses, government entities and other organizations operating without adequate levels of cybersecurity.
At the onset of the pandemic in early 2020, many organizations had to quickly pivot to video conferencing services to stay connected and continue operations. It was a rough start for some video conference users, who experienced cyberattacks that compromised personal data, such as email addresses and passwords.
After Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, cybercriminals launched financial fraud schemes (PDF) and phishing campaigns that targeted unemployment insurance, Paycheck Protection Program loans and other provisions under the CARES Act. Moreover, phishing campaigns baited email recipients into clicking malicious links or opening attachments disguised as coronavirus-related news, such as vaccine developments.
According to the nonprofit Identity Theft Resource Center, which tracks publicly reported data breaches in the U.S., the amount of data compromised from cyberattacks in the first three quarters of 2021 exceeded the total reported in all of 2020 by 27 percent. Ransomware attacks especially are surging. Publicly reported incidents related to ransomware in the first three quarters of 2021 surpassed totals reported in 2019 and 2020.
PHISHING is the gateway to cyberattacks, says McQuiggan, and it is one of the most common and effective methods for breaching an organization’s network. In a phishing attack, an attacker gains access to a device by tricking an unsuspecting recipient to click on a fake link or open a malicious attachment sent via email.
RANSOMWARE is malicious software that locks and prevents access to personal information or critical data on a computer or network. As the name suggests, the attackers do not release the system until they receive a specified payment, usually in cryptocurrency. Ransomware is one of the costliest classes of cyberattacks. According to the Unit 42 security consulting group, the average ransomware payment in the first half of 2021 was $570,000, 82 percent higher than the average payment in 2020. The research company Cybersecurity Ventures predicts that ransomware costs could reach $265 billion by 2031, with a new attack happening every two seconds.
Sources: Cybersecurity Ventures, “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031”; Financial Crimes Enforcement Network, “Financial Trend Analysis (PDF)”; Infocyte, “Cybersecurity 101: Intro to the Top 10 Common Types of Cybersecurity Attacks”; and Palo Alto Networks, “Extortion Payments Hit New Records as Ransomware Crisis Intensifies”
The 2020 Internet Crime Report (PDF), published by the FBI’s Internet Crime Complaint Center (IC3), suggests that the frequency of cyberattacks and resulting financial losses in the United States have skyrocketed in recent years. The IC3 recorded more than 790,000 public complaints of internet crime in 2020, up 69 percent from 2019. The report estimates that the financial losses from cybercrimes in the U.S. were as high as $4.2 billion in 2020, a 20 percent increase from 2019 (Exhibit 1).
In Texas, more than 38,000 victims of cybercrime reported an estimated $313.6 million in financial losses in 2020 — an increase in losses of 42 percent from 2019 and 307 percent from 2016 (Exhibit 2).
Notes: Financial loss data are self-reported by complainants. Financial losses are rounded to the nearest million.
Source: FBI, Internet Crime Complaint Center
Notes: Financial loss data are self-reported by complainants. Financial losses are rounded to the nearest million.
Source: FBI, Internet Crime Complaint Center, Annual Reports
Cybercriminals have discovered it may be more profitable to target large organizations using highly automated data theft methods (e.g., phishing campaigns and ransomware attacks) than to steal people’s personally identifiable information — and it takes less time. Those organizations often include government entities.
Part of this alarming trend targets local government groups, including many Texas school districts that reported ransomware attacks in recent years. A San Antonio-area school district with about 23,000 students paid more than $500,000 to cybercriminals who froze its computer networks in June 2020. Cyberthreats have only exacerbated the financial burdens that school districts have suffered from the COVID-19 pandemic.
State agencies in Texas are also seeing more attack attempts by cybercriminals. “The tools on the state of Texas network block millions of connection attempts a day from known bad actors,” says Nancy Rainosek, chief information security officer for the state of Texas. She adds that phishing is widespread, and cybercriminals are getting better at disguising malicious emails as legitimate. When much of the state’s workforce started working from home during the COVID-19 pandemic, Rainosek says there was an increase in “distributed denial of service” attack attempts, which can “affect an employee’s ability to connect remotely and limit access to public services.”
Cybersecurity initiatives at the state level began in earnest in 2011 when the Legislature created the temporary Cybersecurity, Education and Economic Development Council to study Texas’ cybersecurity infrastructure and make recommendations to the executive director of the Texas Department of Information Resources (DIR).
In 2017, a pivotal year for cybersecurity in Texas, the 85th Legislature enhanced the protection of state agency information resources with the Texas Cybersecurity Act. One promising outcome of this legislation is the Texas Information Sharing and Analysis Organization (TxISAO), a membership program under DIR that serves as a centralized forum for public and private sector groups in Texas to exchange pertinent information about cyberthreats and security strategies.
“TxISAO provided critical intelligence to members across the state during high-profile security incidents, including the SolarWinds attack,” says Rainosek.
TxISAO now has more than 1,500 members and partners with four major organizations:
Most recently, the 87th Legislature passed Senate Bill 475, which created several additional cybersecurity programs under DIR (Exhibit 3). It also funded Endpoint Detection and Response (EDR) technology for state agencies, says Rainosek. EDR is an emerging technology recognized as a major protection against ransomware. All told, the 87th Legislature “passed some of the most significant cybersecurity legislation to date and appropriated more than $700 million for cybersecurity and legacy and modernization projects,” says Rainosek.
PROGRAM | PURPOSE |
---|---|
Texas Risk and Authorization Management Program (TX-RAMP) |
Provide a standardized approach for security assessment, authorization and monitoring of cloud computing services and products used by state agencies. State agencies may only contract with TX-RAMP-compliant vendors for cloud computing services starting on Jan. 1, 2022. |
Volunteer incident response team | Provide rapid assistance to participating entities during cybersecurity events. This team can be deployed by the governor during a cybersecurity disaster declaration. |
Regional cybersecurity working groups | Establish a framework for mutual aid agreements to assist in responding to cybersecurity events. |
Regional security operations center | Assist in providing cybersecurity support and network security for local entities, in partnership with a university. |
Notes: Programs were established by Senate Bill 475 (87R); this does not represent an exhaustive list.
Sources: Texas DIR; Texas Legislature Online
“People are a critical layer within the fabric of [cyber]security programs,” says McQuiggan. Awareness of how cybercriminals breach information systems is an effective and necessary component of cybersecurity.
In July 2021, the Texas Office of the Governor partnered with the R.E.A.L. Friends Don’t, a nationwide awareness campaign to educate parents, caregivers and teens about cyberthreats. The campaign used digital billboards in more than 70 Texas cities to educate the public about online safety practices and resources.
CYBERCRIMINALS increasingly are targeting supply chains, because a single attack on a supplier can disrupt multiple companies across an entire network.
In early May 2021, an organized extortion group attacked the Colonial Pipeline Company, which operates a 5,500-mile-long pipeline moving more than 100 million gallons of fuel daily between New York and Texas. The group held corporate data hostage and demanded the company pay $4.4 million in cryptocurrency. The company shut down its pipeline for several days (the first shutdown in its 57-year history), causing massive fuel shortages up and down the East Coast. Colonial paid the ransom to restore pipeline service.
Later that month, criminals hit the world’s biggest meat processing company, JBS USA, in a ransomware attack that forced the company to shut down certain operations at 13 of its plants in the U.S. as well as others in Australia and Canada. JBS USA paid $11 million in cryptocurrency to prevent more plants from shutting down and further disrupting the global food supply chain.
But it isn’t all bad news. In August 2021, the Port of Houston — a major economic driver for Texas and the U.S. — successfully averted a cyberattack. According to a statement released on Sept. 23, the port followed its security plan and prevented cybercriminals from compromising its network. The statement did not disclose the type of cyberattack.
Texas First Lady Cecilia Abbott, who spoke at the campaign’s launch in San Antonio, said, “as our children spend more time on the internet, the crime of online enticement continues to grow” and that addressing the issue “begins with raising awareness and educating parents and caregivers on the danger signs, and then giving them the tools to fight back.” Beginning this year, the newly formed Texas Broadband Development Office, which operates within the Comptroller’s office, will partner with the First Lady to continue promoting the R.E.A.L. Friends Don’t initiative.
The 86th and 87th Legislatures passed cybersecurity training requirements for state agency and local government employees and elected or appointed officials who use computers or access databases for at least 25 percent of their duties. The DIR annually must certify at least five cybersecurity training programs that “focus on forming information security habits and procedures that protect information resources and teach best practices for detecting, assessing, reporting and addressing information security threats.”
The legislation means that many, if not most, government employees in Texas must complete one of the five available DIR-certified cybersecurity training programs each year. The training will increase awareness of cyberthreats and help reduce the security risk to Texas’ computer networks and data systems.
Cybercriminals never stop looking for ways to exploit people and organizations (including government agencies) for economic gain — and the COVID-19 pandemic has created more opportunities for these bad actors. Over the past decade, the Texas Legislature has taken meaningful steps to defend state agencies and local governments against rampant cyberattacks. But as cyberthreats evolve, so, too, must cybersecurity in Texas. FN
Cybersecurity is crucial as Texas expands broadband internet access and connects more Texans to the virtual world. Read about the state’s broadband expansion efforts.