Connecting state and local government leaders
While such cyberassaults are generally perceived as less harmful than other attacks, they can be just as damaging. Daniel Steeves, the CIO for the Ottawa Police Service, details a useful case study from Canada’s capital city.
OTTAWA — Hacktivists, hackers whose activity is aimed at promoting a social or political cause, have become a real issue for state and local governments, largely because these agencies have prominent media profiles and often lack the resources to fight back. We have seen recent attacks across the country from Phoenix to Maine.
The attack vector of choice for hactivism is usually Distributed Denial-of-Service (DDoS) attacks and they are on the rise and getting bigger. According to the most recent State of the Internet – Security Report, prepared by Akamai Technologies, DDoS attacks have doubled year over year for the past three quarters. They are also getting stronger and longer, and DDoS attacks are predicted to be far more sophisticated and successful in bringing down network infrastructure and exposing critical information.
DDoS attacks are attempts to make a computer resource or network unavailable to users. The targeted system becomes overwhelmed with massive amounts of unsolicited data or traffic and either becomes unusable or crashes completely. Groups of computer criminals use DDoS attacks as a means of extortion, to gain media attention and notoriety from peer groups, or to damage reputations and cause service disruptions in a number of industries. DDoS attacks are also often used as a distraction when other, more serious, attacks are occurring, such as data exfiltration. DDoS attacks are generally perceived as less harmful than other cyberattacks, but they can be just as damaging; DDoS attacks just cause a different type of damage. DDoS attacks are particularly harmful to a police department that needs their network working in order to keep the public safe. Unfortunately, we recently learned this the hard way.
The Ottawa Police Service (OPS) in Canada plays a central role in keeping the community safe during the special and extraordinary events in Canada’s capital. The OPS maintains a website providing up-to-date news and information about the police force along with resources, contact information, an online crime reporting option, crime prevention tips and event listings. On average, 31,000 people visit the site each month.
In November 2014, a group of online hacktivists launched a series of attacks on several government websites, including www.ottawapolice.ca, OPS’ website. These attacks saturated OPS’ physical Web infrastructure, including its firewall, website connection and email pipe.
In a two-hour period, the Ottawa police saw millions of hits to its firewall. In addition, DDoS attacks continued throughout the weekend and threatened the uptime of other sites hosted in the data center of the Internet Service Provider (ISP) used by the OPS. To minimize impact, the OPS site was taken offline. The Web hosting provider then requested that the OPS migrate its website to another hosting environment because the online attackers continued flooding the organization’s pipes knowing that it was hosting the OPS site.
The public was left without access to critical information updates provided by the OPS. In order to get the website up and running again, the OPS needed to move to the cloud on a platform robust enough to withstand targeted attacks, mitigate DDoS attacks and create a shield to deny any future threats to its web infrastructure.
OPS implemented Akamai Kona Site Defender and the IBM Managed Security Solution for attack monitoring and mitigation. These solutions were chosen because they had the ability to scale to address any threat level. Within 30 hours of engaging Akamai, the OPS site had been migrated to the cloud and the Akamai solution was implemented. The quick turnaround helped restore the public’s confidence in OPS and its ability to now protect itself against future attacks.
It is no longer a question of if a local government agency will be attacked, rather it is when. In fact, the National Association of State Chief Information Officers identified cybersecurity as the top strategic IT priority for 2015. It is critical that government organizations take threats seriously and proactively address their cybersecurity posture in order to avoid detrimental attacks that could cause the public to question the security of and protection offered by these administrations. What can agencies do?
- Harden technology. Hardening technology helps you eliminate as many security risks as possible. Agencies can harden technology by removing all non-essential software programs and utilities from systems, which reduces the number of vulnerabilities and potential back doors.
- Educate users. The average person knows very little about cybersecurity. At the same time they pose a huge threat to their work environments. People are using numerous devices and applications that could expose their workplace to harm. This is especially dangerous for government agencies as they possess sensitive information. Agencies should have policies to address employee security and technology use and should spend the time educating their employees on their role in reducing security risks.
- Have a response plan. Most agencies are surprised when they are attacked – we certainly were. Before it happens, make sure you take the time to figure out what you will do when it does happen. Simply stated, your first job is to stop the bleeding. Once you do that, you can begin the process of identifying from where the attack surfaced to fix any vulnerabilities. Finally, if any constituents were affected you’ll need to address that. Be sure to keep your public information officer in the loop as any response plan should involve communication with the public.
State and local governments need to take DDoS attacks seriously. They are on the rise, causing much more damage and pose specific threats to state and local government agencies. Public sector organizations will be well served to take the necessary steps to minimize their risks as much as possible. Hopefully other agencies can learn from our experience and avoid the catastrophic results of an attack, or prevent one from occurring in the first place.
Daniel Steeves is the Chief Information Officer for the Ottawa Police Service in Ottawa, Canada.