Connecting state and local government leaders

What CIOs Can Learn About Hacktivists From Oklahoma’s ‘Hoodie Incident’


Connecting state and local government leaders

“They’re trying to get their message out,” Oklahoma’s CIO said during the NASCIO mid-year conference being held this week near the nation’s capital.

ARLINGTON, Va. — When an Oklahoma state legislator proposed legislation making it illegal to hide one’s face with a hoodie in 2015, hacktivists took notice and responded.

Oklahoma’s state government received threats via YouTube and hackers acquired botnets, pointed them at the state’s public-facing IT infrastructure and bombarded it with traffic.

The goal: To focus citizens’ attention on the hackers’ political views, and since then they’ve brought the similar types of disruptions on county and city governments protesting incidents of police-involved violence.

“A new group, they’re out just trying to make a name for themselves,” Oklahoma Chief Information Officer Bo Reese, said during the “When Rioting Hits Your Server” session at the National Association of State CIOs mid-year conference in Arlington, Virginia, just outside the nation’s capital. “They call themselves ‘journalists’ looking for a social cause.”

Some want to prove how bad a government is or how unsecure citizen data can be, said Andre McGregor, Tanium internal security director and a former FBI special cyber agent in New York City and Washington, D.C., handling intrusions from China, Russia and Iran. But hacking is hacking regardless of the motivation.

If a system has 250,000 to 350,000 machines and one is missing, McGregor said, that’s the one the hacktivist will use. Whether it’s in your finance enterprise resource planning system or another computer in another system doesn’t matter, so long as it’s accessible.

“They’re not going after the machines that you care the most about because, from a hacktivist perspective, they’re not going after you,” McGregor said. “They’re trying to get their message out.”

Oklahoma had a communications trailer sitting in a garage—the camera, heating and cooling, and voice systems for which were managed by a vendor—infiltrated by a self-proclaimed journalist streaming the hack on Twitter.

The hacker wanted to prove the government was vulnerable and was never caught.

“States aren’t there to mitigate, financially, every risk like this that comes about,” Reese said.

At the local level, Tulsa and Tulsa County were attacked separately but at least had the foresight to ask the state for help after detecting the impending threat.

The “hoodie incident” left Oklahoma with a playbook. It had the local governments scan for vulnerabilities, lock them up and shut down unnecessary systems to shrink the target.

All parties were quickly educated on the situation, with a focus on the most appetizing targets like police, citizen bank accounts and government emails.

Oklahoma is currently unifying its systems for added security, but as Kentucky has found, a consolidated data center doesn’t help with federated applications, which remain vulnerable.

The rising tide of hacktivism necessitates not just the onboarding of skilled security personnel but the establishment of a hiring pipeline to the private sector thereafter, McGregor said. The NSA hires the best cryptographers not because it pays better but because the on-the-job challenges are unparalleled, and that’s a selling point for those seeking experience before making a career move—which should be accepted and embraced.

“I was stolen,” McGregor said. “I had a really uncomfortable conversation with FBI Director Comey when I was leaving.”

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.

NEXT STORY: Cities, States Seek to Protect Immigrants’ Data from Federal Officials