The COVID-19 pandemic has re-emphasized the importance of personal hygiene. We have all become familiar with longer hand washings, face masks, and the seemingly impossible task of not touching our faces. But we must also redouble our efforts to maintain good cyber hygiene.
As the pandemic has made our world more virtual—with massive increases in teleworking and teleconferencing—the risk of cyberattacks on local government computer networks has also grown. This heightened vulnerability has two causes: an increased attack surface and an increased threat from malicious actors.
Increased Attack Surface
The formal calculation of attack surface takes a complete accounting of a computer network’s resources and computes the sum of their contributions to the potential for damage.[1] But for our purposes, we’ll consider attack surface to mean the range of individual vulnerabilities that an attacker can exploit to cause damage in a computer network.
We see an increase in attack surface because we see an increase in those vulnerabilities as a result of changes in response to COVID-19. First, fewer people are working behind their organization’s protective barriers; they are “outside the wall” on devices that probably have fewer protections (or protections that are less up-to-date) against computer attacks. They are also likely using their home Wi-Fi networks for connectivity, which may have serious vulnerabilities—or no protection enabled at all.
With so many people working from home, some local governments and other organizations have rapidly deployed new network infrastructure in order to accommodate the surge in demand for teleworking—both equipment for users and equipment for handling the extra processing. If your organization has purchased equipment that is unfamiliar to your staff, there may be a greater chance of misconfiguration, such as unused access ports left open or administrative permissions set incorrectly. This increases the attack surface, leaving holes that attackers can exploit.
Ideally, staff at home are using authorized work computers that allow them to connect to your organization’s network through a virtual private network, or VPN. And these work computers ideally have protections for when they are away from the work environment, such as disabled USB ports.
But instead, many housebound local government employees are increasing the attack surface of government networks by using their home computers for work, whether permitted by organizational policy or not. Some activities have a lower risk, such as accessing work email through a web-based interface on a home computer. But some staff may use their home computer to create files, which they then email to their work email address. The chances of people using their home computers for work increase with their frustration levels with work equipment (“It’s too slow” or “It has too many restrictions”) or simply because they prefer their home setup. (“I have three screens and a killer sound system!”) But the chances they are using infected home computers are high: Adaware estimated in 2017 that hackers had control of 100 to 150 million computers on the internet.[2] And in 2015, the Anti-Phishing Working Group reported that nearly one-third of the world’s computers had malware on them.
Even people who are not primarily using their home computer for work may be using riskier methods while teleworking from home, such as personal email accounts and transferring files from home computers to work computers. They may also try out tools with new or unknown vulnerabilities. For example, Zoom has become a popular platform for videoconferences. In April 2020, researchers showed that hackers could steal Zoom users’ Windows credentials by sending special links through Zoom’s chat interface.[3] Zoom quickly patched this vulnerability, but the incident highlights the risks of using new platforms. It also raises questions about what other yet-undiscovered vulnerabilities may still be active. All of these processes increase the attack surface of your network. This risk comes on top of the normal problems, such as people unwisely posting their Zoom meeting links in public places and having unsavory characters “Zoom-bomb” their meetings.[4]
New equipment, processes, and tasks also mean that staff may be seeing unfamiliar links to websites or receiving emails from new people and places. Many of these will be legitimate; some may not be. With all of the added uncertainty and strangeness from the COVID-19 pandemic, people are particularly susceptible to sensational news, which potentially makes them an easier target for the click-bait lures such as, “You won’t believe what this politician said about COVID….”
In all of these ways, COVID-19 has increased the attack surface for local government networks. As a result, malicious cyber actors have even more entry points to exploit and launch a successful attack on your organization’s computer network.
Increased Threat
It would be nice to think that hackers are lying low at this time of global suffering, busily sewing masks. It would also be naïve. Both the historical record and recent intelligence suggest that attackers will try to take advantage of the pandemic. But who are these attackers, and why do we see the threat from them increasing during the pandemic response?
The threat generally comes from three sources:
1. Amateurs or lone hackers who are acting for general mischief.
2. Criminals who are financially motivated.
3. Nation-state actors interested in gaining intelligence—and maybe also in generating friction.
In the latter case, the threat particularly comes from regimes that don’t like the United States: China, Russia, Iran, and North Korea.[5] These countries have teams of hackers dedicated to breaking into the computer systems of other nations, and they have the financial backing of their countries behind them to provide the best equipment, tools, and training. Most of these teams target federal government and industrial systems in order to gain access to sensitive information or intellectual property. But some—particularly North Korea—are not above stealing from banks and blackmailing corporations.[6]
Although the Russians have shown a predilection for targeting U.S. elections infrastructure,[7] the greatest threat to local governments comes from hackers seeking to enrich themselves. Kaspersky reported that at least 174 U.S. municipalities had ransomware attacks in 2019, a 60-percent increase from 2018, with an average ransom of $1 million per attack.[8] Cyber criminals mostly used phishing attacks, with a variety of malware hidden in attachments, links, or software installers.
All of these attackers, regardless of their motivations, currently have greater opportunities to attack computer networks due to the increase of the attack surface from the response to COVID-19. Criminal activity generally increases in times of turmoil and uncertainty, when less scrupulous individuals decide to take advantage of the chaos and distractions. The U.S. Department of Homeland Security, in conjunction with the Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre, released a report in early April noting that malicious cyber actors were increasingly using COVID-related themes in their cyberattacks. They were phishing using “COVID” in the subject line of emails, distributing malware via COVID-themed lures, and registering domain names with COVID-related words, where they could host their malware.[9]
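As an added illustration (not from the article or the alert it cites), the indicators the alert names, a COVID-themed subject line, COVID-themed or newly registered link domains, plus an unfamiliar sender, scored over constructed sample messages so a mail team can see which ones deserve a closer look; the trusted-domain list, registration dates, and the 60-day window are assumptions.

```python
import re
from datetime import date

# Lures named in the alert: COVID wording in subjects and in link domains.
COVID_TERMS = re.compile(r"covid|corona|pandemic|ncov", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample data (assumed, not from the article): domains the organization
# already trusts, and registration dates as a WHOIS lookup might return them.
KNOWN_DOMAINS = {"county.example.gov", "cdc.gov"}
REGISTERED = {
    "covid19-relief-update.example": date(2020, 3, 28),
    "cdc.gov": date(1995, 4, 28),
    "county.example.gov": date(2001, 6, 1),
}


def score_message(sender, subject, body, today=date(2020, 4, 10)):
    """Return (score, reasons); each reason is one indicator from the alert."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if COVID_TERMS.search(subject):
        reasons.append("COVID-themed subject line")
    if sender_domain not in KNOWN_DOMAINS:
        reasons.append("unfamiliar sender domain " + sender_domain)
    for domain in {d.lower() for d in URL_RE.findall(body)}:
        if COVID_TERMS.search(domain):
            reasons.append("COVID-themed link domain " + domain)
        registered = REGISTERED.get(domain)
        if registered is None:
            reasons.append("link domain with no registration record " + domain)
        elif (today - registered).days < 60:  # freshly registered lure domain
            reasons.append("link domain registered %d days ago %s"
                           % ((today - registered).days, domain))
    return len(reasons), reasons


# Constructed messages: one legitimate advisory, one lure, one routine mail.
SAMPLE_MESSAGES = [
    ("alerts@cdc.gov", "COVID-19 guidance for local governments",
     "See https://cdc.gov/coronavirus for the latest guidance."),
    ("relief@covid19-relief-update.example", "URGENT: COVID relief funds for your county",
     "Claim funds at https://covid19-relief-update.example/claim before Friday."),
    ("clerk@county.example.gov", "Agenda for next council meeting",
     "Agenda attached; meeting link https://county.example.gov/meetings."),
]


def triage(messages, threshold=3):
    """Subjects of messages that stack enough indicators to deserve a closer look."""
    return [subject for sender, subject, body in messages
            if score_message(sender, subject, body)[0] >= threshold]
```

A single COVID-themed subject from a trusted sender scores low; the lure scores on all four indicators, which is the point of combining them rather than keying on the word alone.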
The Need for Cyber Hygiene
Together, the increase in the attack surface and the increased threat mean that local managers need to redouble efforts to keep their information technology systems safe, even as they continue to extinguish all sorts of other fires in response to the public health emergency. It would be easy—and might even seem reasonable—to relax on good cyber hygiene standards, making special allowances during these difficult times. It might even seem to suggest that you are putting human life before computer systems. But safe and secure computer systems are vital to help those very same humans, and they must remain as protected as possible. In fact, the unprecedented demands on unemployment claims systems and emergency logistics networks suggest that strong networks have a vital role to play in countering the pandemic’s effects.
Cyber hygiene does not come easily! In April 2020, the U.S. Government Accountability Office released a report noting that the Department of Defense had not taken action on many of the identified deficiencies in its cyber posture.[10] The report found that by 2020, the Defense Department had not fully implemented seven of the eleven tasks identified in 2015—which originally had expected completion dates in 2016. And local governments must contend with far fewer resources than the U.S. military. It’s easier to identify issues than to implement solutions.
Even so, simple steps can provide powerful protection, such as ensuring that computer networks, operating systems, and programs have the latest patches installed. When the WannaCry ransomware attack hit in May 2017, the exploit used a vulnerability in the Windows operating system to break into computers, encrypt data, and then demand ransom payments in Bitcoin. Months prior to the attack, Microsoft had released patches to close the vulnerability, but WannaCry was able to penetrate institutions and governments around the globe that had not applied the patches. The United States, United Kingdom, and Australia formally identified North Korea as the sponsor behind the attack.[11]
With the increase in teleworking, local managers can take additional steps by helping staff better secure their home networks. Simple checklists and links to step-by-step resources can help ensure that basic security measures are in place, such as changing the default password on a Wi-Fi network. But even with the latest equipment and updated security measures, it only takes one click on a malicious link or one activation of a bad file to undermine all security measures. Each local government employee sits on the front line of this cyber battle, and their training and preparation will ultimately determine the outcome.
As governments across the globe respond to the COVID pandemic, we have no idea whether we will see subsequent waves of infection, or even what the next crisis might be. What we do know now is that the world can change rapidly and completely, and we need to provide jurisdictional staff with the tools they need to remain nimble and flexible.
The time is now—or in the very near future—for local managers to ask important questions regarding their network security: Did your organization put any IT shortcuts in place? Does your organization have appropriate safety measures in place? Are temporary measures that were put in place during the pandemic still necessary? Can they be updated? Addressing these questions may take time and decrease efficiency for a while. But should a second pandemic wave or some other tragedy hit, they will save more time and increase safety.
And so, as you wash your hands for the recommended 20 seconds—or as you ponder whether that random cough might be something more—don’t forget to maintain good cyber hygiene and “wash your networks,” too!
Endnotes and Resources
[1] P.K. Manadhata and J.M. Wing, “A Formal Model for a System’s Attack Surface,” in Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, Chapter 1, S. Jajodia, A. Ghosh, V. Swarup, C. Wang, and X.S. Wang, editors, Springer, 2011, pp. 1-28.
[2] Adaware. Spyware Statistics. 10 January 2017.
[3] Dan Goodin. Ars Technica. “Attackers can use Zoom to steal users’ Windows credentials with no warning.” 1 April 2020.
[4] Kristen Setera. FBI Boston. “FBI Warns of Teleconferences and Online Classroom Hijacking During COVID-19 Pandemic.” 30 March 2020.
[5] Symantec. Internet Security Threat Report. 2019. Volume 24. In particular, this report noted that in 2018, the United States filed 49 espionage indictments against China (19), Russia (18), Iran (11), and North Korea (1).
[6] Ben Buchanan. Wired. “How North Korean Hackers Rob Banks Around the World.” 28 February 2020.
[7] Report of the Select Committee on Intelligence, United States Senate. “Russian Active Measures Campaigns and Interference in the 2016 U.S. Election.”
[8] Kaspersky. “Kaspersky research finds 174 municipal institutions targeted with ransomware in 2019.” 11 December 2019.
[9] U.S. Department of Homeland Security. U.S. Cybersecurity and Infrastructure Security Agency. U.K. National Cyber Security Centre. Alert AA20-099A. COVID-19 Exploited by Malicious Cyber Actors. 8 April 2020.
[10] Government Accountability Office. GAO-20-241. DoD Needs to Take Decisive Actions to Improve Cyber Hygiene. 13 April 2020.
[11] Thomas P. Bossert. The Wall Street Journal. “It’s Official: North Korea Is Behind WannaCry.” 18 December 2017.