Alaska’s chief information officer said in a sworn affidavit that a report on a cyberattack against the state’s largest department must stay private because it contains sensitive information on a federal investigation into the hack and how criminals breached online systems.
William Smith, who leads Alaska’s information technology services, said that “disclosing these details would provide the attackers and others valuable intelligence that could be exploited.”
The Department of Health and Social Services is still not fully back online since the May 2021 cyber attack, which led to the website going offline to stop the intrusion. Smith’s affidavit, signed on Sept. 28, was in response to a request for information by Alaska Public Media on findings in the cyberattack.
The cybersecurity firm Mandiant prepared an in-depth report in June that detailed the attack, including its scope, how much data was transferred from the DHSS network and how the breach occurred, according to Smith’s statements.
The California firm was awarded a contract of close to a half-million dollars to investigate the breach and issue recommendations to fortify online systems.
“Releasing the Mandiant report would reveal vulnerabilities in DHSS’s and other state agencies’ IT security, and information on how the state prevents, detects, contains and investigates attacks,” Smith said.
The state “has rejected Alaska Public Media’s public records requests to release even a redacted version of documents prepared by Mandiant, along with other cybersecurity-related reports, saying that doing so would further jeopardize the security of the state’s computer systems,” Alaska Public Media reported Thursday.
The Mandiant report has been shared on an as-need-to-know basis. Officials who have viewed the report include FBI investigators and top officials in the Dunleavy administration, Smith said.
The CIO’s statements suggest that Alaska officials know more about the nature of the cyberattack than they have disclosed to the public.
Officials have maintained that they do not know how many records were exposed or the extent of theft or removal of data from the DHS server.
In the affidavit Smith indicated that investigators have a deeper understanding of the cyberattack and its impact.
Smith said that “the Mandiant report details attacker attribution, the period and scope of the intrusion, the potentially exposed information, how much data the attacker transferred from the DHSS network, how much data the attacker transferred into the DHSS network, how the attacker undertook the attack and immediate actions to prevent future attacks.”
DHSS Commissioner Adam Crum said in a recent press conference that potentially every Alaskan’s personal information was exposed in the cyberattack but that officials could not be certain. The state has offered free credit monitoring services to all state residents.
The state’s public disclosure that confidential health information may have been exposed in the DHSS hack was a requirement under federal patient privacy laws. But state officials have discretion about what they tell the public in other areas when data is breached.
In the affidavit, Smith said that state investigators and the FBI are urging officials not to release the Mandiant report.
The report includes sensitive information on network locations, device IP addresses, specific computer code related to detection, and techniques the attackers deployed, Smith said.
2018 annual IT report kept private, too
Smith also declined a request by Alaska Public Media to release a 2018 annual cybersecurity report that assessed the state government’s IT systems. He said it could reveal vulnerabilities in the executive branch’s IT security.
Sharing the report would “adversely affect my and my successors’ ability to advise the governor on the security of the executive branch’s IT,” including previous security incident details, he said.
Smith also suggested there might be negative public reaction to the 2018 report’s findings. He said that the public might “wrongly second-guess” preliminary and final opinions and recommendations of the governor’s advisers.
The 2018 report gave Gov. Mike Dunleavy a summary and evaluation of information technology standards, deficiencies and steps the administration could take to strengthen the executive branch’s IT security.
Smith concluded that releasing either the 2021 Mandiant report or the 2018 annual cybersecurity report could result in “irreparably harming thousands of Alaskans and others and catastrophically impairing operations of the state.”