State of Alaska websites are not secure, and state government vendors are providing inadequate protections.
Burke Stephenson, a consultant with Cybersec Innovation Partners, delivered that assessment during a Senate committee meeting that lasted for more than two hours before moving into executive session over security concerns.
“Alaska’s current IT and cyber vendors are not providing adequate protection, and Alaska’s IT infrastructure is insecure,” Stephenson told a joint meeting of the Senate State of Affairs and Judiciary committees.
In the Oct. 28 meeting, Stephenson offered an overview on the “security posture” of Alaska’s information technology services, including the state government website and the electronic data it contains.
“I want to help provide an understanding and education of what we found and why this is important to the state of Alaska in the cybersecurity realm,” said Stephenson, whose company is based in London.
The state of Alaska has been targeted in four disclosed cybersecurity incidents in less than two years. The most recent breach occurred six months ago, when the Department of Health and Social Services was hacked, and services were taken offline.
The cyber criminals have not been publicly identified, and the attack is still under federal investigation.
Stephenson warned that cyber criminals may have access to systems for several months before making a move, in order to gain elevated entry without discovery.
The four publicly disclosed cybersecurity attacks against the state of Alaska since 2018 include:
• April 2018: A trojan containing malicious code exposed information on 100,000 residents after the Alaska Division of Public Assistance was hacked.
• September 2020: A cybersecurity breach of the Alaska Division of Elections exposed the personal information of 113,000 Alaska residents. (Prior to the breach, Stephenson said he contacted the state of Alaska to warn officials that the “website was critically vulnerable and needed immediate attention.”)
• April 2021: Malware was discovered in the Alaska CourtView system, prompting officials to take the service offline to stem the access of the hackers. (Stephenson said he had emailed the attorney general’s office prior to the attack about vulnerabilities in the overall IT system, but he never heard anything back.)
• May 2021: The Department of Health and Social Services was targeted in a cyber attack in May that led to many online services, including background checks, to be taken offline until problems could be addressed.
Stephenson said that “exposed vulnerabilities” in the state of Alaska’s online systems “act like beacons to cybercriminals.” Hackers look for weaknesses in public-facing information.
He warned that voter identification in Alaska remains at risk of manipulation. “The Alaska government is interconnected. If there is an access point the criminals can get in, they will lie in wait and gain elevated privileges,” Stephenson said.
“They can access voter information and voter registration, and possibly manipulate or steal that data,” he added.
Initial access is often to public websites with vulnerabilities that provide a foothold to the hackers.
Sen. Jesse Kiehl, a Juneau Democrat, asked about the best approach organizations should take to enhance their cyber security.
If there are weaknesses with the public websites, hackers will see that, Stephenson said. For example, he said that many web pages for the state of Alaska do not use secure connections, known as https.
A public website with open ports is a sign to criminals that the “inside is not protected either, and you are not prepared for an attack,” Stephenson said.
“The state needs to eliminate attack vectors,” he said. “Once you do that, these vulnerabilities do not pop up, and the criminals move on.”
The committee then went into executive session to discuss issues that members said could give hackers sensitive information and create further vulnerabilities.
The committee did not take a vote or any action on the presentation after returning to end the meeting.