The state of Alaska is not keeping up with best practices for protecting its computer systems, according to an independent cyber review that found problems with patching software, maintaining certificates and securing web pages.
Burke Stephenson, a consultant with Cybersec Innovation Partners, recently submitted the 28-page review to the joint Senate State of Affairs and Judiciary committees.
The state government’s web infrastructure is in “a critically vulnerable position,” according to the findings.
The report pointed to problems on public web pages available to anyone with a computer and internet access. Stephenson’s testimony before the joint Senate committee prompted lawmakers to go into executive session.
They cited concerns about conveying sensitive information to cybercriminals for the decision to go into the private meeting.
But Stephenson said in public testimony the risks are readily known to hackers, as they are vulnerabilities that persist on state government public websites.
He described the problems, which involve system maintenance and upkeep, as prevalent not just to the state of Alaska but across governments and the private sector.
Stephenson’s report was sealed at the Oct. 28 meeting; a copy had been provided to the News-Miner.
Bill Smith, chief information officer for Alaska government, confirmed last week that he saw the report.
“We’re obviously taking a look at the information he provided,” Smith told the News-Miner. “I appreciate you reaching out, but I don’t have any comment for publication.”
At the Oct. 28 Senate committee meeting, Stephenson said that IT vulnerabilities persist on public web pages and create risks of data breaches.
The problems would make it easy for hackers to gain access and move laterally across the interconnected government website, Stephenson said.
Stephenson told senators he has no inside knowledge of the workings of the state’s computer systems. He viewed the public websites when making his conclusions.
But vulnerabilities on public web pages often are an indicator of internal problems that could be exploited, Stephenson said. “Cyber criminals know this and realize the organization is likely unprepared for a cyber attack. They know they are an easy target.”
Stephenson is an Army veteran who works as an IT consultant with Cybersec Innovation Partners. He held a security clearance for more than two decades, and previously worked for the U.S. National Security Agency (NSA).
“What I presented to the Alaska Senate committee isn’t even the viewable (above water) iceberg that is the Alaskan government’s cyber posture,” Stephenson told the News-Miner in an email. “It is the small insignificant ice chunks floating 5-10 miles away, over the horizon, before the iceberg even comes into view.”
Easier access, greater risks
The state of Alaska has been the target of four disclosed hacks since 2020 that federal investigators are saying little about. On April 1, 2021, Stephenson emailed Attorney General Treg Taylor warning that website vulnerabilities on public pages created the risk of more cyberattacks.
“I am writing to inform you that the public facing internet systems for the Alaska State Government are extremely vulnerable to cyber attack, breach, data theft and ransomware attacks, among other vulnerabilities and cyber attack methods,” Stephenson wrote in the email.
Less than a month later, the state of Alaska was the victim of a cyberattack, when the Alaska CourtView system was targeted with malware. That was followed weeks later by reports of a hack at the Department of Health and Social Services, the state’s largest department. (Mandiant, a California IT firm, was brought in to investigate. The company drafted recommendations.)
Stephenson told senators that he never got a response to his email to the attorney general. He included an excerpt of that email in his report to lawmakers.
In the Oct. 28 Senate committee meeting, Stephenson warned that risks that persist on public web pages could lead to attacks of protected data of Alaskans. He named the voter registration website as an example, saying the “integrity of the voter’s [online] identification” continues to be “at risk of manipulation.”
The Alaska elections website, including the personal information of thousands of voters, was previously breached in September 2020.
IBM warns of hacks on public websites
The vast majority of hackers breach systems through public web applications, according to a 2021 IBM security report. The state of Alaska, like many other large organizations, has vulnerabilities on public web pages, domains and IT systems, Stephenson said.
Stephenson said that the checks he did on the state government websites are basic security reviews of public pages.
Some websites do not contain the letters “https” in the browser and have the message “Not Secure” in the url when viewed by users. Without https protocol, any data passed across the connection is not encrypted and would be visible to hackers.
Unsecured public-facing websites at the state of Alaska that do not have the https protocol include the Divisions of Administrative Services, Finance, Motor Vehicles and Retirement Benefits. The lack of protection extends to the state Senate webpage.
Stephenson, who is a vendor, recommended that the state conduct a more intensive review on the cybersecurity posture of the state of Alaska websites.
“Perform a cyber analysis to identify the severity and quantity of weaknesses and vulnerabilities that can be exploited. This will provide a better understanding of the current cyber risk,” he wrote in the report.
He also suggested that the state hold vendors accountable when they fail to provide adequate security with their products and services. He said fines could be levied for failing to comply.
“What I recommend for Alaska is that within their own regulations they could adopt new rules that would hold companies accountable, because right now they are not being held accountable,” Stephenson said.
Stephenson added that he realizes “the state’s IT professionals are under pressure, and I do feel for them,” he said. “But they are still responsible. “These are basic configurations that need to be addressed.”