The state of Alaska detects and thwarts more than two million attempted cyber attacks on its IT systems each month, chief information officer Bill Smith told lawmakers Tuesday.
“We have to make sure we emphasize that the threat is ongoing. We don’t get attacked three times a year,” Smith said at a hearing before the Senate Health and Social Services Committee. “Our firewalls block over two million attempts a month to get into our network from nefarious attacks.”
Smith offered lawmakers an overview of the Alaska government’s work to fortify its digital environment, since the Department of Health and Social Services went offline in 2021 after a major cybersecurity breach.
In September 2021, the state government notified the public that intruders potentially exposed sensitive patient information that is confidential under the Health Insurance Portability and Accountability Act, also known as HIPAA.
The intruders may have accessed the financial and health information of tens of thousands of Alaskans.
Smith updated lawmakers about the work of Alaska’s Office of Information Technology to harden protections and prevent future intrusions. “Our single highest priority is our cybersecurity posture,” Smith said. “The security and integrity of our data across the state of Alaska is absolutely paramount.”
He said his goal at the hearing was to explain the threat environment and how the state of Alaska is responding. Smith described a proliferation of cyber threats globally in the public and private sector.
The increase in the scope, volume, complexity and frequency of attacks points to the evolution of data theft and cyber intrusions into a $6 trillion annual industry.
“No longer do you have individual hackers programming and targeting organizations. You have threat actors that are creating code and then selling it” on the open market, Smith said.
Criminal organizations purchase malware and ransomware and then launch cyberattacks against private businesses, nonprofit agencies and governments. In some instances, the criminals encrypt data and demand a ransom to release it.
Nation states that are adversaries of the U.S. have increased financing and resources to grow the illegal cyber activities. “It continues to drive that economy,” Smith said.
He described as a "supply chain" problem activities by hackers to infiltrate common software to gain access to governments and corporations. In what was known as the SolarWinds breach, hackers accessed the IT systems of the SolarWinds software company as a doorway to agencies of the U.S. government.
The state of Alaska has modernized its IT systems to enable employees to operate productively in a more secure environment, Smith said. “We are moving more to an entire architecture. We are looking at our entire IT environment from a security perspective. We cannot just buy an anti-virus system and think we are covered,” Smith said. “It makes a difference in how we defend today and into the future.”
By taking a whole system view, which includes internal network security scans, the Office of Information Technology is able to identify security gaps and immediately address them.
The state also has been partnering with cybersecurity firms to assess the state’s practices and identify vulnerabilities.
Sen. David Wilson, a Wasilla Republican, asked whether the state government carries cybersecurity insurance. Smith said the question comes up often, and he has been talking with risk management.
“The challenge is that insurance does not prevent incidents,” he said, noting that state governments are not always reimbursed for damages from breaches.
Sen. Shelley Hughes, a Wasilla Republican, asked how the state is monitoring incoming traffic online to deflect attacks.
Smith noted, for example, that the state has platforms that filter every piece of email that comes into state agencies. The software is automated, but staff is continually checking systems, Smith said.
“They also are alerted by platforms of suspected threat activity,” he said.
Hughes asked about last year’s hack of DHSS. “How did you find out? How did you become aware of it?” she said.
“We did have a system that alerted us and office personnel responded immediately to identify, investigate and isolate the problems,” Smith said, adding that he did not have the specific timeline of events.
The state government has taken several basic steps to ensure better security, he added.
The state now requires what is known as multi-factor identification to combat username and password theft. The IT team is migrating data to a cloud framework.
“We can focus on processes and procedures” and not on patching outdated, underlying systems, he said.
The state's IT technicians also are increasing training for users as well as their visibility over all state organizations.
When any new IT system is acquired by government agencies, security protocol must be implemented before it goes online, he said.
“An authorization to operate is issued after platforms and software are evaluated for security concerns,” Smith said.
“We are working hard to be certain that we do not have any security gaps in our processes and to make sure anything that might slip through the cracks gets identified early,” he said.