AUBURN — Hackers don’t take days off. They continue to focus on larger potential targets as a means of procuring personal information.
Tuesday morning, District 52 state Rep. Ben Smaltz, R-Auburn, and District 14 state Sen. Dennis Kruse, R-Auburn, hosted a forum with representatives of the Indiana Office of Technology, school districts, and township, city and county government agencies at Auburn’s Eckhart Public Library.
House Bill 1169 allows the IOT to assist a state agency with certain issues concerning information technology.
State agencies are required to report cyber security incidents to the IOT within two business days. State educational institutions are required to submit a quarterly analysis.
The bipartisan bill unanimously passed the Indiana Senate 50-0 March 30. On April 8, it passed the Indiana House 88-0, with 10 members absent. It was signed into law by Gov. Eric Holcomb on April 27.
The IOT, which was created in 2005, has been charged with maintaining a repository of cyber security incidents.
As a business owner, Smaltz said, “I’m in the private world and we deal with cyber security issues, but we’re kind of on our own. We deal with it the best we can, but we don’t know if somebody next door to us or somebody down the street has been hacked unless we see it in the paper.
“It’s important for us to know if Garrett’s been hacked or if the county’s been hacked,” he said. “These hackers, it’s a lower return for them but it’s a lot easier to hack a Taylor Rental, City of Auburn, DeKalb hospital or schools, and they have you until you give them their 10, 12 or 15 bitcoin and they move on.”
As of Tuesday morning, one bitcoin was worth approximately $47,000.
“For government, that’s taxpayers’ money to be able to recover hacked data,” Smaltz added.
Tad Stahl, director for the Indiana Information Sharing and Analysis Center, said his agency assists entities by providing threat advisory information as well as cyber security assistance planning and training programs.
Health care, local government and K-12 “are squarely in the crosshairs of attackers,” Stahl said bluntly after a recent conversation with a cyber security insurance company.
“It’s kind of the perfect storm,” he said. “Prior to the advent of ransomware, those organizations were fairly well insulated. Prior to ransomware, the big threat was identity theft, so (hackers) were going after these organizations that had huge amounts of data.
“(Now), it doesn’t matter how much data you’ve got, they just take away your ability to deliver services. Without that data, you can’t do so,” Stahl said.
One thing’s for certain: “Attackers aren’t ones to let up and be nice guys,” he added.
Cyber security insurance agencies are pushing for multi-factor authentication.
Steve Snider, chief financial officer for DeKalb Central schools, knew of one school district that was hacked through the back door of a third-party HVAC company.
“All of the partners that you work with, you’re on the hook for them as well when you integrate,” said Graig Lubsen, director of external affairs for the IOT.
“We are so interconnected now — the state of Indiana with all the requirements that might be on local government reporting through the Department of Local Government Finance, the Department of Education, Department of Revenue, you name it.
“All of these systems really start to touch each other,” Lubsen said. “For cyber security, we had to stop looking at the three buildings of downtown Indianapolis that make up the government center and look border to border.”
While cyber security knows no borders, “We’re looking at Indiana’s borders and really trying to reach out to local government, school districts, townships, you name it, and get a sense of what are the challenges you’re facing,” he said.
As part of the new law, IOT has created a simple reporting document for cyber security incidents.
“We’ve got to learn what’s happening out there and take a look in probably two years from now, what is going to be coming next?” Lubsen said.
Incidents to be reported include ransomware attacks, business email compromises, 0-day exploits, vulnerability exploits, website defacement and denial of service attacks.
“The law gives us much better insight,” Stahl said. “You can’t over-report. It gives us better information.”
Since July, his agency has received reports of about 90 incidents, including phishing schemes, business email compromises and ransomware attacks.
“We don’t just want to correct something, we want to correct the right something,” Smaltz said.
