Hobbs Called On To Protect Water And Wastewater Systems From Cyberattacks

Hobbs Called On To Protect Water And Wastewater Systems From Cyberattacks

By Daniel Stefanski |

Arizona legislative Republicans are requesting the state’s governor to take action to protect water and wastewater systems from cyberattacks.

On Tuesday, the Arizona State Senate Republican Caucus called on Governor Katie Hobbs “to take swift action to protect Arizona’s critical infrastructure from adversary nations seeking to unleash harm on the United States.”

The demand from the lawmakers follows a letter from the White House to state governors, warning of “the impending threat of cyberattacks.”

In that letter, which was signed by the Administrator of the Environmental Protection Agency and the Assistant to the President for National Security Affairs, the White House identified two of those “recent and ongoing” threats. The first was from “threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps.” This threat, according to the letter, has “carried out malicious cyberattacks against United States critical infrastructure entities, including drinking water systems.”

The second threat was from “The People’s Republic of China state-sponsored cyber group known as Volt Typhoon.” This adversary, per the letter, “has compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.”

Senate President Warren Petersen issued a statement in conjunction with his Caucus’ call to the governor, saying, “Water is vital to lives and livelihoods. It’s concerning the Governor has yet to share any information with the Legislature, or the public, on this matter. What’s even more concerning is at a recent stakeholder meeting on a completely separate issue, a representative from the Arizona Department of Emergency and Military Affairs expressed to our lawmakers no knowledge of this warning from the White House.”

According to the Administration’s communication, these cyberattacks “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

Petersen also shared his thoughts on what the governor should do in order to protect the state from these cyberattacks. He wrote, “I encourage her to prioritize the safety and wellbeing of our citizens by taking steps to protect Arizona’s critical infrastructure from enemy nations who are a known threat to our state and country. This includes signing our legislation crafted specifically to mitigate these threats, such as SB 1403, SB 1340, and SB 1123.”

SB 1403, sponsored by Senator Janae Shamp, would “make it generally unlawful for specified foreign principals to purchase, own, acquire by grant or devise or have any other interest in (hold) real property” – according to the Arizona House overview.

SB 1340, sponsored by Senator Frank Carroll, would “prohibit a publicly managed fund from holding an investment in a foreign adversary, a state-owned enterprise of a foreign adversary, a company domiciled within a foreign adversary, or any other entity owned by or domiciled in a foreign adversary; or investing or depositing public monies in a bank that is domiciled in, or has a principal place of business in, a foreign adversary” – according to the summary from the Arizona House.

SB 1123, sponsored by Senator Wendy Rogers, would “prohibit a business or governmental entity in Arizona from entering into an agreement involving critical infrastructure if certain criteria apply.”

The letter from the Biden Administration officials requested the help of state governors “to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”

Daniel Stefanski is a reporter for AZ Free News. You can send him news tips using this link.

New Banking Cyber Security Rule Won’t Stop Attacks But Could Help Identify Vulnerabilities

New Banking Cyber Security Rule Won’t Stop Attacks But Could Help Identify Vulnerabilities

By Terri Jo Neff |

Federally regulated banks across the United States have about 100 days to get familiar with a new rule that requires the reporting of cyberattacks and other computer security incidents to regulators within 36 hours and “as soon as possible” to customers if the incident might materially affect operations for at least four hours.

The rule announced by the Federal Reserve Board of Governors (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) last month takes effect April 1. It applies to banking organizations such as national banks, federal savings associations, state member banks, U.S. operations of foreign banking organizations, federal branches and agencies of foreign banks, and U.S. bank holding companies and savings and loan holding companies.

Under the new rule, reportable cyber incidents are those causing “actual harm” with respect to the availability, confidentiality, or integrity of a banking organization’s information system or the information that the system processes, stores or transmits. As a result, notification will not be required if an incident only threatens to cause a harm.

A banking organization’s service providers are also subject to the rule, which will now require notification by a service provider to the banking organization of incidents which has caused “or is reasonably likely to cause” a service interruption of four or more hours.

Federal banking officials concede the new reporting requirement won’t stop cyberattacks on the nation’s banks. It won’t even serve as a speed bump in such criminal activity.

What it will do, according to industry newsletter Banking Exchange, is give regulators and federal law enforcement officials a better chance of tracking attacks, identifying patterns, and ensuring local bank executives are doing their part to protect customer data and assets.

Some types of computer incidents involve new account or wire fraud, account penetration or takeovers, and malicious attacks such as ransomware. The disruption or degradation of a banking organization’s operations which would pose a threat to the country’s financial stability will also trigger the new reporting regulation.

OneSpan, a cybersecurity company specializing in banking, recently released its Global Financial Regulations Report which notes the main challenges for banking organization are reducing or preventing cyberattacks, safeguarding sensitive internal and customer data, and keeping up with changes in consumer privacy laws and industry rules.

The new banking regulation emphasizes material disruptions such as denial-of-service (DOS) attacks or data hacking incursions which limit or shutdown a banking organization’s operations regardless of whether customer information is compromised. However, some cyberattacks may also be subject to supplementary reporting under other federal or state laws.

Instructions will be sent to all regulated banks in early 2022 on when and how to process a notification.

Maricopa County Officials Remain Mum About Cyberattack On Voter Data Files 8 Months Ago

Maricopa County Officials Remain Mum About Cyberattack On Voter Data Files 8 Months Ago

By Terri Jo Neff |

Articles published by some media outlets this week that top Arizona officials knew of a cyberattack of Maricopa County’s voter registration files last fall but have kept it hidden are incorrect, as shown by the level of news coverage the hack received in December and January.

Part of the problem, however, is Maricopa County officials did not respond to the cyberattack in a proactive manner when it was discovered during the 2020 General Election. There was no press conference nor even a press release advising the community that voter registration data had been hacked.

The dearth of updates has not helped instill voter confidence in the months since then if social media comments are representative of community mood. And a letter Maricopa County Recorder Stephen Richer has sent to some voters is not helping, as it contains an inaccurate claim about how county officials responded to the cyberattack.

News of the cyberattack was first announced in early December in a Forbes article which revealed FBI agents armed with a federal search warrant raided a Fountain Hills condominium on Nov. 5, 2020, two days after the General Election. The agents went to the residence of Ellen and Elliot Kerwin looking for evidence of the cyberattack, according to court records.

The search resulted in the seizure of several computers from the Kerwin home, along with eight hard drives, and a bunch of electronic accessories.

Megan Gilbertson, a Maricopa County spokeswoman, confirmed the cyberattack to Forbes for its Dec. 4 article and she has insisted that the only voter data the hacker or hackers accessed from Oct. 21 to Nov. 4 was information about voters which is already public by law.

“Analysis by the Maricopa County Recorder’s Office IT Security indicates an unauthorized individual gathered publicly accessible voter information from our website,” Gilbertson said. “Additional security controls were put in place to mitigate against this activity occurring in the future.”

But what Gilbertson failed to say is how someone was able to access the county’s voter registration files and whether the hacker tried to get into other county databases. Other Maricopa County officials have appeared to try to divert attention away from the cyber incursion or to minimize the impact, often stating there were “no problems” with the election.

Steve Chucri of the Maricopa County Board of Supervisors announced just hours before the Forbes article was published that he was considering asking for a third-party audit of the county’s Dominion Voting System machines, even as the canvas was still pending in the nation’s fourth populous county.

Then after Stephen Richer was sworn in as the county’s new recorder in January he sent a notice to some voters addressing the hack. The notice tells “Dear Voter” that the county’s IT Security Department “immediately identified the attack and successfully took steps to stop the activity.”

However, it is apparent from FBI documents that the IT department did not “immediately” stop the breach, as the attack occurred over 15 days.

A spokeswoman for the U.S. Department of Justice told AZ Free News in May the agency cannot comment about the cyberattack as it is part of an ongoing investigation. But voters seem to be growing impatient with the lack of accurate and timely information more than eight months after the hack.

Among the questions left unanswered is whether the cyberattack was undertaken simply to see if it could be done, or was it intended to cast doubt about the election? Also, was the hack possible due to lax county protocols or possibly even by the unintentional actions of a county employee?

More importantly, is Maricopa County’s reticence connected in any way to the board of supervisors’ refusal to comply with a Senate subpoena for access to the election department’s internet routers?

The most critical question, however, is when will county officials come clean with a complete explanation of how someone hacked the voter records of a major government body.

RELATED ARTICLES:

Who Hacked Into Maricopa County’s Voter Files And What Data Did They Get?

Chucri Offers Support For 3rd Party Audit Of Dominion Machines Day Before Voter Info Theft News Broke