Colorado governments — state, county and local — took a critical step in honing cyberattack response plans at the Joint Cyber Workshop Feb. 10-11.
For the first time, C-suite level decision makers from government IT organizations across the state joined the workshop in closed-door sessions to create a memorandum of understanding formalizing Colorado’s cyber incident response and to discuss how the Colorado National Guard’s cyber response teams would be activated during a cyber crisis.
The two-day event, organized by Regis University, the state of Colorado, and the Colorado Army and Air Force National Guard, focused on threat intelligence, shared information and communication. It also involved the Colorado Information Analysis Center, FBI Cyber Division, Colorado Division of Homeland Security and Emergency Management, Colorado Office of Information Technology, and municipalities.
“The takeaway was that we had the right management people and that was the excitement, the success beyond measure — not just to get everybody talking, but to get the decision makers,” said Dan Likarish, director of the Regis University Center for Information Assurance Studies and associate professor in the College of Computer and Information Sciences.
The memorandum of understanding will lead to “well-defined policies that will allow the Guard to assist during an event,” Likarish said.
In the technical track for frontline responders, the aim was to train and build technical cyber skills with “like” entities in a non-stressful environment, and to create ongoing relationships to build trust and competencies that can be called upon in the time of need, said Chief Warrant Officer Laura Cobert, cyber liaison in the Colorado National Guard Joint Staff.
Preparation is priceless
“It’s so important to know your peers in the field, learn best practices from them, and share your own experiences,” Cobert said in an email. “Building trusting relationships now, learning each other’s skill sets, and growing as a State will be priceless if ever the ‘when, not if’ happens.”
Emergency response runs better when people have worked together before — “Like we’ve always said: A cyber [emergency] event is the wrong time to exchange business cards,” Likarish said.
“When we have the opportunity to get out from behind the computer, shake hands and have fruitful conversations with like-minded people from differing entities across the state but with the same goals in mind, it moves the State as a whole forward,” Cobert added. “Colorado — Denver and Colorado Springs specifically — are always trying to move the dial forward when it comes to cybersecurity. When we can build lasting relationships and work alongside folks, even if just for a weekend, we grow as a State. States get into trouble when they function in silos.
“Companies and business are still wary about sharing what attacks they’ve experienced and what vulnerabilities they may have, and rightly so. But the second we can take the walls down and share information with one another and learn from one another is the second we can start being proactive versus reactive.”
Deborah Blyth, chief information security officer at the Governor’s Office of Information Technology, said the workshop was an excellent opportunity to improve incident response plans and abilities, while enhancing technical skills.
“In the event of an actual cybersecurity emergency, we have already established relationships, assessed critical skills, and have plans in motion to help us to engage and recover quickly,” she said in an email.
Likarish said the aim was not to address “digital Armageddon”-type attacks like taking down the power grid, where federal responders would get involved, but to focus on where the Guard would be most effective.
Protect the crown jewels
“That’s during elections, that’s protecting property rights … sales tax revenue, health records,” he said. “The crown jewels that are held by the state, local and regional governments are the citizens’ data and the state’s data. That has value, so that has to be protected — it can’t be lost, it can’t be taken by the adversary. It has value [for illegal sale] on the Dark Web.
“The [type of attack] that’s going to affect the local people is like the Equifax problem: They lost your personal, identifiable data — and now who you are as a cyber citizen is for sale,” Likarish said.
Cobert said the Colorado National Guard has two small specialized cyber teams: the Defensive Cyber Operations Element and the Cyber Protection Team.
In the event of a cyberattack, National Guard cyber team members would support government professionals and provide services to local governments, Likarish said.
“It’s down to the granular discussion of what they can do and what they’d be responsible for,” he said. “It would be patently unfair to the Guard to say, ‘We don’t know what’s going on, it’s all yours now.’ Years ago that’s probably what we thought would happen: We don’t know what to do, we’ll bring the Guard in.”
Likarish said National Guard response teams could relieve government IT professionals during the days or weeks it takes to deal with a cyberattack.
“During these events, the most knowledgeable people are exhausted after 30 hours, 36 hours — they’re just dead on their feet,” he said. “So the Guard can come in and take systems off, they can do logging. … What that means is you keep the defense measures in place while the people who are most expert with the system can get refreshed. And that’s how you more readily defeat an adversary: You just stay awake longer than they do.”