In January, Akron suffered a “ransomware” attack when hackers shut down the city’s 311 non-emergency phone call system just as city plows were being deployed during a snowstorm.
To undo the damage, hackers gave the city a demand: A five-figure sum.
Ohio lawmakers are considering legislation — Senate Bill 52 — to deal with that kind of scenario in what they say will be a quick and organized way: The legislation would create a civilian force of 50 to 100 professionals across the state who would work to prevent such attacks and respond when they happen.
The all-volunteer Ohio Cyber Reserve would operate under Maj. Gen. John Harris, the Ohio adjutant general who commands the Army National Guard and the Air National Guard.
“There’s so much cyber talent working out there in industry, in business and quite frankly in some municipalities, but we have no way to orchestrate that or organize that,” Harris said in an interview.
Cyber-security is something a lot of people and organizations talk about, said Jack Gerbs, chief executive of Centerville network security and IT company Quanexus. But too often, they don’t invest the resources needed to actually protect computer networks and systems.
In this arena, resources matter. Said Gerbs: “It’s a race between the good guys and the bad guys.”
“My life is mostly spent on the prevention side of the world,” he added. “If you do the right things, you become less of a risk or less susceptible.”
Volunteers in the Cyber Reserve would be expected to work for no pay “most of the time,” unless deployed in response to an Ohio emergency, Harris said. Then they would be paid as state employees.
In the event of a complex event that demands a response, members of the newly formed force would respond with members of the National Guard.
In the Akron ransomware attack, members of the Guard with the 172nd Cyber Security Protection Team assisted the city, which was hit with the malicious software attack as government was preparing to plow snow from city streets.
Attacking cities is an increasingly favored tactic for hackers. Also in January this year, officials in Del Rio, Texas, were forced to switch to paperwork after a ransomware attack closed down city servers. In Atlanta a month after a March 2018 ransomware virus attack, some water and sewer bills still could not be paid online.
And in Dallas in April 2017, hackers were able to set off more than 150 security alarms, overwhelming 911 operators in the city and resulting in the shutting down of the city’s security system.
“This is just an example of why that (Ohio’s response to cyber attacks) needs to formalized and expanded,” Ohio Secretary of State Frank LaRose said, referring to the Akron attack.
Ohio’s force would work for state and local governments, analyzing vulnerabilities and helping municipalities ward off attacks, Harris said. They would also recruit the “cyber-talent of the future,” reaching out to students in high schools, he said.
Election security is another area of concern. Under SB 52, a chief information security officer would be appointed to advise the secretary of state on data security.
In an interview, LaRose said Ohio’s voting machines aren’t connected to the Internet. When Ohio voters cast ballots, they are not “online” in any sense, he said.
Votes are cast either on paper at polling places or on a touch-screen machine that prints a paper receipt record that is printed immediately within the voter’s view, he said. Those methods are not tied to the Internet, he said.
At the end of a voting day, bedrock voting data is physically transported on a memory stick under the control of both a Republican and and a Democrat under a “very clear chain of custody,” LaRose said.
The only time a tally is released from a secure machine to the Internet is when election results are publicly reported, according to LaRose.
“It’s important for Ohioans to recognize that there are good safeguards in place to protect elections,” he said.
However, the state must protect systems that are online, such as databases of registered voters. The state needs to be wary of actions that could “sow doubt” about election integrity, such as disrupting registration databases.
Ohio’s database of new and updated online registrations is backed up every several hours, LaRose said. Information submitted online for voter registration is checked against records with the Ohio Bureau of Motor Vehicles.
The “worst case scenario” in the event of a successful hack of registration information would be the loss of several hours of new data, LaRose said.
“We don’t want to tip the bad guys off on exactly what safeguards we have in place,” he said.
Even with these very real dangers, Ohio is not going to retreat to a “paper-only” world, he also said.
“The bad guys only have to be right once; we have to be right every day,” said LaRose, a former state senator who said he introduced similar Cyber Reserve legislation when he served in the Senate.
Maurice “Mo” McDonald, an executive vice president with the Dayton Development Coalition, has been a member for two years of a group called the “OC3 Committee,” a body that has worked to spark statewide cooperation in education and workforce development in cyber expertise.
The group helped “to gel the entire effort” to consider the creation of a Cyber Reserve, working with Maj. Gen. Harris and others.
“The Dayton region has been a significant player in that effort,” McDonald said.
Ohio needs to unite and make sure municipalities aren’t on their own in facing cyber attacks, McDonald said. This effort would unite not only citizen-soldiers in response, but also commercial and academic talent, he said.
“It’s the National Guard responding, but it’s also industry helping to respond, it’s academia helping to respond,” he said.
Other states have launched similar forces, including Michigan and Texas, and OC3 members have spoken with representatives of those states. McDonald said. Maryland has been a leader in this kind of effort, as has Wisconsin, he said.