Fool me once: How Kentucky can avert next cyberattack

By Buck Ryan

Don’t click on that link!

Adam Clayton Powell: “Security of elections around the U.S. are under attack from expert and well-funded adversaries using new techniques,” said Adam Clayton Powell III, executive director of the USC Election Cybersecurity Initiative.

If I have to tell you once, I have to tell you 10,000 times Or at least that was the challenge for Gary Pruitt, president and CEO of The Associated Press, which last year fended off cyberattacks at the rate of 10,000 phishing emails—a day.

“Cybersecurity is an arms race you can’t afford to lose,” Pruitt told Adam Clayton Powell III, the host of a USC Election Cybersecurity Initiative Regional Workshop held Thursday afternoon for Kentucky and four other states.

Powell is executive director of the University of Southern California initiative, a nonpartisan, independent project funded with a generous grant from Google.

Whether it be a cyberattack last month on the City of Frankfort or the historic one to strike the University of Kentucky and UK HealthCare last year, no one is safe from malicious actors intent on breaching their private information—personal, medical or financial—or holding their institutions ransom.

In the workshop, national experts offered tips and insights on cybersecurity and cyber safety, disinformation and misinformation, and crisis response techniques.

The workshop included practical advice for individuals, such as to use pass-phrases rather than passwords for extra protection. IsntThataGr8Idea!

But don’t use the same password for one account that you use for financial transactions, warned Clifford Neuman, director of USC’s Center for Computer Systems Security. Without your knowledge, your passwords may already be available on the dark web.

“The most believable phishing sites trick almost half the users,” or 45 percent, Neuman said. “Hackers move fast. Twenty percent of the accounts are accessed within 30 minutes.”

Worried about malware and ransomware?

“Every new app you install is a risk,” Neuman said. “Always download apps from trusted sources.”

In an interview before the workshop, Powell flashed this red light for editors and publishers of community newspapers: bad actors have shifted their focus from national attacks to local governments, local elections, local businesses and local news organizations, which offer both more credibility to hack and more vulnerability to malicious interventions.

As the battle continues for open records to understand what exactly happened in the Frankfort cyberattack, a University of Kentucky audit is revealing one year later how much the cyberattack on its hospital cost—$5 million—and how “perilously close” it came to the dire consequences of a system-wide shutdown for UK HealthCare.

The 46-page audit revealed that malware installed on university servers was designed to mine cryptocurrency.

For you Bitcoin investors, I direct your attention to the editor and publisher of a weekly community newspaper in North Carolina who got an anonymous tip that his county’s personnel records, including files from the sheriff’s department, were being viewed on the dark web.

Chatham County’s computer network was hit with a ransomware attack launched through a malicious attachment in a phishing email. The ransom demand in October 2020 was for 50 Bitcoin.

When the threat was ignored, the cyberattack shut down most county functions and temporarily cut off public access to services. The county then started to pay a price with two dumps of sensitive data on the dark web two months apart.

When his newspaper, the Chatham (N.C.) News + Record, broke the story that his county was being held ransom, the first-day story estimated the amount at nearly $700,000 in Bitcoin. The nearby Raleigh News & Observer published a follow-up story in February 2021 that calculated the same 50 Bitcoin ransom amount, for headline purposes, to be worth $2.4 million.

Time is money, and there’s no time to lose to secure your own operations against cyberattacks.

“One thing we learned from talking to cybersecurity experts in our reporting on the Chatham County breach was how fragile computer networks are,” News + Record Publisher Bill Horner III said.

“We’ve learned how these threat actors attack municipalities, universities, hospitals … and getting ‘in,’ for them, is quite simple.”

The News + Record published a screenshot of a counter showing files had been viewed over 30,000 times. The cyberattack was linked to DoppelPaymar, one of more than 20 ransomware groups identified by the FBI.

Another great challenge for community newspaper publishers and editors is the battle over disinformation.

“On average, a false story reaches 1,500 people six times more quickly than a factual story,” said workshop speaker Sarah Mojarad, a lecturer in USC’s Viterbi School of Engineering, citing research on the issue. “This is true about false stories on any topic, but stories about politics are more likely to go viral.”

What’s a good sign that what you’re reading may be disinformation? It causes you to fear or feel outrage, Mojarad said. Take a breath and check it out before sharing it, or asking sources to comment on it, thereby giving it more credibility than it deserves.

Flying under the flag of “Our Candidate is Democracy!” the workshop’s goal was to keep our next elections safe and secure.

“The USC Election Cybersecurity Initiative is an invaluable effort to spread the word about digital threats to American democracy,” said Robert Farley, a senior lecturer who recommended the workshop to his students in UK’s Patterson School of Diplomacy and International Commerce.

“We know that the electoral system has suffered malicious attacks from both foreign and domestic actors,” Farley said, “and understanding both the effects of those attacks and the steps that have been taken to protect the integrity of the electoral process is critical to maintaining faith in the electoral process.”

The University of Kentucky hosted a USC Election Cybersecurity Initiative workshop in February of last year in the Woodford Reserve Room at Kroger Field. At that time, Don Blevins Jr., Fayette County clerk, predicted a dark future and the ultimate challenge for journalists. He now fears that prediction may have come true.

“My primary concern is actually not about cybersecurity,” Blevins said. “My primary concern is that the public will lose confidence in elections through misinformation or other types of activities that might lead them to believe their vote doesn’t count or that the election is rigged … I think that is a far greater challenge we need to watch for.”

This year the USC initiative will cover all 50 states again, but with combinations of states in 10 regional online workshops. The Kentucky workshop included representatives from North Carolina, Tennessee, Virginia and West Virginia.

For a Kentucky connection in Thursday’s workshop, Powell turned to Bob Babbage, a former Kentucky Secretary of State, a lobbyist and a cofounder and managing partner of a consulting and advocacy firm, Babbage Cofounder.

“With global cybersecurity experts,” Babbage said, “we have learned this much: That whatever we do, the bad folks, the criminals, are going to keep coming back and trying to break in. That makes your initiative all the more important.”

Buck Ryan

About the author
Buck Ryan, a University of Kentucky journalism professor, is conducting a “participatory case study” of the Chatham (N.C.) News + Record. He can be reached at buck.ryan@uky.edu.

Leave a Reply

Your email address will not be published. Required fields are marked *