The State of Connecticut Cybersecurity: Q&A with Connecticut State Cybersecurity Czar Arthur House

In the fall of 2017, the State of Connecticut announced a cybersecurity action plan. In order to learn more about this--and the state of cybersecurity in Connecticut in general--we reached out to Arthur House, Chief Cybersecurity Risk Officer for the State of Connecticut. He was gracious enough to fill us in on a wide variety of topics from how Connecticut’s towns and cities are battling hackers, to why countries like Ukraine are looking to CT for guidance on cybersecurity.

While the action plan has been referred to as a task force in the media, Art explained that it’s not an official task force so much as a group of engaged stakeholders. The action plan kicked off with a focus on law enforcement, education, and government, and will be increasing attention on the business community in 2018. In each arena, it is guided by the seven principles laid out in in the Connecticut Cybersecurity Strategy:

1. Executive awareness and leadership
2. Literacy
3. Preparation
4. Response
5. Recovery
6. Communication
7. Verification

Here are some of the highlights of our interview with Art. Below, you’ll find the full transcript and audio of the conversation.

Connecticut is a leader in cybersecurity...

It seems like a cybersecurity strategy and action plan are things every state should have. Yet, Connecticut is the only one that does. In fact, Connecticut is an international leader in cybersecurity:

Art: The State Department in Washington has some countries that it's concerned about because of their cyber vulnerabilities. Obviously, Ukraine is one of them but there are some other Black Sea countries, and it's selected Connecticut to help work with them to make our cyber strategy available to these countries. I've been doing that for the past year.

...but we’re still extremely vulnerable.

Art: Security is not a state. It's not a situation in which you exist. It's a constant battle. I used to work in the intelligence community in the Obama administration. I was Director of Communications for the Director of National Intelligence. When I got this new job, I went down and saw some of my former colleagues and I said, “When you look at Connecticut, what should we be worried about?” First of all, critical infrastructure, but that’s the same answer we give for every state, the fear being that someone could penetrate electric distribution, and shut down the availability of electricity for a population for a prolonged period of time. So for every state, critical infrastructure, public utilities is number one. They say when you look at Connecticut, we make submarines and helicopters and jet engines and so forth, so the defense industry is one. Another is financial services and insurance because we have so much of that.

Closing gaps by committee

Art emphasized that implementing the Connecticut cybersecurity strategy is “a collaborative effort,” pointing out that he has no staff or employees and that he’s relying on those affected by the issue to tackle it.

The business focus for the task force is still coming together, but we can look at what’s been done so far in law enforcement and education to give us an idea of what shape it could take. This year, channels were established for federal and state law enforcement to collaborate with Connecticut municipalities in investigations. In education, an inherently open data environment, the effort has been focused on training and awareness. The same for the Connecticut State Government, 20 percent of which will be trained in cyber security methodology by 2019.

Hopefully, it doesn’t come to cyber audits

Art is working with Connecticut businesses and associations to find a way to prevent hacking from getting to the point where cybersecurity has to be regulated by law.

Art: We’re working with CBIA, MetroHartford Alliance, Fairfield County, all the different business associations we can, and with particular sectors such as banking, insurance, and defense to try to do what we can to help them to focus on cybersecurity. I would not be surprised if in 10 years there would be very widespread cyber audits for companies, just as there are financial audits now.

Obviously, you and I can’t determine what the financial health of a large corporation is, but we as a public have a vested interest in knowing how safe their finances are. And so they bring in an auditing firm and they use generally accepted accounting principles and they report on it annually. We may be getting to the point where there will be cyber audits as well and there will be letters written as to how safe major corporations are because our security, our employment, and the well being of the state depend upon it.

I’m trying to work on a collaborative basis before we get to that kind of system of how can the state work with the private sector to strengthen cyber security defenses and prevent a penetration or disaster from happening.

What’s Next?

To learn more about the latest cyber threats facing CT, what the cybersecurity action plan has achieved so far and what it’s planning, listen to or read the full interview below!

Listen

Complete Interview with Arthur House, Chief Cybersecurity Risk Officer for the State of Connecticut

Matt: This is Matt Kozloski. I'm the Vice President of Professional Services at Kelser Corporation. With me today, I'm pretty excited, I have Art House, Chief Cybersecurity Risk Officer for the State of Connecticut. So Art, want to just share a little about yourself and your background and what you do for Connecticut?

Art: Yeah sure. I most recently was Chairman of the Public Utilities Regulatory Committee in Connecticut and then in October of 2016, Governor Malloy asked me to be the Chief Cybersecurity Risk Officer, which is the position I have today. He asked that I do two things working with Mark Raymond, the Chief Information Officer in Connecticut. The first is to create a cybersecurity strategy for Connecticut for the state government, municipal government, the private sector, higher education, and secondly to turn that strategy into an action plan. We completed the first part. The Governor announced our cybersecurity strategy in July of 2017 and we’re now working to turn it into an action plan for those five areas.

Matt: Tell us a little bit about the strategy itself. What does it encompass? What went into making it?

Art: The strategy has seven principles that we think apply throughout business, government, private world, everyone: executive awareness and leadership, response, recovery, communication and verification. We applied to the five areas I spoke of, the state municipalities, business, higher education, law enforcement and security. We set goals for each of those areas and we’re now turning those into actual action plans. So we’re part way through, we’ve gotten some work done in state government, in higher education. We’re doing some work with law enforcement and we’re proceeding.

I should just say, Matt, it’s not as easy as setting a strategy as an action plan and then declaring victory. Offense is much easier in cybersecurity than defense is and every day we get reports of some new breakthrough in offense. One of the most disturbing ones was at the National Security Agency recently. Some of our our own tools that we had developed to break into the cyber systems of other countries not only had been stolen, but were being turned back and used against the United States. The point being that if the top intelligence and defense agencies of the United States can be hacked, then anything can be hacked. We have evidence of that going on all the time, so this is a growing problem not a diminishing problem.

But a lot of the responsibility has to lay with the states. We're in charge of critical infrastructure, for example, and Connecticut has made a lot of progress in working with the public utilities of the state. That's one of the areas in which we've made the most progress.

Matt: How would you say Connecticut falls in line compared to other states in the country?

Art: Two answers, Matt. One is that we are leading the charge—we're out in front. Secondly that's not cause for comfort. The national media often refers to us as being out in front and the other day one of the national experts said Connecticut is the gold standard for strategy and so forth. It’s not something we can take a lot of comfort in.

First of all, we were the first state to create a program by which the state would review annually the cyber security defenses of our public utilities: electricity, natural gas, and water. It provided that there would be an annual review, that the standards would be picked by the utilities, and that there would be four state officials participating. We did that in 2017. We issued the report recently and what makes it very interesting is it is done by collaboration rather than by legal fiat or a mandate or a formal docket within the utilities regulatory authority, so in that sense, I don’t know of another state which is doing that kind of collaborative review of the state of cybersecurity for its utilities.

The second thing is we have a strategy, and it’s a comprehensive strategy. The other day the former Assistant Secretary of Defense Paul Stockton said that Connecticut was the gold standard in creating a strategy. Now, the State Department in Washington has some countries that it's concerned about because of their cyber vulnerabilities. Obviously, Ukraine is one of them but there are some other Black Sea countries, and it's selected Connecticut to help work with them to make our cyber strategy available to these countries. I've been doing that for the past year and I'm using that as an example because it's a concrete instance of the fact that, Connecticut being a bit out front, the United States is using us as a model to help other countries who are friendly to the United States to strengthen their cybersecurity defenses.

Matt: And I imagine that in turn helps us too, right?

Art: It really does. I’ve got to tell you, I would rather sit down and talk with a country that has been attacked by Russia or penetrated by a foreign power and has had to recover from the attack or is seeing the attacks all the time as Ukraine is. You don’t have to convince them that cyber is a weapon and that cyber is dangerous. They know about it. They’re living it all the time. Their experiences are far more valuable to us and the United States for helping to prepare and prevent that from happening than a whole bunch of seminars and webinars and theoretical exercises. We learn a lot from working with them.

Matt: Specific to Connecticut, are there any threats that we face specifically? I mean we have a sub base here, we have a nuclear reactor, for example. Anything specific to our state that concerns you, keeps you up at night?

Art: I I used to work in the intelligence community in the Obama administration. I was Director of Communications for the Director of National Intelligence. When I got this new job, I went down and saw some of my former colleagues and I said when you look at Connecticut—the question you just posed, Matt—what should we be worried about? First of all, critical infrastructure but that’s the same answer we give for every state the fear being that someone could penetrate electric distribution, and shut down the availability of electricity for a population for a prolonged period of time. So for every state, critical infrastructure, public utilities is number one. They say when you look at Connecticut, we make submarines and helicopters and jet engines and so forth, so the defense industry is one. Another is financial services and insurance because we have so much of that. So each state has a different profile. We hope that these seven principles that I just listed for you can be applied flexibly to anyone, not only those areas of special interest, but to any company or a school system or municipal government because they do apply. I don't need to tell you, Matt, that security is not a state. It's not a situation in which you exist. It's a constant battle, so every day there's a new threat and every day we need to be doing everything we can to contain that threat.

Matt: Along those lines about it being a constant threat, it seems to me that in some ways people maybe have become numb because there's there's so much cybersecurity in the news and either they're separated from it or they just kind of become numb to it. What would you say to that population of people who say, “I’m going to get hacked anyway, so…”?

Art: I think you're right and I appreciate you pointing that out. There are far too many people who say, “Look, there's nothing I can do about it.” No, they're there are all kinds of things you can do about it. Secondly, you do not want to be hacked. Think of the terrible things that can happen to you in life. You do not want them to happen and you certainly do not want someone else to penetrate and take advantage of your system whether you’re a personal individual or a company. Connecticut just for example, we have coming into Connecticut every single month 4.8B connection attempts to the statewide network and external systems each month, inbound and outbound traffic. Two billion of the 4.8 billion are blocked because they don’t meet our protocols and a lot of those are nefarious which could really do extreme damage. Just email—coming into the state there are about 38 million email connection attempts every month, of which 85 percent are blocked. 85 percent!

To answer your question, what could happen if you were complacent and you didn’t care about it? I mean, your business could lose intellectual property. It could lose personal data. What is sellable on the market are health records, personally identifiable information such as name, rank, serial number, social security number and so forth. Already three things that have been stolen in Connecticut that are of great concern for us just for example. The plans for the F35 jet fighter, the plans for the Black Hawk helicopter, and the plans for the Aegis Missile Defense System on ships. Just think of the years and tens of billions of dollars that go into developing those programs and people stole them. Nation states stole them. So the damage that can be done to an individual with identity theft or to a company with ransom theft or intellectual property theft or to the United States by the theft of our weapons systems or other things. The potential damage is massive. For businesses it’s costly and every dollar that you put into cybersecurity defense may be a dollar that doesn’t go into product development or marketing or salaries or whatever. It’s not easy. It’s very difficult and it is costly to have a good cybersecurity defense system.

Matt: What kind of advice would you have for businesses or even a municipality that they agree now, “I don’t want to be complacent with this anymore, but I don’t even know where to begin.” What would you recommend?

Art: I would recommend they download the Connecticut Cyber Security Strategy of July 10, which is available on our website and start there. I would recommend they look at those seven principles.

Matt: Do you want to share your website?

Art: Google “State of Connecticut,” go to cyber security, and there it is. Or go to department of administrative services, BEST, Bureau of Enterprise Systems Technology, and there it is. [Or right here: www.ct.gov/ctcyberlibrary] We’re asking that state agencies use the NIST, National Information Systems and Technology standards, that they report quarterly on risks, that they educate employees on cyber security awareness, use procurement and audit responsibilities. We want 20% of our security personnel to be trained thoroughly in this by January of 2012. We need workforce employment, supply chain.

Five years ago, a lot of municipalities did not have a chief information officer, never mind a cyber security officer. A lot of them still don’t; they’re too small. What they have to do is start with the basics. They have to have firewalls and they have to follow those seven principles. Why? Two reasons. We have had towns in Connecticut that have been subject to ransom attacks for their fire and police services. If you don’t pay, you could lose the ability to communicate with your police force or fire department for a period of weeks, which is absolutely unacceptable, obviously. You can’t live in a town that has no ability to operate in public services. Secondly, they have public information which could be very damaging. They have tax records, they have personal information and so on. This is now a responsibility not only of state government but of municipal governments as well, and they’re starting to rally. They have that starting point and we’re working with them on an action plan to come up with concrete steps that they can take to protect themselves and the citizens in each town.

Matt: It would seem even as a taxpayer of a town that you should start maybe asking your town what they’re doing for cyber security, and maybe as an individual get involved and start rallying the cause so that not just businesses but towns take it seriously as well.

Art: I agree, yeah. It’s a good question to ask. Today there are more and more municipalities that have good answers for that. Some don’t, so I agree. Go ask and see what your town is doing.

Matt: There were a few serious W2 leaks even over the last year, I think.

Art: The W2 forms, the tax forms.

Matt: Yes, the tax forms.

Art: There was a scam in one town. And that happens especially around March when you’re putting together your --

Matt: Tax time.

Art: Tax time, that’s right. And you get an inquiry and so forth and people provide information to it. Yeah, that’s right. There are very clever scams of all sorts. Question them. If it doesn’t seem right, it may not be right. Call someone up. If you get an email that doesn’t quite seem right and it’s asking for information, don’t give it. Or call up the sender and say, “I got this email from you. Is that from you? Why do you need it?” Be suspicious.

Matt: Circling back to the strategy, that’s pretty exciting to me that there is a framework that you all put together in place that not only the state and municipalities can take advantage of, but businesses as well. When we talk about putting that into an action plan and then taking action on it, how far along are you with that in just general terms?

Art: I’d say we’re maybe halfway there. Let me just take an example of the field of higher education, which is included. There are two main tasks facing higher education in Connecticut. One is to protect the institutions. Higher education is not designed to hamper the flow of information; it’s there to share it. You go to a college or university to learn, you put things online, and you have course materials, articles, books, and lectures. And you’re trying to get a large volume of information into the hands of the students who can use it. That, plus neither students nor faculty are inherently suspicious and wary of the cybersecurity threats surrounding them. They are open environments. They have to be. They’re research environments. They want to share information.

The problem is that at an academic institution, you have thousands of students and employees with valuable information. So you have to educate them that there are dangers. Beware of phishing attacks in which it looks like there may be an official communication coming out from the university or the college saying, “Provide this information.” So the first task is to put protection into education, which by its very nature is more given to sharing and to learning than it is to protecting and restraining.

The second thing is there is a very real need for training of cybersecurity people in Connecticut. There’s a heat map that you can go to that shows the level of job demand. In the United States right now, it’s about 350,000 cyber security jobs unfilled. In Connecticut it’s about 4,000. These are good jobs. With a two-year degree, you can get out and you can make $50,000 and north of that right away. They’re good jobs, but we are not producing them in Connecticut. The total production, total education of cybersecurity graduates in 2016 was fewer than 40. We are producing less than 1% of the gap of 4,000 in Connecticut that business wants. So it’s not a marketplace. If these were widgets, somebody would find a way to produce more widgets and sell them. They’re not. It’s far more complicated than that. But in higher education, we need to retool and redesign so that we can produce here the good-paying jobs that businesses want.

Businesses, because it’s so hard to get cyber security professionals, it’s a form of stealing from other companies. A big company finds a very good cyber security professional in a medium-sized company, offers a higher wage, and gets them. And it moves on down so that there’s a manpower training factor here. If those are the needs, what do they do? We’re talking with Connecticut’s colleges and universities, the Department of Education, the Department of Labor and so forth, to see what we can do to fast-track the acceleration of the training of those people. Those are just two specific challenges in one area. That’s what we’re doing in the action plan.

Matt: What would you say is next for the taskforce? Is there something in the works for businesses?

Art: People are concerned about the budget in Connecticut. This is an understatement. There is no taskforce. I have no staff, no employees. But there is a collaborative effort. We’re calling in people to help do it. So in that sense, the taskforce is everybody that this affects. We are working in those five areas to come up with specific action plan objectives that can be achieved in the near term and over a long term, applying the seven principles to each area.

In law enforcement, for example, the strategy identified two specific things we want to do in law enforcement in Connecticut. One was to strengthen our ability to access and analyze intelligence about cyber threats. The second was the creation of an investigations unit in Connecticut to work with the FBI and federal officers and municipals. Those are two concrete things that we’re doing, just as, for example, in education, I talked about the protection of institutions, prevention, and cyber awareness. Within state government, we’ve got a whole bunch of them. By January 1st, 2019, we would like 20% of the state security personnel to be trained in cyber security methodology.

We’re working with CBIA, MetroHartford Alliance, Fairfield County, all the different business associations we can, and with particular sectors such as banking, insurance, and defense to try to do what we can to help them to focus on cybersecurity. I would not be surprised if in 10 years there would be very widespread cyber audits for companies, just as there are financial audits now. Obviously, you and I can’t determine what the financial health of a large corporation is, but we as a public have a vested interest in knowing how safe their finances are. And so they bring in an auditing firm and they use generally accepted accounting principles and they report on it annually. We may be getting to the point where there will be cyber audits as well and there will be letters written as to how safe major corporations are because our security, our employment, and the wellbeing of the state depend upon it. I’m trying to work on a collaborative basis before we get to that kind of system of how can the state work with the private sector to strengthen cyber security defenses and prevent a penetration or disaster from happening.

Matt: What’s the best way for someone to get involved in that if they wanted to, or is there an avenue for involvement?

Art: I am arthur.house@ct.gov. We can use all the help we can get.

Matt: Art, I really, really appreciate you taking the time to chat with us for a little bit today. It was certainly educational for me and I hope it’s beneficial for everyone that hears it as well.

Art: I hope so. It’s a very important public issue and I’m glad that you’re taking the time to share information about it, Matt. It’s good to talk to you.

Matt: Excellent. Thank you, Art.