- State Coordinator for the Cybersecurity and Infrastructure Security Agency offers insight on the increase in cyberattacks as well as ways to protect data from bad actors.
Mississippi residents, businesses, and local governments are not immune from the increased cyberthreats seen across the U.S., the state’s Public Service Commissioners heard this week. As such, officials say it is more important than ever to establish protections to combat bad actors.
The Cybersecurity and Infrastructure Security Agency (CISA), formed in 2018, has been helping owners and operators of critical infrastructure, along with local and state governmental agencies, keep their data safe from cyberthreats.
At a Telecom Summit on Tuesday, William “Greg” Mallett, Mississippi’s Cybersecurity State Coordinator for CISA, informed members of the Mississippi Public Service Commission (PSC) about the services CISA offers. He also offered tips for everyone – from the public to state agencies – to stay safe online.
CISA’s Role
CISA services are offered at no charge to qualifying agencies. Some of the services offered include cyber hygiene vulnerability scanning, web application scanning, aid in establishing cybersecurity performance goals, and incident management reviews. CISA can also help affected parties recover money if action is taken quickly enough.
“Because we have tools we can put in place to try to recover funds if we are notified early enough in the process,” Mallett said.
Currently, there is no rule that requires a ransomware attack to be reported. However, the passage of the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 is expected to change that, Mallett told commissioners.
The agency, which is housed in the Department of Homeland Security, is currently in the rulemaking process, which is expected to be completed by October 2025. When finalized, “covered entities” would have an obligation to report certain cyber incidents to CISA within 72 hours and report ransomware payments within 24 hours. The “covered entities,” as outlined in the law are those that meet certain size, sector, or function-based criteria related to operating in one of the critical infrastructure sectors or that provide certain information technology or operational technology services.
Protecting Data
Mallett said one of the best methods to protect data from ransomware is to regularly backup all information. By doing so, there is no need to pay the ransom when a system is affected, he added.
Additionally, backups are a better option because some businesses that paid the ransom did not retrieve all of their information, or what was returned was corrupted.
“That’s what we’re trying to do is get people to that point where you can come back quickly,” Mallett said.
The most advanced persistent threats appear to be coming from international bad actors located in China, Russia and Iran, Mallett described. He said there has been a change in that they are attacking operational technology rather than informational technology. Information technology typically includes hardware such as laptops, desktops and routers, while operational technology are those devices connected to a network that control HVAC systems, security systems and access control systems. Even though they are networked, they do not normally receive the same level of defense.
Mallett described a recent attack on a hospital where their record system was accessed through the facility’s 20-year-old HVAC control system. As a result, the patient record system was compromised.
Cyberattacks on the Rise
Of the 16 infrastructure sectors considered critical by the FBI’s Internet Crime Complaint Center (IC3), 14 sectors reported at least one instance of an operator falling for a ransomware attack in 2023. IC3 reports that in that year, the agency received 1,193 complaints from representatives in those 14 sectors.
The five sectors with the most reports included healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).
The FBI report shows that cybercrimes cost Americans about $12.5 billion in 2023, with losses totaling upwards of $37 billion in five years. Reports of cybercriminal activities increased by about 10 percent in 2023 compared to the previous year, totaling about 880,000. That is up from 467,000 in 2019.
The top five types of cybercrimes reported to the FBI’s IC3 include phishing, personal data breach, nonpayment/non-delivery, extortion, and tech support.
Since not every cyberattack is reported, Mallett suspects the real number is much larger.
“I think that’s a really low number because here in Mississippi we see ransomware attacks approaching seven figures,” Mallett added. “Again, that’s only the ones that were reported.”
Some of the scams businesses should keep an eye on include emails that impersonate a legitimate business or individual with the aim to divert payments or steal sensitive information.
“The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds,” IC3’s report states.
Preventing Online Threats
Mallett told the PSC that the best method to approach cybersecurity is to focus on how to prevent an attack before it inevitably occurs. Today, such attacks are more widespread than ever because they no longer come from a hacker working in a basement; ransomware is now offered as subscription-based service on the internet.
Suggestions Mallett provided during the PSC’s Telecom Summit to avoid cyberattacks include not clicking on links or downloading attachments contained in suspicious emails; using strong passwords with a variation of numbers, letters and special characters at least 15 characters long; and using the strongest form of multi-factor authentication available.
“Other best practices include carefully examining the email address, URL, and spelling used in any correspondence and not clicking on anything in an unsolicited email or text message asking you to update or verify account information,” IC3’s report states.
To prevent attacks, Mallett also said enabling automatic updates allowing software on all devices to remain up to date, utilizing a good virus protection system, and employing tools that allow the system’s administrator to see who is connected to the network.
Jeremy Pittari
