A team of tech experts sets out to build defenses against the growing threat of cybercrime.
uring the 15 years Kerri Fry worked for a small network security firm in Bend, she saw firsthand the debilitating effects that cyberattacks were having on small businesses, organizations and school districts. Poorly resourced, they struggled to scrape together funding to pay for essential services that would make their data secure.
“Most of these organizations had requirements to protect data and secure their networks or perform an assessment to ensure their data was secure. Many chose not to perform those services or weren’t able to perform assessments,” says Fry, who now is a vice president at InfoGroup Northwest, a Lake Oswego IT company.
Two years ago, motivated to help these small organizations, Fry decided to support a new bill, SB 90, that seeks to improve cybersecurity at the state level and create a state center of excellence, a kind of resource hub, for improving cyber defenses in the private and public sectors.
Kerri Fry, vice president of InfoGroup Northwest and chair of the Oregon Cybersecurity Advisory Council
That bill, which Gov. Kate Brown signed into law in June 2017, also launched the Oregon Cybersecurity Advisory Council, which Fry chairs. The council is made up of nine members from the public and private sectors, who are charged with developing a plan for a center of excellence.
The need for a statewide strategy to deal with the threat of cybercrime is critical. Data breaches cost Oregonians $74 million between 2007 and 2017, according to the Federal Bureau of Investigation. And the cost of threats is set to balloon if they are not addressed at the state level.
Despite the urgency of dealing with cybercrime, the council is run entirely by volunteers. All members have executive-level, full-time jobs and work for the council in their spare time.
The members acknowledge their work is unsustainable if they do not have funding. Their goal to improve the skills of the workforce to fight against cybercrime is one of their main motivations.
“Everybody on the council has the same vision: that workforce development is the primary component of why we are here. How can we better equip students, how can we encourage students to go into the cybersecurity industry, how can we reach the marginalized communities and put those students through cybersecurity education?” says Fry.
But they also tout the business opportunities of building a homegrown cybersecurity infrastructure and workforce. Several cybersecurity firms already operate in the state, and with more efforts to develop a skilled workforce, a cyber tech cluster has the potential to take shape.
Meeting of the Oregon Cybersecurity Advisory Council Credit: Jason Kaplan
The origins of a cybersecurity center of excellence go back several years, when Skip Newberry, president of the Technology Association of Oregon, was looking into how Oregon’s cybersecurity infrastructure was faring compared with other states.
His verdict? Poorly. Unlike several other jurisdictions, including neighboring California and Washington, Oregon had no strategic plan to deal with cyberattacks and no programs to train cybersecurity professionals.
Recognizing that Oregon was particularly vulnerable to cyberattacks as a small-business state — 43% of breaches affect small companies — Newberry, who was economic development policy advisor to former Portland mayor Sam Adams between 2008 and 2011, pushed for legislation to create a cybersecurity center of excellence to deal with the threat.
That legislation ended up going nowhere. But fast-forward several years: Lawmakers started to pay more attention to the threat when a handful of Oregon’s state agencies became victims of data breaches, including the Department of Veterans, the Secretary of State, the Employment Department, and the Department of Fish and Wildlife, among others.
“Large employers have huge supply chain networks that consist of a lot of small businesses. They are worried their small-business partners are often connected to their networks, and they don’t have resources to guide against cyberthreats.” Skip Newberry, president of the Technology Association of Oregon
The increasing threat of cyberattacks is indisputable. The number of cybercrime complaints in Oregon rose by 3,455 in 2017, a 259% growth from 2014.
From the start of 2016 to the end of 2018, 218 companies reported data breaches to the Oregon State Attorney General’s office. Businesses must report a data breach to the office within 45 days if the personal data of more than 250 Oregon consumers are stolen.
Organizations that reported data breaches between October and December 2018 include Warby Parker (the online retailer of prescription glasses), wealth manager U.S. Bancorp Investments, the nonprofit Family Tree Relief Nursery, online health-savings account trustee HealthEquity, retailer Nordstrom and restaurant chain Burgerville.
Recent well-reported victims of hacks include Southern Oregon University, which in April 2017 was tricked into wiring $1.9 million into an account used for paying off a construction loan. The university believed it was paying Andersen Construction, which was building a pavilion and student recreation center. Instead the money went into the hands of cybercriminals.
An example of how a hack of one organization can infect several others occurred in a 2014 breach of the Construction Contractors Board, a state agency that licenses construction. Hackers gained access to a database that government agencies use to verify bidders for public-works projects, compromising the log-in credentials for the Oregon Department of Transportation and several county governments.
Although cybercrime is a national problem, Oregon’s lack of infrastructure could cost it dearly, say experts. The average cost of a breach to a small business is between $84,000 and $148,000, according to the FBI. Sixty percent of small businesses close within six months of a breach.
“By most measures, we are far behind in terms of addressing the issues,” says Charles Kawasaki, Oregon Cybersecurity Advisory Council member and chief technology officer of IT company PacStar. “Other states have built cybersecurity centers of excellence and cybersecurity disruption plans and are doing a better job of building awareness than Oregon has.”
Charles Kawasaki, chief technology officer at PacStar Credit: Jason Kaplan
The need to beef up infrastructure to deal with the threat will only become more critical as cybercriminals grow more sophisticated, well-resourced and organized.
Cybercriminals are spread globally in a loose affiliation but can connect quickly and easily through online social networks, says Tom Quillin, a council member and chief technology officer at McAfee, a security software company.
“There is a segment of large enterprises and public-sector organizations that are very well defended. But those are unusual in our economy today. When you get outside of that space, when you look at the average medical center or average small bank or a state or local government, it is extremely difficult for them to keep pace with security requirements,” says Quillin.
Tom Quillin, chief technology officer at McAfee Credit: Jason Kaplan
Cybercriminals can be persistent and specialized, he says. Some may become experts in phishing attacks, while others may specialize in structuring payment arrangements, for example.
“All of these specialties are developing as part of the underground economy, which is increasingly difficult to disrupt,” he says.
The biggest cyberthreat these days comes from so-called business email compromise. In these cases, criminals send employees emails that are crafted to look like they came from a senior manager. They will typically ask the employee to transfer money or request bank account details. The emails can look deceptively authentic, using so-called social engineering tactics that easily fool the employee into thinking the wire-transfer request is genuine. Southern Oregon University fell victim to this kind of attack when it wired money to the bogus construction account.
As a burgeoning tech center, Portland is particularly vulnerable to cyberattack. Every organization, large and small, is a target for criminals if it has valuable data they can steal and monetize. Portland’s growing cluster of third-party technology service providers, which often have weaker defenses against cyberattack than their clients, provides a tempting source of infiltration for criminals.
“By most measures, we are far behind in terms of addressing the issues.” Charles Kawasaki, Oregon Cybersecurity Advisory Council member and chief technology officer of IT company PacStar.
Sean Hoar, chair of the data privacy and cybersecurity practice at law firm Lewis Brisbois, says he regularly handles third-party tech service provider attacks, which increasingly include cloud service providers.
“In the tech community, because so many are third-party providers to a large client or large corporate base, there is a lot of reconnaissance that goes on by the bad guys to get a feel for how they can attack that service and then hit businesses associated with it,” says Hoar.
Hoar’s team of 20 attorneys handles more than 20 data-security incidents a week across the country, he says. All sectors are affected, including areas of the business community that weren’t typically targets in the past, such as manufacturing.
As cyberattacks become more frequent and more consumers have their personal data stolen, regulators will amp up rules for protecting consumers from breaches, and this in turn will make businesses more liable.
Oregon regulators, for example, have expanded the types of data that trigger a data-breach notification to consumers. At one time, consumers had to be notified of a breach if their name and social security number or a name and driving license number were stolen. That has expanded to include medical information, such as biometrics information.
Sen. Ron Wyden has proposed legislation that would require the Federal Trade Commission to establish cybersecurity standards and impose penalties on companies that do not meet consumer data-protection requirements.
The legislation, known as the Consumer Data Protection Act, would allow consumers to control the sale and sharing of their data. “If it were to pass in its current draft, it would implement extraordinary fines and even criminal penalties for lax cybersecurity practices,” says Kawasaki.
Companies can do little to stop cybercriminals from infiltrating their systems, say experts. It is incumbent on companies to make sure they detect a data breach so they can stop criminals in their tracks. “You have to acknowledge the bad guys will find a way in. They are creative enough, persistent enough and resourced enough that they will get in,” says Hoar.
RELATED STORY: CYBERCRIME BUSTERS: AN INSIDE LOOK
Having effective defenses against cyberattacks will set companies apart from the competition and help them win business, experts say. “Security can be a competitive factor,” says Jim Foote, practice director at IT consultant Virtual Information Executives. “They can say in advance, ‘Here is what we are doing with security.’”
The small businesses, nonprofits and local government agencies that do not have the resources to build defenses are where members of the Oregon Cybersecurity Advisory Council hope their role as an information resource and provider of technical services can be the most help.
Newberry hopes the group can protect the broader business community by targeting small businesses and government agencies that can’t afford to boost their cybersecurity defenses. “The council found the most vulnerable aspects of any network are those that are under-resourced: employees, individuals in their homes, small businesses,” says Newberry, who is the treasurer of the council.
He adds the state’s larger corporations are concerned that lax security in the small-business sector could infect them, too. “Large employers have huge supply chain networks that consist of a lot of small businesses. They are worried their small-business partners are often connected to their networks, and they don’t have resources to guide against cyberthreats,” says Newberry.
Skip Newberry, president of the Technology Association of Oregon Credit: Jason Kaplan
One of the council’s main goals is to work with higher-education establishments to improve cybersecurity programs and expand workforce training. About 6,000 people are employed in cybersecurity in Oregon, but 3,000 positions are unfilled. Cybersecurity is second only to computer programming among the highest-growth occupations.
“One of the big issues is that we don’t have a trained workforce that is capable of defending our organizations,” says Kawasaki.
To expand the availability of cyber professionals, employers need to change their expectations of what represents a qualified employee, say experts. Many companies still want to hire people with traditional four-year technical degrees. Council members say this is misguided because cyber professionals need soft skills that can’t be taught, such as curiosity, creativity and storytelling.
“Part of what is important to understanding how to protect an organization is putting yourself in the shoes of the adversary and understanding what they would go after. Those questions really are about the story you would create to design an architecture that would stop that adversary from being successful,” says Quillin.
Community colleges, such as Mt. Hood Community College, offer vocational degrees that council members say are well suited to the workplace. Warner Pacific University in Portland has partnered with coding school Epicodus to launch a new school, uSource, that offers associate’s and bachelor’s degrees in cybersecurity.
RELATED STORY: NEW TECH SCHOOL TACKLES DIVERSITY CHALLENGE HEAD ON
“I have several people at PacStar who have gone through programs like that with two-year degrees, even shorter periods of training. They have turned out to be top performers,” says Kawasaki.
Despite this, employers still hold entrenched attitudes toward hiring cybersecurity professionals. “The other day, I got picked up by an Uber driver who told me he had just finished a two-year program in cybersecurity and he was having a difficult time finding a job — not because he was unqualified, but most businesses somewhat arbitrarily call for a four-year degree,” says Quillin.
One goal of the Oregon Cybersecurity Advisory Council is to provide cyber–security technical services that could be deployed over a high-speed network to small businesses, government agencies and school districts.
This kind of customer support and call-center-like function would require additional staff, for which the council needs funding. The group’s plan for a center of excellence asks for up to $9.3 million to build out services. Newberry envisages the customer support center pairing up cybersecurity professionals with students to provide these technical services, a plan that is a win-win for all, he says.
“The students get the benefit of applied learning opportunities, building up their resumes and getting great experience. And the cyber professionals can give back and contribute to the community,” says Newberry.
As a volunteer organization, the council’s work to date has been “scrappy and bootstrapped,” says Newberry. The group has to show it has a track record to secure funding. And so, over the past 18 months, members have crisscrossed the state, holding events to raise awareness about the risk of cyberattack among members of industry, education, law enforcement and elected office.
“We have a long way to go to raise awareness,” acknowledges Kawasaki. “Across the board, there is a dramatic lack of awareness of the issue.”
At the very end of 2018, members submitted their recommendations for the center of excellence to Oregon’s Office of the State Chief Information Officer. That agency will then pass the plan on to the Legislature for review. In the next several weeks, members will present the proposal to the state’s Joint Legislative Committee on IT.
It will be up to the Legislature to decide whether the center of excellence can come into being. Although the council’s fate rests in the hands of lawmakers, the collaborative spirit of the members and their desire to help small organizations shore up their defenses for the benefit of Oregon’s economy as a whole is what keeps the members going, says Fry.
“My passion comes from those organizations and their struggles,” she says.
As the threat of cyberattacks increases, so has the demand for cyberinsurance. Brent Rieth, vice president and team leader at insurance broker Aon, says the number of clients that buy cyberinsurance doubled between 2014 and 2018.
A few years ago, retailers and health care companies that store large amounts of consumer data were the biggest buyers of coverage. Now demand for insurance is high across all sectors and from both large and small companies, he says.
Insurers have also broadened coverage as they become more comfortable with underwriting cyber risk. For example, policies will now typically reimburse businesses for lost income from a cyberattack, says Paula Miller, West zone cyber growth leader at insurance broker Marsh.
The maximum amount of money insurers will pay for a claim has also grown. The largest policy Miller has seen underwritten provides $500 million in coverage for losses.
Policies typically fit into two buckets: Organizations can buy coverage for costs of dealing with a data breach, such as setting up credit monitoring and call centers for dealing with customer inquiries.
The second type of coverage reimburses businesses for legal costs, such as lawsuits and regulatory claims.
The insurance sector doesn’t typically respond quickly to economic and technological change. As new types of cyberattacks emerge with advances in technology, insurers will have to play catchup.
Policies do not yet cover cyberattacks that cause bodily injury and property damage, for example. “It is a big, glaring gap in the insurance market,” says Miller.
To subscribe to Oregon Business, click here.