Having finished our work on bills initiated in the House, committees turned their attention to bills coming from the Senate and to other matters of importance.
The Biden administration recently issued a nationwide alert for Americans to elevate their cybersecurity posture in anticipation of a Russian response to economic sanctions imposed by the West because of the invasion of Ukraine.
Vermont is vulnerable to such an attack on many fronts, and it is imperative to be prepared to both minimize vulnerabilities and respond quickly if an attack is successful. The House Energy and Technology Committee started taking testimony on the state of preparedness of critical IT infrastructure in both the public and private sectors.
“It’s not if, it’s when, our systems get breached” is a line the House Energy and Technology committee heard repeatedly during our two days of testimony on Vermont’s cybersecurity defenses.
Cyberattacks can take many forms: phishing scams, malware, spyware, data breaches, ransomware and others. It is the responsibility of every entity that relies on a computer system connected to the internet to take the best precautions possible to prevent a cyberattack in the first place and to have a plan of action in case a breach is successful.
In addition to hearing from leadership at the Agency of Digital Services and the departments of Public Safety, Public Service and Financial Regulation, we heard from University of Vermont Health Network about lessons learned from the ransomware attack they experienced in October 2020.
We also heard from representatives from Vermont utilities and banks about their cybersecurity efforts to prevent loss of confidential information, financial resources and service. We explored how these organizations are working together to share best practices, intelligence on cyber threats, and how they are coordinating with state and federal governments to protect Vermonters’ data and infrastructure.
Banks and other financial institutions, regardless of size, are required by the federal government to maintain strong security measures for their systems and to have incident response plans in place. The Vermont Bankers Association told us that inter-bank competition stops at the cybersecurity door, that there is excellent sharing of information among its members. Vermont’s electric utilities are subject to National Electric Reliability Corporation Critical Infrastructure Protection requirements. Also, the Vermont Public Utilities Commission requires Vermont utilities to report annually on their cybersecurity programs.
Be alert and be aware
The testimony we heard gave us considerable assurance that strong protections are in place. But it also brought to our attention that we as individuals also have a part to play.
We need to know how we can be used and how to protect ourselves. The entry point for a breach is often accomplished by “phishing” a user, that is, sending an email or text that seems to be from a legitimate website, colleague or company with a link or attachment to open. The result is the surreptitious installation of malware or spyware on the user’s computer, or asking a user to verify a user ID and password or other personally identifiable information to allow the hacker to bypass security in a system.
With the possibility of attacks coming from many directions, protection of our data and the systems we depend on is both a collective and a personal responsibility. Here are some steps we can all take:
Never click on a link or open an attachment unless you are expecting it or can verify that the sender is who they purport to be.
If the email is from a company you have an account with, go to the website and log in there instead of clicking on a link.
Use two-factor authentication if possible. This is an option that requires not only a password, but a verification code sent to your phone or email account to successfully log in.
Maintain different passwords for different accounts. Password managers like Lastpass, Keeper or Zoho can remove the anxiety of having to remember multiple passwords.