Legislature (2021 - 2022) ANCH LIO DENALI Rm
10/28/2021 09:00 AM Senate STATE AFFAIRS
ALASKA STATE LEGISLATURE
JOINT MEETING
SENATE STATE AFFAIRS STANDING COMMITTEE
SENATE JUDICIARY STANDING COMMITTEE
October 28, 2021
9:02 a.m.
MEMBERS PRESENT
SENATE STATE AFFAIRS
Senator Mike Shower, Chair (via teleconference)
Senator Lora Reinbold, Vice Chair (via teleconference)
Senator Mia Costello
Senator Roger Holland
Senator Scott Kawasaki (via teleconference)
SENATE JUDICIARY
Senator Roger Holland, Chair
Senator Mike Shower, Vice Chair (via teleconference)
Senator Shelley Hughes (via teleconference)
Senator Jesse Kiehl (via teleconference)
MEMBERS ABSENT
SENATE STATE AFFAIRS
All members present
SENATE JUDICIARY
Senator Robert Myers
OTHER LEGISLATORS PRESENT
Representative Kevin McCabe (via teleconference)
COMMITTEE CALENDAR
PRESENTATION(S): CYBERSECURITY ISSUES and SOLUTIONS
- HEARD
PREVIOUS COMMITTEE ACTION
No previous action to record
WITNESS REGISTER
BURKE STEPHENSON, Freelance Cybersecurity Consultant
Cybersec Innovation Partners
London, England
United Kingdom
POSITION STATEMENT: Delivered a presentation on cybersecurity
issues and solutions.
MEGAN WALLACE, Director
Legislative Legal Services
Legislative Affairs Agency
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Provided legal advice about meeting in
executive session during the presentation on cybersecurity
issues and solutions.
ACTION NARRATIVE
9:02:10 AM
CHAIR ROGER HOLLAND called the joint meeting of the Senate State
Affairs Standing Committee and the Senate Judiciary Standing
Committee to order at 9:02 a.m. Present at the call to order
from the Senate State Affairs Committee were Senators Costello,
Holland, and Chair Shower (via teleconference). Present from the
Senate Judiciary Committee were Senators Kiehl (via
teleconference), Hughes (via teleconference) and Chair Holland.
Senate State Affairs Committee member, Senator Kawasaki and
Senate Judiciary Committee member, Senator Reinbold joined the
meeting thereafter (via teleconference).
PRESENTATION(S): Cybersecurity Issues and Solutions
9:03:27 AM
CHAIR HOLLAND stated that the legislature is in the 4th Special
Session of the year and while cybersecurity is not included in
the call, an opportunity arose to hear from freelance
cybersecurity consultant Burke Stephenson who works for Cybersec
Innovation Partners. He will present information regarding
cybersecurity issues and solutions, particularly as they apply
in Alaska. He asked Senator Shower if he had any opening
comments.
9:04:17 AM
CHAIR SHOWER apologized for not being able to attend the meeting
in person and thanked Chair Holland for stepping in at the last
moment to chair the meeting in his stead.
9:04:50 AM
At ease
9:06:03 AM
CHAIR HOLLAND reconvened the meeting.
9:06:55 AM
BURKE STEPHENSON, Freelance Cybersecurity Consultant, Cybersec
Innovation Partners (CIP), stated his intention to educate
legislators about cybersecurity and why it is important not just
to the State of Alaska, but industry wide.
He began the presentation with a quote from John F. Kennedy who
said, "There are risks and costs to action. But they are far
less than the long-range risks of comfortable inaction."
9:08:07 AM
MR. STEPHENSON said he would set the stage by repeating the
statement he made to Senator Shower last month. He paraphrased
his remarks, which read:
[Original punctuation provided.]
The State of Alaska has suffered 4 separate
cyberattacks in less than 2 years. We have been
informing and providing evidence directly to Alaska
over the last 18 months of why. This is because
Alaska's current IT and cyber vendors are NOT
providing adequate protection, and Alaska's IT
infrastructure is Insecure. This is an obvious
statement, unfortunately what we see every day is that
the obvious is constantly being overlooked.
Over the next few minutes, I am going to define and
explain, with irrefutable evidence why this statement
is indicative of the cyber security posture for all
industries, businesses, business verticals, and is
systemically causing billions in losses and costs,
nothing will change unless we change it. This also
includes the Alaskan Government.
9:09:12 AM
MR. STEPHENSON deviated from his prepared statement to report
that cybercrime is the third largest economy in the world, after
those of the U.S. and China. He reported that in 2021 cybercrime
will produce $6 trillion. It is even more profitable than the
global drug trade, which is more than all national disasters
combined.
9:09:51 AM
MR. STEPHENSON paraphrased the last paragraph on page 1 of the
presentation, which read:
[Original punctuation provided.]
In this special session on voting integrity this
report is one of the most important parts of ensuring
voter integrity. If a voter registration of Alaska
Department of Elections website can be breached, which
have been and still can be, then all data and
information, including the integrity of the voter's
identification, is all at risk of manipulation.
MR. STEPHENSON stated that all state agencies are vulnerable
because the government is interconnected. He advised that he
provided examples to show that cybercriminals eventually will
gain entry if there is an access point. Once they have gained
access, these cybercriminals are able to access information,
including voter information and possibly manipulate or steal the
data.
9:11:09 AM
MR. STEPHENSON paraphrased the introduction on page 2 of his
remarks, which read:
[Original punctuation provided.]
Before I start, I want to again thank you for this
opportunity. I am honored and humbled to be asked to
present to you in one of our Nation's greatest
establishments in the assurance of justice and
freedom. I am honored, that in my realm of experience
and professional expertise I have been asked to
provide this statement to you regarding the cyber
security posture of Alaska's State Government. I am
humbled, humbled because of the constant struggle and
my endeavors against the multitude of organizations
and people that would like to prevent this information
and data from coming to light. I am honored to be able
to demonstrate and prove with evidence and irrefutable
data that our work is paramount to the cyber security
of a company, an organization, a U.S. State, a Nation,
and the World.
I will explain why the current cyber security posture
is in a critically vulnerable position (Code red) for
the entire Alaskan State Government and requires
immediate remediation and addressing. Alaska has been
repeatedly attacked by so called, highly sophisticated
cyber criminals, possibly from adversary Nation
States. We are aware of four (4) reported cyber
attacks. Three (3) of which have occurred after our
initial intelligence and sharing of the insecure
infrastructure with numerous known and available
attack vectors. Two (2) cyber attacks, the voter
website and the Courts were warned as vulnerabilities
by us prior to the attacks
9:13:11 AM
MR. STEPHENSON provided his personal background. He said he is a
U.S. Army veteran with top security clearance. He has worked
within the North Atlantic Treaty Organization (NATO). While in
the US Army he served in the National Security Agency. His
cybersecurity training started with the Rainbow Books, which is
a series of computer security standards developed by the U.S.
Department of Defense (DoD) in the 1980s and 1990s. After
leaving the US Army, he became a DoD contractor in the United
Kingdom (UK) at an intelligence gathering center for Europe. His
understanding of cybersecurity and data manipulation was
enhanced with this assignment. After that he moved into vendor
and partner solutions as a lead engineer and became familiar
with many different companies and the solutions they offer.
MR. STEPHENSON related that for the past five years he has
focused on cybersecurity, working with a technology developed
inside NATO called "truth serum." This work uncovered a Stuxnet-
like malware solution [Stuxnet is a malicious computer worm]
inside NATO. This tool also uncovered ways that the Chinese were
attempting to steal data from the Joint Strike Fighter (JSF)
program. He said he mentioned this because several slides in the
presentation show technology the Chinese have stolen through
various DoD contractors and allied partner nations. He said this
work has helped him focus his discovery skills to identify the
penetration access points on public-facing internet
infrastructure.
9:18:25 AM
MR. STEPHENSON said cybercriminals use websites and public-
facing infrastructure vulnerabilities for their initial access.
Once inside, they work to achieve elevated access before running
a malware or ransomware attack. He now ranks the attack vectors
from 1-10 or low to critical, based on national and
international industry standards.
9:20:13 AM
MR. STEPHENSON paraphrased the four known Alaska cyberattacks
described on page 3 of the presentation, which read:
[Original punctuation provided.]
1st Cyber Attack: 26th April 2018. Alaska's Division
of Public Assistance (DPA), a department in Alaska's
Department of Health and Social Services (DHSS) was
breached with a trojan virus. It exposed more than
100,000 Alaskan citizen's Personal Identifiable
Information (PII). It was also found to be
noncompliant with the Health Insurance Portability and
Accountability Act a.k.a. HIPAA.
• https://www.manageengine.eu/log-management/data-breaches/alaska-households-cyber-attack.html
2nd Cyber Attack: September 2020. Alaska State
Government's voter registration website was breached
exposing again the PII of over 113,000 Alaskan
citizens. This breach was announced in late November
2020.
• https://www.manageengine.eu/log-management/data-breaches/alaska-households-cyberattack.html
• In May 2020 we notified Alaskan Government
representatives that this website was
critically vulnerable and needed immediate
attention after having assisted the FBI with a
similar security issue with the Central Voting
system (www.vote.gov) redirecting to a Korean
DNS.
• This Actionable Intelligence was acknowledged;
however, we were informed that the State of
Alaska would not be engaging at that time. This
was due to the recent COVID Pandemic and the
subsequential knock on effects to Alaska.
o We understand that statement, however,
question the rationale. In our vast
professional experience, these exposed
cyber vulnerabilities act like beacons to
cyber criminals.
• To ignore a warning of cyber insecurity is
foolish and unsafe. Failing remediation could
constitute being complicit by being complacent,
or even negligent - especially when the person,
or persons informed include Chief Information
Security Officers (CISOs) and any Chief
Officers (CxO) or Board Member.
• The insecurity across the country is systemic
and not confined to a single sector, but all
sectors including Banks, Healthcare, and
Insurers, just to name a few.
9:24:25 AM
MR. STEPHENSON continued to paraphrase the known Alaska
cyberattacks described on page 3 of the presentation, which
read:
[Original punctuation provided.]
3rd Cyber Attack: April 2021-Malware was placed on
Alaska's court system email.
• On 1st April 2021 I emailed the Alaska state
Attorney General and the State Governor. A copy
of this email is included for reference in
Appendix [D]. Please note in the bulleted
section of warnings of vulnerable web site, I
specifically identified the Alaska Courts
website. This item is highlighted for
referencing purposes.
4th Cyber Attack: Breached in May 2021-The Department
of Health and Social Services (DHSS)
MR. STEPHENSON said the only response he received from the
Alaska government was in early May 2020, indicating they did not
want to engage. A copy of the email is included in Appendix D of
this report.
9:25:57 AM
MR. STEPHENSON paraphrased page 4 of the presentation, which
read:
[Original punctuation provided.]
9:25:58 AM
Even though the data and warnings that have already
been provided to the State of Alaska shows a systemic
lack of cyber security, in preparation of this
statement, I wanted to have a more up-to-date and
deeper understanding of the cyber posture for Alaska's
Government. My preparations initially uncovered
ninety-eight (98) Government websites including
twenty-two (22) main Government Departments, and
organizations linked to the Alaskan Government. One
example of an organization is the Alaska Energy
Authority. These organizations have a .org and not a
.gov ending on their website and domain name but are
still linked via Alaskan Government websites.
9:27:04 AM
As a cursory check I accessed each of the main
Government Department websites just as any normal
person would using a standard web browser. I did this
to confirm that these websites were active and
accessible. Of the twenty-two (22) Government
Departments, eight (8) were 'Not Secure'. That is one-
third (1/3) of the official webpages for the Alaskan
Government Departments have cyber security issues
rendering them not secure. These not secure websites
include:
• Alaska State Legislature
• Department of Military and Veterans Affairs -
Division of Homeland Security Amber Alert
• Alaska Court System
• Department of Natural Resource
• Department of Natural Resources - Division of
Forestry
• Department of Law
• Regulatory Commission of Alaska
• Department of Revenue - Tax Division
MR. STEPHENSON said he circled items in the presentation in red
to highlight that the website is not secure.
9:27:51 AM
MR. STEPHENSON paraphrased page 5 of the presentation, which
read:
[Original punctuation provided.]
A website can be considered 'Not Secure' for many
reasons. In July 2018, Google made an update to its
browser to include a "Not Secure" warning in the
address bar as shown circled in red in the above
screenshots. This means that the website is not using
a secure connection, meaning that the data being
transferred, viewed, and entered is not encrypted. A
not secure warning can result for many reasons. Some
are misconfigurations that can quickly be fixed,
others are more serious including issues with the
encryption or the encryption certificate and keys
being, or sometimes not being used. This action was
initiated by Google, as stated, in 2018, in hopes to
help promote secure encryption connections ensuring
that the data being used and in transit on the
internet is encrypted. Sadly today, 3 years later,
this is an obvious configuration missed by many, but
capitalized upon by cyber criminals.
9:29:09 AM
MR. STEPHENSON continued to paraphrase page 5 of the
presentation, which read:
[Original punctuation provided.]
I wanted to investigate the presence of additional
Alaska subdomains to gain an understanding of the
scope of the Alaskan Government websites and presence
on the internet. This took me to the first of the
recently discovered ninety-eight (98) websites listed
in alphabetical order, www.akenergyauthorty.org. A
great example and opportunity to look at exactly what
an organization under the Alaskan Government might
look like. Unfortunately, this immediately started
with a "Not Secure" website as shown in the screenshot
below. It also identified an additional six subdomains
now taking total websites needing to be investigated
for cyber security to one hundred and four (104). In
addition, two of the subdomains had an additional open
port, and the server hosting the website had two
additional open ports, four ports in total, that will
each require further ingestion.
9:30:51 AM
MR. STEPHENSON continued to paraphrase page 5 of the
presentation, which read:
[Original punctuation provided.]
I decided to take an initial Cyber Rated Index (CRI)
score of the Alaska Energy Authority website. This is
where the cyber security posture started rapidly
spiraling into critical. As shown in the picture
below there are critical cyber security issues with
the Public Key Infrastructure (PKI) certificate used
on the website, 4 Common Vulnerabilities and
Exposures (CVEs) all with a MEDIUM risk rating per
the Common Vulnerability Scoring System (CVSS)
version 3.1, and additional cyber security
vulnerabilities identified elevating this website
and organization to a critical cyber security risk.
In other words, a CRI score of F (FAILURE).
9:31:28 AM
SENATOR KAWASAKI joined the meeting (via teleconference).
9:32:15 AM
MR. STEPHENSON referenced the picture on page 5 and explained
that the Public Key Infrastructure (PKI) certificate shown has a
10-year lifespan and will not expire until 2027. This is despite
the fact that best practice and the industry standard for a PKI
certificate is a maximum of three years, but PKIs are often
limited to months. He highlighted that if cybercriminals gain
access to an organization and have obtained a PKI certificate,
they want the longest certificate lifespan to avoid requesting a
renewal. Simply because the PKI certificate shown has a long
lifespan does not mean a cybercriminal has access, but it is
indicative of cybercriminal activity. He noted that he works
with one of the largest IT and cybersecurity providers in the
world that recently discovered a website with cybercriminals
lying in wait, gaining privileges similar to what happened with
the SolarWinds attack. The PKI certificate hides cybercriminals,
but he is able to find them and investigate them further. He
acknowledged that a PKI certificate may not be indicative of
cybercriminal behavior, but it should be investigated.
9:34:44 AM
MR. STEPHENSON mentioned the four common vulnerabilities or CVEs
listed in the photo on slide 5 [Original punctuation provided]:
• 4 Common Vulnerabilities and Exposure (CVEs) - all
MEDIUM RISK
• Failed every data protection law, regulation and
standard, GDPR, PCI DSS, HIPAA, NIST, etc.
• Website does not redirect HTTP to HTTPS ensuring
website security (i.e., NOT SECURE)
• Additional open ports
• Potentially managed by a 3rd party - General
Communications, Inc. in Anchorage, Alaska
9:34:49 AM
MR. STEPHENSON said that once a vulnerability is announced
publicly, the company creates a common vulnerability and
exposure and assigns a numeric to that vulnerability and
provides a patch. He clarified that every CVE he cites is known
and exploitable. If it exists on a system, it can be actively
used by cybercriminals to gain access.
9:35:29 AM
MR. STEPHENSON noted that he also mentioned that the website
failed data protection laws and regulations, specifically,
Europe's general data protection requirement regulation. The
Payment Card Industry Data Security Standard (PCI DSS) for
banking, healthcare HIPAA, and the National Institute of
Standards and Technologies (NISTs). Furthermore, the website did
not redirect from http. He explained that when a user accesses a
website through a browser, there are two ports: http and https.
The unsecured http port presents information to the browser,
which was the web interface started years ago. The secure https
port has since been incorporated. Http is typically assigned
port 80 and https is assigned port 443 on a server.
9:36:29 AM
MR. STEPHENSON stated that he always advises turning off the
http port 80 because there is no reason to have an unsecure
protocol open. But what he discovered is not only were both
ports open, but if he asked his browser to access the website
over the unsecure http, it would not redirect to the secure
https. All data on that unsecure site is viewable by anybody, he
said.
9:37:27 AM
MR. STEPHENSON directed attention to the screenshot on page 6 of
the cyber rated index of the legislative website. The results
were checked again just last night to confirm these findings. He
said he would explain the security vulnerabilities later in the
presentation.
9:38:00 AM
MR. STEPHENSON turned to page 7 and paraphrased the conclusion,
which read:
[Original punctuation provided.]
CONCLUSION
The cyber security posture of the Alaskan State
Government is not an anomaly. Unfortunately, we
experience many similar cyber postures in many
organizations and industries, including the very IT
and cyber security vendors in which rely upon daily. I
have additional information that I have prepared for
you in this brief.
They are:
• Appendix A: pg.8 - The initial Cyber Rated
Index (CRI) report I provided to Alaskan
Senators just last month
• Appendix B: pg. 16 - Excerpt of email sent on
9th April 2020 warning of elections website
• Appendix C: pg. 18 - Excerpt of email sent on
30th May 2020 to Commissioner at Alaska
Department of Administration
• Appendix D: pg. 19 - The email to Alaska's
Attorney General warning that the Alaska Court
system was vulnerable, among others
• Appendix E: pg. 21 - Weaponizing of the
internet
• Appendix F: pg. 23 - Lack of cyber security
with IT and Cyber vendors
• Appendix G: pg. 25 - Where to go from here?
• Appendix H: pg. 26 - Additional Information and
References - third party professional reports
validating the critical necessity to ensure
cyber security to public facing internet
webpage infrastructure
• Appendix I: pg. 28 - Partners
9:40:03 AM
MR. STEPHENSON continued to paraphrase page 7 of the
presentation, which read:
[Original punctuation provided.]
There is one connection that I would like to highlight
between Appendix E: Weaponizing of the internet and
Appendix F: Lack of cyber security with IT and Cyber
vendors. In Weaponizing of the internet, I briefly
cover STUXNET and how unknown Microsoft zero-day
vulnerabilities were utilized to gain initial access.
Now I want to correlate that to the information in
Appendix F where I briefly cover SolarWinds, codenamed
SUNBURST. Senators and Representatives, understanding
the direct connection between these two are paramount
to understanding the problem.
9:40:38 AM
CHAIR SHOWER interjected to relay a request the committee move
into executive session because of the sensitivity of the topic.
He advised that he had instructed his aide to contact
Legislative Legal Services for clarification.
CHAIR HOLLAND said he was not overly concerned because much of
this information is already available to the public, but he
would like to hear from Legislative Legal. He suggested that the
committee take a short break and noted that a text thread was
running among the committee members. He asked Mr. Stephenson if
he had anything to add.
9:43:12 AM
MR. STEPHENSON confirmed that he was accessing the legislative
system through a web browser interface. He found vulnerabilities
and if he could find them, so can cybercriminals. Nevertheless,
he agreed with Senator Shower that it is not wise to speak
publicly about vulnerabilities. He noted that because of the
sensitivity of the topic, he only invited Mark Sayampanathan to
join this briefing.
9:44:28 AM
At ease
9:54:40 AM
CHAIR HOLLAND reconvened the meeting and advised Mr. Stephenson
to disconnect from the Teams meeting and call the 800 number,
844-586-9085, since the committee plans to go into executive
session.
9:56:38 AM
SENATOR HUGHES asked for the number and Chair Holland repeated
it.
SENATOR SHOWER clarified the area code.
9:57:42 AM
SENATOR KIEHL pointed out that in executive session the
committee could only discuss the things that present a great
threat to the state. Thus far, the presentation has only covered
general cybersecurity items and those topics cannot be discussed
in executive session. He cautioned the committee to be careful
about how it splits the conversations because a substantial
amount of the information would be appropriate for the public
session. He acknowledged that it would be difficult for the
chair to decide how to split the topics.
9:58:32 AM
CHAIR HOLLAND asked Mr. Stephenson whether the committee should
move into executive session immediately.
9:59:05 AM
MR. STEPHENSON replied his intention was to discuss the
vulnerabilities of the Alaska Legislature's website in addition
to some of the others he previously mentioned. He offered to
tailor his comments to cybersecurity for Alaska.
9:59:40 AM
CHAIR HOLLAND clarified that there would be no votes taken
during this meeting or while the committee is in executive
session. This is a presentation so legislation was not being
considered.
10:00:07 AM
SENATOR HUGHES asked if it would be appropriate to have Tim
Banaszak, the Information Technology Manager, participate if the
committees will go into executive session and discusses the
Alaska State Legislature website in particular.
CHAIR HOLLAND offered his belief that it would be appropriate.
10:00:30 AM
MR. STEPHENSON advised that he planned to discuss the
weaponizing of the internet as well as the lack of cybersecurity
with IT and cyber vendors, neither of which correlate directly
to the Alaska government. He said he could either go over those
now or leave it to the members to read in the report. He
proceeded to explain that the weaponizing of the internet
explains how the U.S. and Israeli agencies developed a code for
Stuxnet [malware to adversely affect an Iranian nuclear
facility]. It used a Microsoft vulnerability zero day for
access. Stuxnet showed the world that the internet can be used
for cyberwarfare.
10:01:40 AM
MR. STEPHENSON noted the two screen shots of the U.S. joint
strike fighter and the Chinese passenger airliner on page 22
reference the technologies that have been stolen through
cybertheft. He described the way this correlates to the State of
Alaska:
Think of SolarWinds. They had supply chain into tens
of thousands of companies because they provided a
solution. So every IT cybersecurity hosting whatever
vendor the State of Alaska uses, is inherently a
supply chain vulnerability being brought in, making
your government insecure. And that's how I tie those
two together.
10:02:38 AM
SENATOR KAWASAKI offered his view that much of this information
is available online and that it should be presented to the
entire legislature rather than in executive session to just
these two committees.
10:03:28 AM
SENATOR HUGHES offered her understanding that any legislator
could call and join the executive session.
10:03:54 AM
SENATOR KAWASAKI restated his position.
10:04:30 AM
MR. STEPHENSON interjected to explain that he uses open-source
intelligence (OSINT) available on the internet. He described it
as the interactions of the computers interfacing with web pages
and the browser. OSINT uses information that is publicly
available to anyone. However, this does not mean that people
have the ability to decipher the information or determine
existing vulnerabilities.
10:05:20 AM
CHAIR HOLLAND expressed doubt that 60 legislators could be
convened via telephone in the next hour to listen to the
presentation.
10:05:51 AM
CHAIR SHOWER stated that Megan Wallace, Director of Legislative
Legal Services, was available to advise the committee.
10:07:10 AM
CHAIR HOLLAND recognized Megan Wallace.
10:07:15 AM
MEGAN WALLACE, Director, Legislative Legal Services, Legislative
Affairs Agency, Alaska State Legislature, Juneau, Alaska, stated
that it was brought to her attention that the committee wants to
discuss cybersecurity issues that may potentially affect the
security of state agencies. She cited Uniform Rule 22(b) and
recommended, in conjunction with advice from Tim Banaszak, that
these discussions be held in executive session. She added that
while there may be interest at some point in briefing another
group of legislators or the public on the issues that will be
considered, her recommendation is to delay that until after
there has been a more deliberative process of assessing the
risks.
10:08:55 AM
CHAIR HOLLAND summarized his understanding of her
recommendation.
10:09:25 AM
MS. WALLACE explained that it is difficult to give comprehensive
advice without knowing the matters that would be discussed out
of executive session versus in executive session. Based on her
understanding of the information that will be presented, her
recommendation is to hear it in executive session.
10:10:00 AM
At ease
10:11:37 AM
CHAIR HOLLAND reconvened the meeting and advised that Mr.
Stephenson would speak on the non-sensitive issues he previously
mentioned. At that point then the committee would move from
Teams to the phone lines for an executive session.
10:12:14 AM
CHAIR SHOWER agreed with the plan to listen to less sensitive
topics before moving into executive session.
10:12:39 AM
CHAIR HOLLAND asked Mr. Sayampanathan to put himself on the
record. He stated the committee was having audio issues.
10:13:04 AM
MARK SAYAMPANATHAN advised that he was unable to participate in
the chat committee members were having.
10:13:22 AM
At ease
10:14:14 AM
CHAIR HOLLAND reconvened the meeting.
10:14:21 AM
SENATOR HUGHES pointed out that whoever was controlling the
livestream through AKL.TV is not supposed to stream when the
committee is at ease. She asked if streaming is occurring during
the committee at eases.
10:14:38 AM
CHAIR HOLLAND agreed that when the committee is at ease the
broadcast should stop. He recommended that the committee
exercise caution. Seeing no further questions or comments from
the committee, he asked Mr. Stephenson to continue.
10:15:10 AM
MR. STEPHENSON paraphrased his conclusion on page 7. He recapped
that his intent was to draw a correlation between weaponizing
the internet, including brief coverage of Stuxnet, how unknown
Microsoft zero-day vulnerabilities were used to gain the initial
access, and the information in Appendix F that briefly covers
SolarWinds, code name SUNBURST. Understanding the direct
connection between these two is paramount to understanding the
problem, he said.
10:15:50 AM
At ease
10:16:39 AM
CHAIR HOLLAND reconvened the meeting and asked Mr. Stephenson to
resume.
10:17:09 AM
MR. STEPHENSON continued to paraphrase the conclusion on page 7
of the presentation, which read:
[Original punctuation provided.]
Understanding the problem means steps can be taken to
mitigate the problem. The connection I would like to
make clear is that the same methods of exploitation
and manipulation that were used by the agencies in
STUXNET were also used in SUNBURST. These methods are
being used daily against companies and governments to
devastating effect.
To close my opening statement, and before I dive into
the data and examples, I would like to re-read my
opening statement as now the clarity and understanding
of that statement should ring true and act for the
urgent call to arms before the next attack on the
Alaskan State Government undoubtedly occurs.
"The State of Alaska has suffered 4 separate
cyberattacks in less than 2 years. We have been
informing and providing evidence directly to Alaska
over the last 18 months of why. This is because
Alaska's current IT and cyber vendors are NOT
providing adequate protection, and Alaska's IT
infrastructure is Insecure. This is an obvious
statement, unfortunately what we see every day is that
the obvious is constantly being overlooked."
Inaction will not fix the problem nor make it go away,
it will simply compound the challenges and costs.
Ensuring voting integrity is critical to our
Democracy. Senators, we stand ready for service.
10:19:13 AM
MR. STEPHENSON directed attention to Appendix E on page 21 of
the presentation. He paraphrased Appendix E, which read:
[Original punctuation provided.]
APPENDIX E: WEAPONIZING OF THE INTERNET
The age of the computer and the internet has developed
and rapidly advanced science and technology for the
benefit of the world, the United States, and the State
of Alaska. One such amazing example is the accelerated
advancements in the medical field. This computer age
has also seen the accelerated growth and reliance on
IT systems in our daily lives. It has brought about
the internet and the ability to share and use
information open and freely in seconds to anywhere in
the world. It has provided the ability to have live
video chats, like the one we are on today. Compared to
just 20 years ago this was practically impossible and
required either telephone, satellite link or travel.
In all the immense benefits this has brought, it has
also created the weaponization of the same internet.
The first real display of this weaponization occurred
with the STUXNET malware used to cause catastrophic
effect on the Iranian Nuclear Facility. STUXNET was
first discovered in 2010. That is only 11 years ago.
It was developed to attack targeted programmable logic
controllers (PLCs) manufactured by Siemens that are
used to automate machine processes specifically those
in Nuclear Facilities. It is now widely accepted that
STUXNET was created by the intelligence agencies of
the United States and Israel. So, we have basically
created our own worst nightmare.
10:21:45 AM
MR. STEPHENSON continued to paraphrase Appendix E of the
presentation, which read:
[Original punctuation provided.]
One fact about STUXNET that is particularly
interesting is that it exploits multiple previously
unknown Windows zero-day vulnerabilities to infect
computers and spread. Does that ring a bell for
anyone? Just this past month there have been a
number of newly identified Microsoft zero-day
vulnerabilities including the Autodiscover
vulnerability. What makes the Autodiscover
vulnerability particularly bad is not the fact that
it is a serious attack vector that cyber criminals
can and have used, but the fact that Microsoft was
aware of this vulnerability for 5 years.
Reference: Article published on 27th September 2021 by
the Register states how Microsoft knew of the
Autodiscover vulnerability 5 years ago.
https://www.theregister.com/2021/09/27/microsoft_exchange_autodiscover/
10:22:59 AM
MR. STEPHENSON continued to paraphrase Appendix E on page 21 of
the presentation, which read:
[Original punctuation provided.]
We can also learn a lot from the unfortunate and
treasonous release of the thousands of classified
documents by Edward Snowden in 2013. Some of those
documents included classified briefing documents from
the National Security Agency (NSA). They explain the
ability that the United States had to take control of
IT systems even after a fresh and new installation of
software and firmware. What we discern from this is
that the United States had these capabilities before
the Snowden debacle in 2013. What this again reaffirms
is the complete insecurity of every connected system,
especially everything that is Information Technology.
10:24:06 AM
From 2010, to 2013, and fast forward to 2021, Alaska's
Government, just like all U.S. State Governments,
implemented and became dependent on IT systems
throughout every department, organization, district,
and incorporated town. All the Personally Identifiable
Information (PII) and other data considered to be
sensitive or classified has been consolidated and
stored on IT systems, clouds, databases, and such.
This wealth of information is invaluable to criminals
for a multitude of nefarious purposes.
10:24:54 AM
MR. STEPHENSON reviewed the examples on page 22 of the
presentation, which read:
[Original punctuation provided.]
Cyber Threats That are NOT Caught or Prevented by
Other Solutions
If there were others then these and many other cyber
intrusions, attacks, etc., would have been prevented
• https://www.cnbc.com/2011/11/08/chinese-theft-of-sensitive-us-military-technology-still-huge-problem.html
• China builds the J-20, a new stealth fighter
jet, they were reportedly helped by industrial
espionage. The design resembles the F-22. And the
FC-31 Gyrfalcon, in development, resembles the
Lockheed F-35 Joint Strike Fighter
• "What Beijing has been very good at is
targeting U.S. defense contractors, getting into
their computer systems through various types of
essentially cyber warfare and stealing the designs
of some of America's best military assets," said
Harry Kazianis, director of defense studies at
the Center for the National Interest, a think
tank founded by former President Richard Nixon.
• According to Kazianis, the Chinese have been
able to hack into computer networks to steal
designs and other information on U.S. carriers,
advanced defense systems as well as the F-22 and
F-35 jets.
• https://www.dailymail.co.uk/sciencetech/article-389312?/Chinese-J-20-stealth-jet-based-military-plans-stolen-hackers-makes-public-debut.html
10:26:02 AM
MR. STEPHENSON reviewed the second example on page 22 of the
report, which read:
[Original punctuation provided.]
• https://www.extremetech.com/extreme/300313-report-chinas-new-comac-c919-jetliner-is-built-with-stolen-technology
MR. STEPHENSON stated that the new Chinese [C919] passenger
[narrow body jet built by the Commercial Aircraft Corporation of
China (COMAC)] has technology for parts and components stolen
through various means including cyber theft. This photo shows
components and the source of the stolen data.
10:26:25 AM
MR. STEPHENSON turned to page 23 of the report and paraphrased
Appendix F, which read:
[Original punctuation provided.]
APPENDIX F: LACK OF CYBER SECURITY WITH IT AND CYBER
VENDORS
The level of lacking cyber security is systemic across
our IT and cyber security vendors that we use and rely
on every day. I have personally researched over 150 of
the top IT and cyber security vendors and
manufacturers. The systemic lack of fundamental cyber
security across their plethora of internet facing
websites, domains and subdomains is a standing example
of the lack of knowledge and expertise, by these very
professionals, to close the initial access points used
by cyber criminals.
10:27:12 AM
MR. STEPHENSON described a discovery he made last week. He said
he looked into a main IT provider in the U.S. based on
information he had seen on the internet. He discovered that one
of their VPNs had expired PKI certificates that were running
encryption algorithms that can be hacked in 6-10 minutes. He
notified the vendor of his findings but ultimately the provider
decided not to proceed. Unfortunately, in his view this is the
standard reaction, he said.
10:28:18 AM
MR. STEPHENSON returned to the report on Appendix F on page 23
of the presentation, which read:
[Original punctuation provided]
Take for example the SolarWinds breach. This well-
known cyber attack and breach was an amazing example
of the cunning, patience, and skill that we face in
today's cyber criminal. This breach alone has affected
over 18,000 companies worldwide including the U.S.
Federal Government and Department of Defense. The cost
of the cleanup of this one single attack is estimated
in the $billions.
10:28:51 AM
This attack was so prolific and damaging that it
caused the United States Senate to conduct a hearing
dedicated to understanding how and why this took
place. Testimonies were heard from some of the Chief
Executives and cyber experts from many professional
and top tier cyber companies including SolarWinds
themselves. They answered many questions posed by U.S.
Senators; however, the absolute single and most
important question was never asked by anyone, not a
Senator, not an investigator, no one. That one
question is: How did the cybercriminal(s) gain the
initial access into SolarWinds?
10:29:38 AM
MR. STEPHENSON continued to review Appendix F on page 23 of the
presentation, which read:
[Original punctuation provided.]
While the SolarWinds cyberattack was sophisticated in
the total scope, the initial access was not. It was
simple. It was not by any means sophisticated. It was
a website that the cyber criminals were able to breach
and spoof. This got them inside the infrastructure of
SolarWinds and allowed the criminals to move
internally undetected for months.
The cyber criminals gained access to SolarWinds by
exposing readily available cyber security
vulnerabilities on their public facing internet
webpages and infrastructure. Just like the ones in
Alaska's Government. The cyber criminals were able to
create a duplicate website with a different URL, but a
website that looked identical to an official
SolarWinds website. This tactic is called website
spoofing. They were then able to exploit the known and
readily available vulnerabilities on their internet
systems to gain access, eventually attaining
administrative access. Once they had this, they were
able to use the SolarWinds IT systems to assign a real
PKI encryption certificate to their spoofed website
giving the website the added appearance of being a
valid SolarWinds website. From there the criminals
used their time and privileged access to move
laterally within the company and insert malicious code
into an update of the SolarWinds software that would
eventually be pushed out to their customers.
10:31:47 AM
MR. STEPHENSON continued to paraphrase Appendix F on page 23 of
the presentation, which read [Original punctuation provided]:
So why was this question never asked, or answered in
this emergency U.S. Senate hearing?
10:32:00 AM
Microsoft was notified by us in August 2019 about the existence
of hundreds of security flaws in the CRYPT32.DLL. One of
Microsoft's API modules. This security flaw was discovered by us
using Whitethorn. We contacted Microsoft and disclosed the
information pertaining to the security vulnerability. Microsoft
performed their own internal research to try to discover this
vulnerability and were unable. After their response back to us
stating that they were unable to locate the vulnerability we
replied with further information on the vulnerability and how to
identify it. Again, Microsoft was unable to locate the
vulnerability. In the end it took us hand-walking their cyber
security 'experts' through the discovery of the vulnerability
that resulted in the patch and announcement of CVE-2020-0601
for Windows CryptoAPI Spoofing Vulnerability. The severity of
this vulnerability is rated as HIGH with a score of 8.1 out of a
possible 10 according to National Vulnerability Database's (NVD)
latest version, version 3.1. The National Vulnerability Database
is a database maintained by the National Institute of Standards
and Technology, a.k.a. NIST. NIST is a physical sciences
laboratory and non-regulatory agency of the United States
Department of Commerce.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-0601
10:35:10 AM
MR. STEPHENSON continued to review Appendix F on page 24 of the
presentation, which read:
[Original punctuation provided.]
What is worse. The updated version of the CRYPT32.DLL
included a minimum of 4 embedded certificates, i.e.,
vulnerabilities. We know this because we scanned it
with Whitethorn after its release. After the CVEs
release the CRYPT32.DLL that was being used by ZenMAP
(NMAP security scanner) utilized version 6 and held
379 certificates with the same spoofing capability.
A few months later Microsoft was again contacted by us
because I had first-hand discovered critical
vulnerabilities on their internet presence in Israel.
At this time, we agreed to act in the best interest of
all and as conscientious cyber professionals providing
the information to Microsoft. We all want to make the
world and the internet a safer place, right? Microsoft
took the information and were able to remove some of
the most critical vulnerabilities that we identified.
What remains puzzling to this very day is why
Microsoft will not extend the same level of
professionalism and engage us in discussions on the
vast number of other internet vulnerabilities we have
discovered and notified them about. To date, Microsoft
continues to refuse to engage, and only try to push to
their free disclosure program. They are not alone in
this practice. Just last week an Apple iOS zero-day
was released by a vulnerability hunter because Apple
refused to responsibly engage with them and fix the
vulnerability.
10:38:19 AM
MR. STEPHENSON continued to review Appendix F on page 24 of the
presentation, which read:
[Original punctuation provided.]
The final example that I will provide demonstrating
how rife the IT and cyber security industry is with
cyber security vulnerabilities and their negligence to
engage will be an example using the zero-trust
Rockstar Zscaler. Over the course of a few months, I
compiled the Cyber Rated Index (CDI) scores of over
150 of the top IT and cyber security companies in the
world. Zscaler was included in this compilation,
scoring an F and having discovered a number of
vulnerabilities that places the company's
infrastructure and solutions at unquestionable risk -
think SolarWinds.
10:39:44 AM
MR. STEPHENSON continued to review Appendix F on page 24 of the
presentation, which read:
[Original punctuation provided.]
I contacted a previous co-worker, their vice president
of Federal. He had an employee and mutual friend
contact me. I provided information about the cyber
security vulnerabilities and was given the contact
information for a Mr. Desai, their CISO. Following our
conversation, I reached out directly to Mr. Desai on
22nd January 2021. He never responded to that or any of
my attempts to engage and help. Others that I work
with, including the CEO Andy Jenkinson, who is also on
this call, also reached out to a number of Zscaler's
executives including their CEO. Not one response from
all the attempted contacts and warnings we provided of
insecurity, including noncompliance to data protection
laws and regulations.
10:40:46 AM
MR. STEPHENSON said he mentions this because these are global
companies that are in breach of data protection laws, including
Europe's General Data Protection Regulation and California's
Consumer Protection Act. These known vulnerabilities exist on
their websites and infrastructure and their customers' data is
vulnerable and exploitable by cyber criminals.
10:41:51 AM
MR. STEPHENSON directed attention to Appendix H on page 26 of
the presentation to highlight Application Programming Interface
and vulnerabilities, which read:
[Original punctuation provided.]
1. IBM Security: A recent report by IBM Security proving
that two-thirds of all cloud based cyber attacks
originate through insecurities (misconfigured APIs) on
the public facing internet webpages, domains, and IT
systems.
a. https://siliconangle.com/2021/09/16/ibm-report-finds-two-thirds-cloud-breaches-traced-misconfigured-apis/
MR. STEPHENSON explained that an Application Programming
Interface (API) is a software intermediary that allows two
applications to communicate with one another. One problem with
APIs is the vulnerabilities provided. For example, files can be
added and deleted on the server at the location of the URL. This
illustrates the potential for malicious code entries through
APIs.
MR. STEPHENSON referred to the second item in Appendix H on page
26 of the presentation, which read:
[Original punctuation provided.]
2. HackerOne: 2021 Hacker Report showing 96% of all
hackers are working on websites
10:43:42 AM
MR. STEPHENSON explained that the use of "hacker" doesn't
necessarily mean "bad guys." This report identifies websites as
the biggest risk for breaching. APIs and Android applications
can be breached because people access websites while using their
devices. Further, operating systems are affected since servers
use the iOS to host the websites. These things cumulatively show
why the public-facing internet is constantly overlooked for
other penetration solutions.
10:44:36 AM
MR. STEPHENSON directed attention to the third item in Appendix
H on page 27 of the presentation, which read:
[Original punctuation provided.]
3. McAfee report referenced in a recent article by CSO
Online stating how the initial infiltration of a
highly sophisticated cyber attack carried out by one
of China's APT groups originated through the
vulnerabilities on the web servers.
a. https://www.csoonline.com/article/3633632/how-apts-become-long-term-lurkers-tools-and-techniques-of-a-targeted-attack.html
4. The Open Web Application Security Project (OWASP).
A nonprofit foundation that works to improve the
security of software. OWASP publishes a yearly 'Top
10' web application security risks to eliminate and
provides information on cyber security risks and
vulnerabilities.
a. https://owasp.org/www-project-top-ten/
MR. STEPHENSON stated that breaches to SolarWinds, Colonial
Pipeline, Florida School District and health care attacks
happened through the public-facing internet.
10:45:30 AM
MR. STEPHENSON directed attention to the fifth item in Appendix
H on page 27 of the presentation:
[Original punctuation provided.]
EA Games breached through insecure cookies. Cookies
play an important role in today's internet usage. They
have been designed to help improve interaction with
websites and can track, personalize, and collate,
collect, and share Personal Identifiable Information
(PII) about each user's session. Cookies can also be
extremely dangerous as they can contain PII and data
including login ID and passwords, as well as
keylogging and other data entered on a website.
10:46:12 AM
An example on how critical a cookie can be is the
recent breach of Electronic Artists (EA) Games. The
hacker purchased login and password information from a
cookie off the Dark Web for $10. They then inserted
the cookie into an insecure, and exploitable subdomain
and used this to obtain access to EA Games and steal
the source code for the new FIFA 21 game.
MR. STEPHENSON said this concludes all of the non-Alaskan-
specific information he planned to share today.
10:47:07 AM
CHAIR HOLLAND stated he appreciated Appendix G. He related his
understanding that many of the cybersecurity problems are not
with agencies such as the Alaska state agencies but with vendors
using the IT system.
10:47:47 AM
SENATOR KIEHL asked if the hacks to the Alaska Division of
Elections and the Alaska Court System were due to the
vulnerabilities he identified.
10:48:07 AM
MR. STEPHENSON responded that he has not been engaged by the
state so he could not specifically answer this. He said he was
not a first-hand party to those cybersecurity breaks. However,
he was aware of the vulnerabilities that would have allowed
hackers to access the system.
SENATOR KIEHL recalled that he said the Stuxnet virus was
introduced via the internet. He related his understanding that
the two primary theories were that the virus was introduced by a
thumb drive or early installation in the supply chain but not
via the internet.
10:48:48 AM
MR. STEPHENSON answered that he was correct. He explained that
he used "internet" loosely. He stated that they used Microsoft
zero-day vulnerabilities, which is across the internet. It was
not specifically a direct attack.
SENATOR KIEHL explained the reason he asked was because he
viewed the presentation as a slice of the broad topic of
cybersecurity. Some things were not discussed, such as delivery
by email, ransomware, or encryption issues. He asked what
approach a large organization, such as state government should
take with respect to cybersecurity.
10:49:51 AM
MR. STEPHENSON stated that he works for the Joint Analysis
Center as a lead IT administrator for a couple of systems. IT
typically divides up the responsibility into sections, including
network, Windows, data storage or a specific email section.
Thus, experts help manage the systems for each area.
Cybersecurity experts must know everything, which is a daunting
task. He stated his approach was to focus on a specific area of
specific vulnerability. Cybersecurity has layers that all need
to be protected. If the web interface is removed the site will
be vulnerable regardless of inner protections. All of the hacks
have resulted from vulnerabilities on the public facing
internet.
MR. STEPHENSON highlighted that cybersecurity has many
solutions. Cyber criminals look at three things. First, if the
public face is exposed; second, their ability to access the
site; and third, that since the face is not adequately
protected, the inside is also not protected from the
cyberattack.
10:53:13 AM
MR. STEPHENSON stated that criminals target any opportunity
based on their open-source intelligence information gathered but
not necessarily to target a specific group or organization. He
said that his role is to eliminate the attack vectors to
eliminate the opportunity to target an organization.
10:54:11 AM
SENATOR HUGHES recalled his opening remarks indicated that he
warned the Division of Elections about cyberattack
vulnerabilities. She said she has four questions. First, how far
in advance of the election was the division warned. Second, what
type of communication he used to contact the division and if it
was by email and any response from them. Third, she asked if the
cyber criminals are able to detect his activity when he is
checking and warning agencies, and if so, if they observe any
precautions taken by the organization.
10:55:14 AM
MR. STEPHENSON responded that he was not sure if he should
answer now or in executive session.
10:55:26 AM
CHAIR HOLLAND said he would leave it to his discretion but
suggested he may wish to hold off and answer it during the
executive session.
10:56:05 AM
MR. STEPHENSON answered that cyber criminals are not able to
track his movements. He sends a request to the server, which
responds back with the capabilities. It provides a laundry list
of information that provides him with the webpage and the
infrastructure that he can click on and use. The information he
uses is not trackable but there are organizations that report
and openly track what other people use their tools to do.
CHAIR HOLLAND asked him to repeat his response as part of his
response was inaudible.
MR. STEPHENSON said he responded to Senator Hughes' last
question by saying that what he does cannot be watched or
monitored on the internet because his action is with the server
and the website. He acknowledged that there are organizations
that do track tools others use but they do not track his
movements.
He acknowledged there are a lot of solutions such as the
cybersecurity "onion" model that focuses on one part but not the
entire infrastructure.
10:57:21 AM
SENATOR KIEHL said there are never enough resources in
corporations or government to meet the public's needs or wants.
He acknowledged that the state would be more secure if it hired
his firm and every other cybersecurity firm. He noted the
precautions he takes at home, including a gun safe, and asked
why the legislature should be concerned about its website and
not focus on other things where there is personal identifiable
information.
10:59:26 AM
MR. STEPHENSON responded that what he is presenting is not
commonly implemented across the board. He stated his intention
is to help, educate, and fix. He explained that he engages with
professionals in every industry. Initially, the IT professionals
are affronted by the information he provides.
10:50:26 AM
MR. STEPHENSON referred to the gun safe analogy and pointed out
that the gun safe is locked, the front door is locked but some
things are left outside. CIP could show you that your front door
was left wide open and the safe is wide open in plain view. He
offered his view that the importance to government is connected.
Hackers breached SolarWinds at one location but it was not the
attacker's end goal.
MR. STEPHENSON referred to his initial comments that highlighted
that his firm has been tracking a cyberattack in progress. Just
as at SolarWinds, the attacker spoofed the website, elevated
their privileges and assigned a PKI certificate. This attacker
is slowly finding where it wants to penetrate the system. An
attacker's goal may not be the legislature although the attacker
may use ransomware or encrypt the information it finds and sell
it on the internet. However, their real interest may be to
access other information it can find throughout the government
infrastructure. It could get into critical national
infrastructure such as power, water, and sewage. He said waiting
gives them access through vulnerabilities. It is just a matter
of time, he said.
11:01:15 AM
CHAIR HOLLAND stated his intention to take a short at ease to
break the MS Teams links and then go to executive session.
11:02:22 AM
At ease for the committees to go into executive session.
11:59:47 AM
CHAIR HOLLAND reconvened the meeting and announced the
committees were out of executive session.
12:00:21 PM
SENATOR HUGHES thanked the chair for the extended time for this
hearing. The public heard the presentation at the beginning of
the hearing, including that cybersecurity uses a different scale
for grading. First, she asked if it was possible to raise a
score of "F" to an "A." Second, she asked if he has raised any
government's score. Third, she asked if there is any best
practice for state government portals for reporting and to
ensure review of any warnings issued. She acknowledged that he
wrote to the Alaska attorney general since cyberattacks can be
criminal by nature. She wondered if someone familiar with
cybersecurity would be a better point of contact.
12:02:13 PM
CHAIR HOLLAND asked if Mr. Stephenson was still available.
[An unidentified person commented that Mr. Stephenson was in the
process of rejoining the teleconference].
12:02:28 PM
MR. STEPHENSON advised that he didn't hear the question.
12:02:41 PM
SENATOR HUGHES restated the question.
12:03:49 PM
MR. STEPHENSON answered no, he has not improved any state's
cybersecurity but he has done so with other organizations and
companies. As the legislature's IT manager stated, all of the
findings must be analyzed. Each entity must assess the threat.
Each entity's website is different. Typically, CIP would work
with IT teams to provide solutions.
12:04:47 PM
MR. STEPHENSON said the second question is difficult since a lot
of companies offer cybersecurity solutions. He said the
cybersecurity community is large. He commented that IT personnel
could spend all their time listening to people present their
solutions to issues. He currently works as a freelance
consultant for Cybersec but he works for other companies, too.
He presented data based on Cybersec's interactions with the
webserver. If you have a process it can help. He acknowledged
the need for checks and balances to cut through the chaff to get
to the valuable information. He suggested that this is something
that should be addressed within the IT infrastructure.
12:06:50 PM
CHAIR SHOWER reminded members that this information is not
confidential and the legislature is not breaching security by
meeting to discuss how to improve security to thwart
cyberattacks. The value of this meeting is to identify how
vulnerable the state is to cyberattacks. He recommended that the
state devote whatever time and financial resources are necessary
to address cybersecurity since the state has been hacked. Those
cybersecurity breaches could result in data mining. He said the
third largest economy on the planet is cybercrime, which affects
businesses, government and individuals. He remarked that
reviewing agency security measures is not meant to blame
agencies for not doing a better job but to identify any weakness
and correct them. He characterized it as a continual battle to
"defend your castle." He viewed this as the beginning step.
12:09:58 PM
MR. STEPHENSON said he appreciates when people listen. He
offered to assist the committee.
12:10:32 PM
CHAIR HOLLAND commented that it would likely take time, money
and expertise to address cybersecurity.
12:11:11 PM
There being no further business to come before the committees,
Chair Holland adjourned the Senate State Affairs Standing
Committee and Senate Judiciary Standing Committee meeting at
12:11 p.m.