Recent cyberattacks on businesses and infrastructure across the country have added urgency to a number of cybersecurity projects Hawaii has in the works to help local businesses and nonprofits comply with stricter guidelines for federal contracts.
The changes could mean major adjustments – and significant costs – for some organizations that have benefited from the large military presence on the islands.
“The state is making this effort to educate the local defense industry community about the regulations and the impact they could face if they fail to comply with those regulations as enforcement increases,” said Larry Lieberman, who leads a new compliance initiative for Hawaii-based cybersecurity company Referentia Systems Inc.
“There is literally a tsunami affecting Hawaiian contractors, whether they weather or not, and whether or not they can survive,” he added.
Referentia started its Hawaii defense industry cyber compliance training program last week under a contract with the Hawaii Department of Business, Economic Development and Tourism (DBEDT), providing training on the requirements businesses must meet to maintain military contracts and win new ones.
It is one of several educational initiatives being launched by DBEDT as federal agencies prepare to enforce stricter cybersecurity guidelines for contractors wishing to work on government projects, including requiring third-party certification.
CyberHawaii, a nonprofit that aims to educate Hawaiian leaders and residents about cybersecurity, also offers a government-funded program called Cyber Ready Hawaii, which works with the Cyber Readiness Institute in Hawaii to provide free training to businesses and nonprofit organizations.
On Monday, DBEDT and a newly formed Hawaii Defense Alliance hosted a cybersecurity workshop in the Entrepreneurs Sandbox in Kakaako to get the word out.
“We are really focused on making sure our small and medium-sized businesses are cyber-ready and, more importantly, that they are ready and able to compete for the emerging federal contracts,” said Jill Tokuda, co-director of CyberHawaii. “It can be anything from defense to health care to education.”
This includes training or hiring new employees to use the technology and understanding new policies, which could be particularly costly for smaller local businesses that are already operating at low profit margins. Some of the new guidelines are expected to come into effect before the end of the year.
“Hawaii is particularly at risk”
As businesses increasingly rely on the Internet, cybercrime and network infiltration become more common.
“They happen very, very often. We’re talking about somewhere near every 11 seconds,” said John Tobon, special agent in charge at Homeland Security Investigations Honolulu. “That is a constant burden on the resources and the security apparatus of our infrastructure.”
Earlier this year, Texas-based Colonial Pipeline paid a ransomware gang called DarkSide, which was believed to be operating out of Russia, after it infiltrated the pipeline's systems.
Tobon, who has 24 years of law enforcement experience and has spent the past decade dealing with cybercrime, said the perpetrators are often linked to transnational criminal groups that break into banks, hospitals, and other institutions to steal credit card numbers, medical records, and Social Security numbers that can be used for identity theft and extortion.
Sometimes these activities involve greater effort. China, Russia, North Korea, and Iran have military and intelligence organizations trained in cyber warfare. Tobon said the line between common criminals and state-sponsored hackers can be a “gray area” as governments often work directly or indirectly with criminal groups.
“Hawaii is particularly vulnerable or a particularly important destination because of its strategic importance,” said Tobon. “All military bases and facilities in the state of Hawaii are targets for these state actors, and along with (them) the universities will be targets.”
The Navy helps fund the University of Hawaii’s Applied Research Lab, which develops civil and military technology, including classified projects. Government-backed hackers have aggressively attempted to sniff out intellectual property and designs that the American military could use.
Military bases are also integrated into the state power grid. The military and the state have worked together by investing in renewable energy projects on the islands to reduce their reliance on imported energy sources in the event that utility lines are cut off in a disaster or conflict. But cyberattacks could devastate the network itself, despite no major incidents being reported.
“We saw attacks on the power grid in several states,” said Tobon. “I think that’s a big concern for everyone involved.”
In May, the Army and Hawaiian Electric Co. tested the Schofield Generating Station, a $148 million facility built through a public-private partnership between the two.
They took Schofield Barracks, Wheeler Army Airfield and Kunia Field Station off Oahu’s power grid and forced them to rely on the station as a test to see how the bases would fare if an event interrupted their power supply.
“Regulations were ignored almost everywhere”
The Pentagon founded the US military’s Cyber Command in 2010. At the time, analysts criticized American military and intelligence organizations for being behind the digital curve, while Russian and Chinese cyberwar initiatives had already penetrated deeply into American systems.
“The government passed regulations back in 2016 requiring contractors to tighten their belts on cybersecurity, and those regulations have been ignored almost everywhere,” Lieberman said.
Companies, especially subcontractors, often signed contracts containing references to federal regulations that many workers had never actually read. The Pentagon’s in-house watchdog agency has conducted several investigations over the years that found that both service members and contractors were routinely ignoring cybersecurity guidelines.
In 2018, investigators analyzed the cybersecurity practices of seven contractors working for the Missile Defense Agency and found that five of them “did not always or consistently use multi-factor authentication to access unclassified networks that contained technical information.”
“Many of them start by exploiting a vulnerability created by human error,” said Tobon. Troops and contractors often failed to update passwords, used easy-to-guess codes, left networks unlocked, or clicked on suspicious links from their work computers.
“There is a lot more awareness on the streets now as the government is now saying it will require companies to be third-party certified to prove they have met these requirements that they should have already met,” explained Lieberman.
One of the challenges Hawaiian companies face is finding local cybersecurity talent. Both private companies and government agencies compete for a small pool of skilled workers. The University of Hawaii is receiving military assistance to strengthen its cybersecurity programs.
“It comes down to securing the entire supply chain, because that’s where bad actors know they can infiltrate and really get to the good things,” said Tokuda. “We have seen in the last rounds of attacks and intrusions that it is not the big companies at the top with all levels of protection that matter, but these subcontractors and those across the board.”