The cost of attacks against government infrastructure came into focus last week as agencies warned employees against opening phishing emails disguised as Google Docs requests.
The attack, which targeted journalists, government employees, academics and private company email accounts, cost the state of Minnesota an estimated $90,000 in labor, according to state Chief Information Security Officer Christopher Buse. Other states did not report estimates of what the disruption cost, but similarly noted the time and effort required to ensure such attacks do not grant outsiders access to government networks and data.
Minnesota's estimated cost of the attack is based on 2,500 employees who received one of the 13 variants, with an estimated 3 minutes of work time per employee. This cost was just for one attack and the problem is getting worse, Buse said.
Google quickly neutralized the threat by disabling the associated phony accounts and fake pages while patching the underlying vulnerability that made the whole thing possible. But attacks like this won't be the last, and they're certainly disruptive, said Michael Geraghty, director of the New Jersey Cybersecurity Communications & Integration Cell at the state Office of Homeland Security and Preparedness.
No one in New Jersey state government fell for the spoof, Geraghty told StateScoop, but the incident taught his office "a lot of things."
"If things can get through [Google], things can get through just about any organization, so regardless of whether the email is from a contact in your contact list, you always have to be suspicious of what I'll call unsolicited emails — things coming to you that you weren't expecting," he said.
As of 2016, more than 85 percent of organizations had fallen victim to a phishing scam, according to Wombat Security. The upside, Geraghty said, is that the prevalence of these types of attacks is improving awareness and it's getting harder to trick people. But attacks, like the Google phishing attack, are becoming more convincing.
"The biggest concern I have with phishing emails is that when they're used to gain the credentials of the individuals that are opening it," he said. "Those are the key to the kingdom."
Arkansas State Chief Security Officer Frank Andrews reported that the impact on his agency was "fairly minimal" because state agencies do not use Google Docs, so the emails were obviously bogus. In an email to StateScoop, Andrews said it was different for the state's K-12 system. Many of those schools use Google Docs.
"In most cases, the 'sender' was someone they were familiar with and that aggravated the situation," Andrews said. "They remediated by sending out notifications to personnel and warning them about the threat."
In Florida, the attacks were similarly disruptive as the technology agency issued warnings and kept close watch, said state Chief Information Security Officer Danielle Alvarez, but information sharing efforts and layered security controls stemmed a lot of the negative outcomes that might have occurred. Florida officials reported no signs anyone clicked the emails.
"We have embedded security awareness programs so deeply in each agency that there are a lot of continual outreach activities to downstream staff," Alvarez said.
A "holistic" security program addresses end users, while an information sharing network allows security managers to quickly notify their staff of the issue using the methods they know will be effective, Alvarez said. This is much more effective, she said, because if everyone is getting their information directly from a centralized source, the message is sometimes lost.
"A couple" Florida state agencies reported being targeted by the scam, but email filtering helped show the bogus emails for what they were, she added.