US Regions Most Vulnerable to a Cyber Attack [Updated 2019]
Introduction to US Regions Most Vulnerable to a Cyber Attack
In December 2016, the Identity Theft Resource Center published a report indicating the top 10 cyber-risk vulnerable U.S. regions. The ten regions (ordered from high to low level of vulnerability) are as follows: (i) Washington, D.C.; (ii) California; (iii) Florida; (iv) Massachusetts; (v) Nevada; (vi) Illinois; (vii) Texas; (viii) Michigan; (ix) Missouri; and (x) Connecticut. In the following sections, we examine the possible reasons for the inclusion of each of these ten regions in the rank list. In the end, we provide concluding remarks.
1. Washington, D.C.
Washington, D.C. is attractive for cyber-criminals because the region hosts a large number of governmental institutions and large companies working in the regulatory field (e.g., lobbying, law, and consulting firms). Such institutions and companies are often subject to cyber-attacks by foreign governments.
See Infosec IQ in action
For example, in 2015, CNN announced that Russian hackers, likely working for the government of Russia, are suspected to be involved in a successful cyber-attack against the White House. In 2012, Wiley Rein (a large law firm in Washington D.C.) was hacked by hackers linked to China's military. The purpose of the attack was the collection of information related to a trade dispute.
WalletHub ranked California as the wealthiest U.S. state. It is home to the Silicon Valley and large technology companies, such as Apple, Google, Facebook, and Uber. Such companies generate hundreds of thousands of cyber-attacks per day. By way of illustration, Facebook alone is targeted 600,000 times a day. This means that every 140 milliseconds (a blink of an eye takes 300 milliseconds), someone attacks the biggest social network.
In 2010, Google reported a massive attack across their corporate infrastructure. According to Google, the attack was targeting information about Chinese human rights activists and twenty major companies. As a result of the attack, Google decided to replace its censored version of Google.cn with a new uncensored version.
Florida attracts cyber-criminals for a variety of reasons, including, but not limited to, (i) the lack of state income tax which leads to less scrutiny by state officials, (ii) the existence of a large senior population lacking information security awareness, and (iii) the constant influx of money in the region. Florida leads the nation in ID thefts. The main reason for this can be the frequent data breaches taking place in the Sunshine State. In this regard, John Breyault, vice president of the National Consumers League noted that: "Data breaches regularly expose sensitive personal information about millions of Florida consumers on cyber-crime black markets." According to him, "without reforms in Washington to better protect consumers' data, high identity-theft rates could become the "new normal" for consumers in Florida and around the country."
Charlie Baker, the governor of Massachusetts, stated that cyber-security is "one of the major challenges" which the state faces. One of the reasons for the success of most cyber-attacks on residents of Massachusetts is the lack of cyber security clusters. Although the state ranks ninth according to the number of cyber-security jobs in the country, the state does not have the organizational capacity to conduct a well-coordinated response to cyber-attacks.
In this context, William Guenther, chairman and CEO of Mass Insight Global Partnerships, noted "In the cybersecurity area, we are playing catch-up. Shame on us. We have many more resources here, but less collective organization. We are still too fragmented."
Nevada is home to Creech Air Force Base (a base responsible for launching military drones), highly profitable casinos, and other entities which are sensitive to cyber-attacks. Such entities are often targeted by state-sponsored hackers. For example, the Director of National Intelligence announced that the Iranian government was responsible for a successful attack on the Sands Las Vegas Corporation in 2014. This allegation was probably based on the fact that the attackers did not aim to steal money and/or credit card details. They aimed at paralyzing the corporate infrastructure to the maximum possible extent. According to Bloomberg, the attacks on the Sands Las Vegas Corporation and Sony Corporation "may represent the beginning of a geopolitically confusing, and potentially devastating, phase of digital conflict."
Although it is highly susceptible to cyber-attacks, Nevada did not allocate any money to cybersecurity in its budget for 2015-2017. The state even decreased its annual budget for Information Technology (IT) cyber-security training to less than USD 15,000. In 2017, Nevada decided to improve its cyber-security capability by establishing a Cyber Defense Center operated by a Cyber Defense Coordinator. According to the governor of Canada, "the Cyber Defense Center will help Nevada detect, prevent, and respond to cyber-attacks and stand ready to partner with local governments and the private sector to minimize cyber risks." Only time will show whether the Cyber Defense Center will remove Nevada from the list of the most cyber vulnerable U.S. regions.
Illinois is widely known for the attacks on state government computer systems. To illustrate, the Illinois State Board of Elections system was compromised in 2015. The main reasons for the success of such attacks are two, namely, lack of (i) information security awareness and (ii) funding necessary for implementing cyber defense-related projects.
Kirk Lonbom, chief information security officer for Illinois' Department of Innovation and Technology, stressed the importance of security awareness by saying: "People at their workstations and laptops are really our best line of defense, but they need to be trained and aware of how to defend themselves and not fall prey to phishing attacks, etc." To decrease the number of cyber-attacks, the government of Illinois adopted a statewide security awareness program. The program aims to train 50,000 state employees.
Although the government of Texas has adopted comprehensive information security measures, its governmental computers are subject to more than 5 billion attacks on a monthly basis. Being the second most populous U.S. state, Texas faces challenges related to protecting all of its 254 counties. For example, last year, the computer of a governmental employee working for Tarrant County was compromised by a ransomware program. After penetrating an extensive security system, the malicious program demanded a payment of ransom. The incident response team succeeded to restore the files and neutralize the ransomware within an hour.
Texas aims to strengthen its cyber-security capability by adopting two legislative bills. The first will focus on cyber-criminals, whereas the second will call for cyber-security studies aiming to boost the cyber security of the second largest U.S. state.
Although the state of Michigan invests significantly in cyber defense, its computer infrastructure may still have major security loopholes. For example, in February 2017, The Detroit News reported that private information (e.g., social security numbers and names) about 1,9 million individuals stored on governmental servers was potentially exposed to unauthorized viewers. The security vulnerability was caused by a software update.
Despite the large number of cyber-attacks, Michigan is one of the U.S. states with the most comprehensive cyber security protection. Michigan Cyber Civilian Corp (a group of volunteering cyber experts) and Michigan Cyber Defense Response Team actively contribute to the cyber-defense of the state.
Missouri reports an average of 2 million cyber-attacks attacks on its state computers per month. Mike Roling, Missouri Chief Information Security Officer, stated: "In today's cybersecurity climate, we are all under a constant threat of attack." Many of those incidents are caused by malware and late identification of security threats.
The Missouri Office of Cybersecurity addressed these challenges by adopting a malware detection tool and early warning system. The latter identifies information security vulnerabilities and transfers the collected information to governmental actors. Furthermore, the government of Missouri adopted a comprehensive attack response program which was highly rated by the International Data Group.
Laurent Michel, co-director of the Connecticut Cybersecurity Center, noticed an increase in the number and complexity of cyber-attacks. A cyber-security study published by the State of Connecticut in January 2017 reveals that the state experience three main types of information security threats, namely, (i) data breaches, (ii) disruption of services relying on IT infrastructure, and (iii) failure to maintain information systems in such a way as to minimize the occurrence of cyber-security incidents. The report noticed two areas for improvement of state IT systems. The first area relates to the lack of automation of hardware and software inventories. The second area pertains to the remediation of known vulnerabilities.
Apart from discussing the information security situation in the top 10 cyber-risk vulnerable U.S. regions, this article clearly indicated a large number of cyber-security attacks in those regions. Facebook, a company based in California, is targeted 600,000 times a day. The governmental systems of Texas are subject to 5 billion attacks per month. Every month, hackers conduct 2 million cyber-attacks on state computers in Missouri. Because most U.S. states improve their incident reporting schemes, we can expect a further increase in the number of cyber-attacks. The impact of these cyber-attacks is significant. McAfee estimates that the average loss due to cyber-attacks amounts to more than 0,8% of GDP annually.
Phishing simulations & training
It is worth mentioning that, although most of the attacks originate from outside the affected organization, 6% to 28% of the attacks are conducted with the help of current or former employees of the infected organizations. Therefore, the prevention of cyber-attacks should include not only technical measures, but also legal and administrative measures, such as non-disclosure agreements, information security policies, and administrative sanctions.
- '2016 Data Breach Stats', 13 December 2016, Identity Theft Resource Center. Available at http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReport2016.pdf.
- Ashford, W., 'Facebook admits to 600,000 cyber attacks a day', 31 October 2011, ComputerWeekly. Available at http://www.computerweekly.com/news/2240106175/Facebook-admits-to-600000-cyber-attacks-a-day.
- Arrington, M., 'Google Defends Against Large Scale Chinese Cyber Attack: May Cease Chinese Operations', 12 January 2010, TechCruch. Available at https://techcrunch.com/2010/01/12/google-china-attacks/.
- Bernardo, R., '2014's Richest and Poorest States', 8 October 2014, WalletHub. Available at https://wallethub.com/edu/richest-and-poorest-states/7392/#main-findings2 .
- 'Charlie Baker cites increase in cyber attacks in Mass', 12 March 2012, Mass Insight. Available at http://www.massinsight.com/blog/news/charlie-baker-cites-increase-in-cyber-attacks-in-mass/.
- 'Cybersecurity Study Pursuant to Special Act 15-13', 1 January 2017, State of Connecticut. Available at http://das.ct.gov/images/1090/2017%20DASCybersecurityReport%20SA%2015-13.pdf.
- Finke, D., 'State of Illinois Makes Strides on Cybersecurity', 24 September 2016, The State Journal-Register. Available at http://www.sj-r.com/news/20160924/state-of-illinois-makes-strides-on-cybersecurity.
- Gehem, M. et.al., 'Assessing Cyber Security: A meta analysis of threats, trends, and responses to Cyber Attacks', The Hague Centre for Strategic Studies: 2015.
- Gibson, W. E., Gehrke-White, D., 'Florida leads nation in fraud, ID theft', 3 March 2015, SunSentinel. Available at http://www.sun-sentinel.com/news/florida/fl-florida-leading-fraud-id-theft-20150303-story.html.
- Goodman, M., 'Future Crimes: Inside The Digital Underground and the Battle For Our Connected World', Corgi Books: 2015.
- Hansen, S., 'Cyber Attacks Upend Attorney-Client Privilege', 19 March 2015, Bloomberg. Available at https://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security.
- Murphy, W., '2016 Cyber Losses and Top 10 Vulnerability Locations', 3 January 2017, Insightful accountant. Available at http://www.intuitiveaccountant.com/people-and-business/top-10-2016-cyber-risk-vulnerability-locations.
- Murren, H., 'Nevada's Cyber Security', 21 January 2017, The Nevada Independent. Available at https://thenevadaindependent.com/article/nevadas-cyber-insecurity.
- Perez, E., 'Sources: State Dept. hack the 'worst ever', CNN, 10 March 2015. Available at http://edition.cnn.com/2015/03/10/politics/state-department-hack-worst-ever/index.html.
- Perez, E., 'How the U.S. thinks Russians hacked the White House', CNN, 8 April 2015. Available at http://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/index.html.
- Sandoval, B., 'Full text of Sandoval's last State of the State address', 17 January 2017, Reno-Gazette Journal. Available at http://www.rgj.com/story/news/politics/2017/01/17/full-text-sandovals-last-state-state-address/96703466/.
- Shueh, J., '$2 million boost sought for Missouri's cybersecurity budget', 6 February 2017, StateScoop. Available at http://statescoop.com/missouri-governor-proposes-additional-2-million-for-cybersecurity.
- Tinsley, A. M., 'Cybersecurity: Don't mess with Texas, one lawmaker says. Really.', 24 February 2017, Star-Telegram. Available at http://www.star-telegram.com/news/politics-government/state-politics/article134827609.html.
'Top 6 Cyber-Attacks on Law Firms', 11 May 2017, Tritium Security. Available at https://www.tritium-security.com/single-post/2017/05/16/Top-6-Cyber-Attacks-on-Law-Firm.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.