Modern field guide to security and privacy

Michigan's battalion of digital defenders raises bar for states' cybersecurity

Other states are now looking to replicate the Michigan Civilian Cyber Corps, something of a volunteer fire department and National Guard that bands together experts to fight cyberattacks.

Courtesy of Merit Networks
Security experts gathered at an Ann Arbor, Mich., Marriott to participate in a training exercise for the Michigan Civilian Cyber Corps, a pioneering new entity conceived to fight back in the event of a major cyberattack.

Kevin Hayes had to act fast. A town was under attack, and it was his team's job to defend it.

It was the first time he was called upon as a new member of the Michigan Civilian Cyber Corps.

Already, criminal hackers had tampered with traffic signals, causing accidents. They were going after bank networks and sensitive personal data from municipal computer files.

"It happened pretty fast. As we all sat down looking at computers, we said, 'How are we going to contain this?' We knew there were bad guys in the system," said Mr. Hayes.

Locating the source of the breach and reinforcing firewalls were the first priorities. Still, the danger was ever-present and leading toward a crippling cyberattack that would shut down large parts of the city's infrastructure. Fortunately, this town had a reset button.

Alphaville is a virtual reality training ground. It's also the site of a competition used by the state's Cyber Civilian Corps (or MiC3), a pioneering new entity conceived to fight back in the event of a major cyberattack. Hayes is one of its elite fighters. His day job is as an information security officer at Wayne State University in Detroit. And when he's called on, like a volunteer firefighter or National Guard soldier, he will join a group of highly trained digital first-responders.

It's a nationwide first, created in October 2013 by the Michigan governor's office to be a rapid response force for computer viruses and hacks affecting state entities and industries across Michigan. After all, the governor's office reasoned, state and local governments build plans to counter emergencies including floods, tornadoes, hurricanes, and wildfires, so why not a digital emergency of "state significance?"

Though the governor has not yet mobilized the team to respond to any incidents, MiC3 is beginning to make a name for itself outside Michigan. Other states are expressing interest in Michigan's model, says Joe Adams, former coach for the cadet cyber corps at the Military Academy at West Point, who assembled the group of highly skilled ethical hackers.

In Wisconsin, for example, Dr. Adams was recently teaching a seminar with state officials there when a massive distributed denial of service (DDoS) attack was launched against the state capitol offices to overwhelm its websites with traffic. It was a catalyzing moment for state officials, who saw "every police car taken off the net," Adams says.

The attack was happening just as Adams was telling officials that a DDoS attack "is like taking a sledgehammer" to a system, he says.

It was a "wake up call," Adams adds, that helped spur officials in Wisconsin to begin looking into creating their own civilian cyber corps.

Defending Alphaville

Adams has been the driving force behind Michigan's civilian cyber corps, leveraging his experience working as the chief information officer at National Defense University in Washington. He's currently the vice president for research and cybersecurity at Merit Networks, a Michigan nonprofit known best for setting up computer networks between the state's public universities.

He set out to recruit team members with a wide mix of backgrounds, with experience at energy companies, the financial services sector, pharmaceuticals, and universities. There are currently four teams in the corps, with five members each, including two computer forensics specialists, two incident responders, and a team lead.

To qualify, Adams designed a highly tricky examination for candidates -- the test has an 85 percent fail rate. Potential team members get just 30 seconds to answer a rapid-fire series of questions. There have been plenty of complaints, including from the governor's office, that perhaps the test is just too tough, and that it keeps the civilian cyber corps from more quickly building up its ranks.

Adams disagrees. "We're not going to pay them, so you want it to feel elite," he says. "You have 20 people who have met a very demanding standard, and if you lower it, you've cheapened what they've done."

Regular training is a key part of ensuring the team is ready when it's called on to defend the state, says Adams. That's why exercises such as the recent one outside Ann Arbor, where MiC3 gathered in a Marriott resort to defend the virtual town Alphaville, are so critical.

"Teams who have played together in an actual challenge will almost always beat every other team," says Tonia Cronin, program manager for the Michigan Cyber Civilian Corps at Merit, which also operates the Michigan Cyber Range, a virtual cybersecurity classroom.

If MiC3 members aren't familiar with each other's respective skills and styles of operating, "You lose hours figuring out that stuff. You have to make split second decisions," she adds. "If you think of a football team, you have a quarterback and have three or four wide receivers. They can all catch the ball, but you have to know who you're throwing it to, who's supposed to be catching, blocking."

Cybersecurity front line

On the day of the Alphaville exercise, Wayne State University's Hayes -- who placed first in the contest -- was simultaneously working to contain a real-life, rapidly spreading virus that had broken out on campus computers. He and his security team at the university were able to quickly contain it on the majority of the university systems, but on day two they found that there were a couple of off-campus computers still infected.

The virus was coming from malicious servers in Serbia and Ukraine, and Hayes says the intent was to capture users' login names and passwords. Time was key when responding to the hack -- it took Hayes and his team 20 minutes to contain it, he estimates.

"But this could've really run rampant -- these things can unfortunately grow out of control really, really quickly," he says. "It's scary to think you have meetings that are 90 minutes long, and when you come out, the entire landscape of what's happening at an organization could have changed. It only takes an hour for something terrible to take root."

It helps, he adds, that MiC3 members are able to troubleshoot with each other. "We send a lot of emails to each other--how have you been? What are you working on? Have you seen anything weird at work," says Kopacsi, the lead forensics specialist on Hayes' MiC3 team. "When you run into a problem, you can shoot an e-mail or give them a quick call," Mr. Kopacsi says. "There's a certain level of trust knowing that when we do ask for help, that it's not going to be put on social media or anything."

Indeed, sharing intelligence is another driving factor behind the corps. For instance, during other war games exercises, "We start telling our little IT war stories," says Hayes. "It's funny how the exact same things I see on a daily basis in my job, they're seeing as well. It really hits home that these problems we face, we're not alone in them--we're not these tiny isolated islands where the problems I have no one else sees," he adds. "That kind of intelligence is worth its weight in gold."

The civilian cyber corps "are the guys who actually work with those systems, and they've been doing it for 20 years," says Michael Yokie, chief warrant officer with the Michigan National Guard, which also teams up with MiC3 for exercises. "I can go to class, or even build a simulated environment that looks like it, but where else are you going to get that experience?"

Now, with the MiC3, "We have a volunteer system that can jump in with us and help us." For this reason, the Michigan National Guard is actively courting the Michigan Civilian Cyber Corps to join their ranks as well. "I actively try to recruit people from the Civilian Cyber Corps," Mr. Yokie says.

Adams hopes the success of the civilian cyber corps not only spawns similar initiatives in other states but also generally helps improve cybersecurity awareness across Michigan. "If you really take the volunteer fire department model, they not only responded to emergencies, but they taught preventative lessons," he says. It's a sort of "McGruff the Crime Dog" model for the Digital Age.
