C O N N E C T I C U T

Cybersecurity
Strategy
DANNEL P. MALLOY
GOVERNOR
July 10, 2017
 Connecticut Cybersecurity Strategy Page 1

Photo: User:Colin /
Wikimedia Commons,
via Wikimedia

Table of Contents
Introductory Note 3 Business 19
Executive Summary 4 Critical Infrastructure 19
The Threat 5 Financial Services 21
Our Shared Vulnerability 6 Insurance 23
Our Marching Orders 7 Defense 24
Higher Education 26
Strategic Vision and Principles 8
Law Enforcement and Security 29
Vision 8
Principles 9 Conclusion 34

Sectors 15 Appendix 35
Connecticut State Government 15 A Cyber Defense Primer 35
Municipalities 18 The Catastrophic Attack 35
Page 2

This page left intentionally blank.

 Connecticut Cybersecurity Strategy Page 3

Introductory Note
The digital age has put us in a tug-of-war The Connecticut Cybersecurity Strategy that
with technology. Every part of our lives I announce today is a significant step. It
and our work is touched byif not driven specifically highlights state government,
bydigital technology. Were not going municipalities, business, higher education
to change that, nor should we. But the and law enforcement. But its principles apply
dangers that go with that digital exposure universally, and will form a pathway to a
are relentless and escalating. more detailed, operational action plan.
We have to confront and figure out This strategy makes it clear that we cannot
this problem. Every person, agency, ignore the problem of digital insecurity. We
organization and business in Connecticut cannot wish it away. And we cannot wait
faces some degree of vulnerability. for someone else to solve it for us. I firmly
You are affected whether you are a major believe that, if we embrace cybersecurity as a
corporation or the convenience store down perennial priorityas a daily responsibility
the block, the General Assembly or part of the safety and competitive advantage we can
our judicial system, a millennial or a senior gain for our state could be immeasurable.
whos off the grid, but whose health history I am grateful to Chief Information Officer
and tax returns are sitting in government Mark Raymond and Chief Cybersecurity Risk
databases. And you must be part of Officer Arthur House, and to all those who
Connecticuts effort to control the effects supported them in crafting this strategy.
of digital exposure. Security is not an end point; it is a process. I
In 2014, I called for a cybersecurity call on everyone in Connecticut to be part of
strategy to cover our vital public utilities. the effort to turn this strategy into action.
We did that and launched an action plan
now in operation. I am proud that our
state got out front in that effort. In 2016
we went further to see what we could do to Dannel P. Malloy
make Connecticut more secure and one of Governor of the State of Connecticut
the most cyber-savvy states in the nation.
 Page
Page44

Connecticut State Capitol

photo by Anthony Calabrese

Executive Summary
This strategy has a dual mission. First, it is aimed at putting the entire state on the same page when it comes
to cybersecurity. We must be unified in understanding the nature, ubiquity, urgency and persistence of the
cyber threat. Second, it is to put the entire state on the same path. The strategy sets forth seven foundational
principlesexecutive leadership and awareness, literacy, preparation, response, recovery, communication and
verificationthat will lead the way to an action plan and adapt to any public or private entity.
Such an ambitious mission requires leadership. That is why the primary audience for this strategy is Connecticuts
leadersthose who oversee our General Assembly, Judiciary, municipal governments, businesses, civic
organizations, higher education institutions and law enforcement units.
This strategy discusses these principles and challenges from the perspectives of five sectors:
Connecticut State Government;
Municipalities;
Business (emphasizing critical infrastructure, financial services, insurance, and defense);
Higher Education; and
Law Enforcement and Security.
These sectors were selected because of their statewide importance, as well as their special status as both prime
targets and prime defensive players in the event of a major incident. They matter, and cyber adversaries know
that.
However, the authors hope that all readersindividuals and representatives of other sectorswill see themselves
in the issues raised, the principles offered and the path toward solutions.
Several themes are woven throughout this strategy:
1. Education and training are vital to the culture change Connecticut needs to optimize prevention and to be
always at the readyalert and prepared to manage response and recovery;
 Connecticut Cybersecurity Strategy Page 5

2. While respecting privacy and proprietary Any data passed through the Internet and
information, government and businesses any Internet-connected device is susceptible
must break down silos and embrace to compromise. As a result, cyber attacks
communication and information sharing. are potentially life-altering. We are utterly
No one has a corner on insights and best dependent on networked devices and systems,
practices; and for better and worse, our digital world
3. Our state must adopt cybersecurity is built for speed, access and information
as a perennial priorityas immutable as sharingall qualities that are incongruous with
essential services and public safetyand the security principles needed to protect us.
factor it into decisions about both short- Threats range from dissemination of
and long-term resources and actions; embarrassing or false information about an
4. No one and no organization is immune. individual all the way to use of cyber attacks
Everyone and every organization has a stake as a weapon of war. In between is the growing
in this game and a role to play in making industry of ramsomware, estimated by some to
Connecticut more cybersecure and cyber- have harvested global revenue of over a billion
savvy. dollars in 2016. Hackers paralyze systems and
demand payment to release the computers,
5. Robust cybersecurity can become a often requiring payment in bitcoin. Normally
Connecticut hallmark, making our state it is not possible to identify the hackers or to
an even more sought-after place to live and trace bitcoin transactions. Some insurance
work. companies and law firms now have practice
areas devoted to bargaining with hackers,
arrange payment and ensure restoration of
THE THREAT service, and understandably so.
Cyber attacks are different from information Police departments have been forced to manage
technology system break-downs or natural dispatch calls manually. San Franciscos
disasters, which can be remedied with standard, public transit system was unable to receive
operational best practices. Cyber attacks are fares during a Christmas shopping weekend.
crimesmalicious acts intended to steal data, Attacks recently hit hospitals in England and
disrupt services or corrupt and disable systems. Scotland. Business and municipal services
Attackers are stealthy, often invisible and able in Connecticut have also been hit. Initial
to strike from anywhere in the world. Methods reaction to a ransom notice is often anger and
of attack are so mercurial they can shift while an defiance. But when one considers the impacts
attack is underway. of losing police or fire services, shuttering a
hospital or losing all of a law firms client files,
ransom is often paid. And ransoms tend to
be deliberately calibrated to be affordable.
The firm Symantec estimates that, while
ransomware demands are rising, the average
demand tripled in 2016 to $1,077.
The tension between enjoyment of online
services and exposure to compromise is
especially notable with the Internet of
Things. Companies are not just selling goods
online, they are enticing us to have smart
homes and offices, by enabling us to use
devices remotely to adjust thermostats, activate
cameras, open garages, even manage complex
equipment.
Page 6

The means of potential attack vary from simple

phishing intrusions to the implantation of
malware into corporate operating systems or
public utility critical infrastructure. Larger
scale regional or national attacks could
involve shutting down a natural gas pipeline,
coordinating events in several states or
detonating a nuclear weapon from a satellite to
trigger electro-magnetic effects that knock out
electricity distribution. Whatever the intention
The flip side of such innovation is that if we
of such attacks, their second and third order
continue on the current track, by the end of
effects could be catastrophic.
2018, a Business Insider report projects that the
number of devices creating inadequately secured, The messages are clear: cyber dangers are
potential attack vectors to our homes and diverse and serious; offense is outpacing
businesses will grow from 6.6 billion in 2016 to defense; and our daily digital life is a threatened
22.5 billion in 2021. environment.
Connecticut and the country do not need
an Internet of Things. We need an Internet
OUR SHARED
of Secure Things. We need to reach a point VULNERABILITY
where security is addressed at the design stage Connecticut must act with a sense of
rather than as an add-on or correction, and community. All individuals and entities
when production standards for secured device face the potential for severe harm. We must
technology are consistent among states. But we collaborate to raise awareness of the dangers,
cannot wait. Connecticut must move to protect strengthen our defenses and prepare to respond
itself. and recover. We are connected in this effort.
Where do threats come from? Powerful potential National experts confirm that almost everyone,
adversaries such as Russia or China could be including in rare instances the Intelligence
perpetrators. But the concept of asymmetrical Community and cutting-edge firms, has
warfarethat a weaker opponent can best a been or will be penetratedbanks, utilities,
stronger one with unconventional tactics and hospitals, schools, manufacturing and services
weaponrycertainly applies to cyber warfare. firms and national, state and local governments.
Aggrieved nations, such as North Korea or Iran We saw it happen when the identities of
could act. Individuals or groups for hire (cyber Americans with security clearances were
mercenaries) and even our own citizens are stolen from the federal Office of Personnel
potential sources of attack. These adversaries Management, and when some of our largest
have the ability to disguise their locations companies had devastating security breaches.
and identities, complicating attribution and
The Privacy Rights Clearinghouse estimates
retaliation.
that, during 2016, all government and military
Former President Obama warned that, at in the United States had a total of 5,329,961
low cost, both state and non-state actors can breaches; remarkably only 27 were made
penetrate core functions in our society, and public.
that ability is moving faster than our defenses.
Here at home, of the roughly 4.8 billion
Admiral Michael Rogers, Director of the
connection attempts per month to the
National Security Agency and head of United
state network from external computers,
States Cyber Command, warned in 2016 that, at
approximately 2 billion, or 42 percent, are
some point, the United States will see an attack
blocked by perimeter security, based on known
on our critical infrastructure. We have already
malicious Internet protocol addresses or threat
seen such an attack, he noted, against Ukraines
signatures. In a typical month, state anti-virus
electric grid.
 Connecticut
ConnecticutCybersecurity
CybersecurityStrategy
Strategy Page
Page77

Connecticut State Capitol photo by Anthony Calabrese

protection catches about 2,400 malware infections before they install. Despite this protection, state
third-party monitoring detects an average of 66 infected or compromised state systems per month.
The severity of potential harm and the fact that no one is immune must be heard loud and clear, not
to stoke fear, but to prod us to act, particularly those involved in protecting the security and wellbeing
of our state.
If the public and private sectors do not commit fully to this reality, strategies and action plans
developed by the state, individual agencies or private entitieswill not be effective, and we will never
realize the benefits and competitive power that come from living in a safer, more cyber-aware state.
OUR MARCHING ORDERS
There is no international or national governing regime for cybersecurity. Thus, we
must defend ourselves, which demands new habits and sensibilities. At the same
time, we can never stop inventing and investing in knowledge and systems that
improve our lives and ability to compete.
To both embrace and protect our digital lives, and to make Connecticut a
more resilient, safe, competitive state, Governor Malloy called for a statewide
cybersecurity strategy. It will be followed by a more explicit cybersecurity action
plan to execute the strategy.
Page 88
Page

Statue of Nathan Hale

Strategic Vision and Principles

VISION
Cyber attacks are different from information technology (IT) system breakdowns, which can be addressed
with standard, operational best practices. Cyber risk management means preparing for and responding to
deliberate, malicious acts designed to disrupt services, steal data, inflict terror or misuse IT systems.
Our ability to connect anything to anything and anyone to anyone is now a cornerstone of our economy and
lifestyle. Using the Internet is virtually effortless. Protecting ourselves from the Internet takes work, and that
is what the Governors directive and this strategy are all about.
The Connecticut Cybersecurity Strategys goal is to strengthen the awareness and resilience of public and
private entities to reduce the likelihood and severity of large cyber attacks. Achieving this goal requires
making cyber defense a shared priority.
Americans are effective responders to tragedy and emergency but are less apt to act pre-emptively. If
Connecticuts public, private and corporate citizens embrace cybersecurity as a unifying goal, and work
together, we can be among the states leading the way to enhanced, nationwide cybersecurity.
In other words, managing cyber risks can provide a competitive advantage for Connecticut businesses, a
more secure living environment for Connecticut residents and better stewardship of information and services
by Connecticut state and local governments.
Achieving this visionin which every citizen and organization has a stake and a role to playwill make
Connecticut an even more sought-after place to live and work.
 Connecticut Cybersecurity Strategy Page 9

PRINCIPLES Executive Awareness and

The strategic path to this vision is built on Leadership
seven principles: Executive awareness and leadership will largely
1. Executive awareness and leadership define the success or failure of this strategic
undertaking. Business and government leaders
2. Literacy
may have full plates and limited time, but
3. Preparation there are ample reasons why cybersecurity
4. Response should be one of their persistent priorities:
5. Recovery A single incident can be devastating.
Virtually all organizations house large amounts
6. Communication
of information on people and businesses.
7. Verification. Cybersecurity losses can have serious, material
These foundational principles apply to all effects on financial performance and personal
five sectors highlighted in this strategy security. Should this information be corrupted
Connecticut state government, municipalities, or stolen, those in charge potentially face loss
business, higher education and law of reputation and trust, financial reversals,
enforcement and securityacknowledging fines and penalties and inability to focus on
that each has its own strengths and limitations. business, while recovery and remediation are
These principles are complementary and underway.
encompass the range of efforts required to There is No Status Quo. Todays firewall
build a secure cyber environment statewide. is tomorrows soft spot. Cyber risks are
In putting them into action, it is important, inherently complex and changing. Attackers
and heartening, to recognize that experience are stealthy, and their motives and tactics
counts. Existing disaster recovery, continuity are in constant flux. Failure to recognize
and contingency plans can and should be and address threats as they emerge or change
incorporated into cybersecurity planning. escalates the impacts.
Lessons already learned about resilient design, All eyes are on you. To mold organizational
redundancy, failover, clustering and network behavior into a cybersecurity culture,
and application architectures have roles to play executives must attend security awareness
in cybersecurity response and risk reduction. training, practice safe computing and
There is no reason to reinvent defenses that are recognize that subordinates emulate their
already compatible with cybersecurity. leaders.
This threat demands a wide-angle view.
Often, only executives have a sufficiently
broad view across an organization to ensure
crossboundary compliance. Leaders have a
special responsibility to execute cyber policies
based on their encompassing perspective.
Improvement requires attention. Items
that executives keep at the top of the agenda
receive staff attention. Cyber risk deserves
the same attention executives give to financial
and market risk. Asking about the status of
cybersecurityincluding requiring quarterly
updates, annual dashboards and trend
reportingsustains a sense of urgency and
leads to action.
Page 10

Leaders ask critical questions. An effective To improve literacy:

executive can influence organizational behavior Training and educational programs should
by asking: begin in grade school and build throughout
What are we doing to protect important data? ones life. Schools, libraries, employers and
senior centers can all become hubs for the
How would we know if we had been basics on fraudulent email and websites;
breached? All employees should have refresher and
How quickly could we recover from a cyber professional development training in
attack? cybersecurity;
Workplace communications, professional
Are we leveraging our human and technical
development, accountability and training
assets appropriately to protect our information?
should emphasize that best practices,
How complete is our understanding of responsibility, security and risk mitigation
current cyber threats? are part of every function;
Auditors should be trained to include
To what extent have we reduced our risks in
cybersecurity as a priority focus; and
the past year?
Our educational systems should support the
To what extent have we reduced cyber development of curricula for cybersecurity
incidents in the past year? professionals and encourage post-secondary,
advanced certifications in the field.
Literacy
Almost every major cyber intrusion, at home Preparation
or work, starts when an individual unwittingly
This principle, like Response and Recovery, is based
opens a door to attackers. Our strategy
largely on the states experience responding to
recognizes that we must both establish a
emergenciesprimarily natural disastersthrough
minimum base of knowledge to identify and
the State Response Framework.
prevent cyber intrusions, and continue to build
specialized skills to address the more complex Of course, a cyber incident differs from a natural
cybersecurity tasks. disaster in that: 1) an attacker has intent to steal or
harm, and 2) the technology environment changes
A literate, mindful citizenry and workforce
every day. Still, preparation for cyber incidents,
create a strong cybersecurity culture.
large or small, can benefit greatly from these known
and understood structures.
 Connecticut Cybersecurity Strategy Page 11

Helpful, adaptable lessons learned include:

Conduct regular risk assessments in accordance with industry standards. The State of
Connecticut recently conducted an agency-by-agency self-assessment against Center for
Internet Security (CIS) critical controls. There are also sector-specific tools for industrial
control and financial systems.
Use a credible information security framework from a source such as the Center for
Internet Security (CIS), the National Institute of Standards and Technology (NIST) or
the International Organization of Standardization (ISO) to create a proactive protection
program.
Include cyber risks and risk assessments in strategic and operational planning, including risk
identification and assessment.
Train constantly to hone literacy and technical skills, and to rehearse and modernize
continuation of operations (COOP) and continuation of government (COG) plans. Well-
planned training and exercises can enable local, state and federal partners to teach and
mentor each other to enhance both situational awareness and their chances of avoiding or
mitigating cyber threats.
Share information with public and private entities via the State Cybersecurity Committee,
through public service announcements and, when appropriate, with law enforcement and
Connecticuts intelligence fusion center. Develop plans for use of a web portal and social
media.
Institute incident response plans aligned with the State Response Framework, following
the National Incident Management System (NIMS). Planning should include continuity
of operations and continuity of business plans. Rehearse on a stand-alone basis and with
federal, state, local and private partners.
Staff an incident response center and practice its use. The field of cyber defense and threat
mitigation is in its initial stages. Connecticut needs to be part of the national discussion on
how the federal government and states can collaborate to contain or eliminate harm from an
active attack.
Take advantage of mutual aid, if an incident warrants additional resources, via the Intra-
State Mutual Aid Compact, state-to-state Emergency Management Assistance Compact or
International Emergency Management Assistance Compact.

Response
Cyber events are virtually always complex because attackers will employ a variety of tactics and even
change tactics during an attack. A common example is a denial-of-service attack that distracts from
an actual system intrusion, until it is too late.
Response requires:
Executing incident response plans;
Activating a cyber disruption response team;
Reporting to a sector-specific Information Analysis and Sharing Center (ISAC) for
coordination and, when appropriate, to Connecticuts intelligence fusion center and/or the
national level;
Escalating authority and responsibility, when appropriate, to a multi-jurisdictional, multi-
discipline response team following the State Response Framework;
Page 12

Providing situational awareness and subject matter expertise to the State Emergency Operation
Center, if activated;
Launching business continuity operations.
Recovery
Recovery operations must be as nimble as Response operations, because consequences of attacks
are increasingly difficult to predict. The fallout could include financial, physical, reputation and/
or other damage. Connecticut has a State Disaster Recovery Framework that provides a general
recovery structure in the event of an incident affecting public safety. Cyber threats add new
demands to that recovery structure.
Recovery requires:
Identification of damage from the attack;
Investigation and data collection;
Root cause analysis;
Eradication of the threat and restoration of operations;
Creation and distribution of an after-action report that summarizes the event, lessons learned
and follow-up remediation activities; and
Follow-through to execute recommendations and mitigation actions.

Communication
Organizations and individuals do not enjoy equal access to threat intelligence about the extensive
array of wily and pernicious cyber foes. That is why an important goal of this strategy, and the action
plan to follow, is to foster coalitions and information-sharing behavior across Connecticut and with
regional and federal colleagues.
Even recognizing the need, in some organizations, for discretion or secrecy, cybersecurity demands
that organizations break down silos and embrace information-sharing habits. Vertical and horizontal
information flows allow coordinated action and lead to better decisions about resource allocation
within and among organizations.
In addition, formalized groupssuch as the Multi-State Information Sharing and Analysis Center
(MS-ISAC), regional chambers of commerce or groups organized around common interests, such as
insurance, finance, law enforcement and the Connecticut intelligence fusion centerenhance shared
understanding of risk, response and recovery.
Leaders and their communications professionals should:
Advocate common understanding of risks, threats, potential consequences, operating
environments, goals and objectives;
Use common terminology and measurements internally and with outside
partners. Promote communication standards, such as TAXII (Trusted Automated
eXchange of Indicator Information), STIX (Structured Threat Information
eXpression) and CybOX (Cyber Observable eXpression) to automate situational
awareness;
Assure coordinated actions within and among organizations;
Use the Connecticut Cybersecurity Committee for information exchange with
judicial, legislative and executive branches of government, federal partners, state
agencies, local governments and/or private sector leaders;
 Connecticut Cybersecurity Strategy Page 13

Initiate or support industry and area-specific forums to foster regular dialogue and share policy
templates and best practices. Recognize and support the role the non-profit Infragard plays as a
communications nexus between the corporate world and the FBI in cyber matters;
Support the use of social media and development of a cybersecurity website as a hub for
Connecticut residents, businesses and public sector organizations to find information, report
incidents and obtain access to resources.
In addition, in the event of a major incident, the importance of the media cannot be overstated.
Crisis managers need to ensure that the media are able accurately and coherently to communicate the
facts of a cyber crisis. National security officials warn that an attack by a nation state on state systems
or critical infrastructure would most likely include disinformation, rumors and messages to instill
panic and thwart order. The Governor must have considered, ahead of time, and perhaps already
composed, messages to pre-empt fake news and/or reassure the public with instructions and updates.
The media will be a critical ally and conduit in this effort.
Crisis communication plans must also include practical, technical considerations. Any intrusion that
affects electricity will eventually disable devices that require recharging and backup. It used to be that
if electricity went down, the landline system remained operational. No longer. Cable, broadband
and other ways of sharing news are vulnerable to the disruption of electricity. Without the ability
to recharge mobile phones and without secured management of generator fuel for cell towers, much
of the population will need other ways to receive communications necessary for reassurance and
potentially for survival.

Verication
Verification answers the question: Are our efforts actually working to lower cybersecurity risks?
Public and private entities must measure and report progress, or lack thereof, against each of this
strategys other six principles. Without this introspection and candor, it will be difficult to determine
if efforts are making a difference for the organization and for Connecticut.
For those concerned about cybersecurity, questions to pose:
Executive Awareness and Leadership
Do leaders (Governor, legislators, mayors, CEOs, et al.) receive regular briefings on threats,
incidents, risks, mitigation and workforce needs?
Page 14

Are policies and actions being updated or Recovery

amended based on such briefings?
Are we experiencing similar cyber events
Are leaders using their bully pulpits to repeatedly?
reinforce cybersecurity awareness and risk
reduction? Are all incidents scrutinized in after-
action reports?
Literacy Are all remediation steps followed to
How many public service announcements completion?
have focused on cybersecurity? Communication
What percentage of school districts and
libraries teach safe computing? Do all appropriate organizations,
entities, disciplines and sectors have
What percentage of businesses and representatives participating in the
employers include safe computing and monthly Connecticut Cybersecurity
security awareness in their orientation and Committee meetings?
refresher protocols?
Have inter-governmental and business
How many post-secondary cybersecurity cybersecurity forums been established,
class options are available in the state? and are they ongoing?
Preparation Have repositories for policy templates,
best practices and tools been established,
Is a recent security risk assessment in and who has accessed them?
place, and has management reviewed it?
Are organizations sharing cybersecurity
Is a Cybersecurity Incident Response Plan information using automated exchange
in place, updated regularly and available standards?
to those who need access?
Are standardized terms used across
Have there been at least 10 meetings documents and organizations, and
of the Connecticut Cybersecurity are they boosting understanding and
Committee within the past 12 months? response?
Has cybersecurity threat been part Has a website been established as an
of Connecticuts annual, statewide information hub, and does it provide
emergency response exercise in the past accurate information and links to useful
two years? resources?
Response
Have all cybersecurity events been
managed according to the Incident or
Disruption Response Plans?
Have all incidents been reported through
the applicable ISAC, to law enforcement
or to the Connecticut intelligence fusion
center?
Have changes been made to reflect lessons
learned?
 Connecticut
Connecticut Cybersecurity
Cybersecurity Strategy
Strategy Page
Page 15
15

Connecticut Legislative Office Building

CONNECTICUT STATE

Sectors GOVERNMENT
In the Crosshairs
A damaging cyber hit on any Connecticut
office or business is unacceptable, and all of Hackers actively attack Connecticuts state
Connecticut needs to be proactive. While government daily.
the points raised in each of the sections below Of the roughly 4.8 billion connection attempts
can be extrapolated for other sectors, this plan per month to the state network from external
highlights a select group of government and computers, approximately 2 billion, or 42
business entities because they occupy a special percent, are blocked by perimeter security,
position relative to cybersecurity. based on known malicious Internet protocol
All are prime targets. An assault of sufficient addresses or threat signatures. The state receives
magnitude on any of them potentially would close to 38 million emails per month, of which
have impacts that radiate beyond their walls, about 85 percent are blocked by the enterprise
affecting most, if not all, Connecticut residents. email gateway system. In a typical month,
All are also prime defensive players. Each has state anti-virus protection catches about 2,400
essential resources and skills to help the state malware infections before they install.
through a major cyber-induced emergency. Despite this protection, state third-party
monitoring detects an average of 66 infected or
compromised state systems per month.
As a target, the State of Connecticut, like all
states, is a prize, because it is a trove of data that
Page 16

can be exploited or sold. Due to its responsibilities and issuing a strategy and action plan
for revenue collection, law enforcement, public focused on public utility cybersecurity;
health, including Medicare and Medicaid, among and
many other things, the state has information on Collaborating with the National
virtually all 3.5 million residents and health records Governors Association.
for about 1.2 million.
In addition, the Connecticut Bureau of
On The Right Track Enterprise Systems and Technology in the
Department of Administrative Services (DAS/
Strategically, Connecticut has already taken positive BEST) provides security standards for the
steps by seeing cybersecurity for what it isan executive branch and manages IT systems for
existential threatand for being proactive. the state. In 2016, DAS/BEST facilitated risk-
State government promotes cybersecurity defense assessments by each state agency, and plans to
in all executive branch offices and the five sectors repeat them annually.
addressed in this strategic plan. Oversight is Each Connecticut agency is also responsible
consequential in the cyber arena, because the for its own awareness program and defense
agencies with greater cyber awareness are those that mechanisms, and for working with DAS/
are regulated by state or federal authority (or both). BEST on network perimeter safety and
When Internal Revenue Service, Social Security firewall management, employee access to
Administration or state management and budget unsafe websites, malicious email and antivirus
officials evaluate agencies, reveal weaknesses and measures and backups.
explain how to improve, better outcomes result.
Enduring Responsibilities
State initiatives have included:
Operating the state intelligence fusion center, The state must keep asking how every agency
managed by the Department of Emergency and authority can play a constructive role in
Services and Public Protection; cyber defense, just as they are obligated to act
on fire hazards, fraud and drug problems.
Operating as a clearinghouse for cybersecurity
information sharing; Ways to improve:
Matching cybersecurity demands with training DAS/BEST must keep conducting
and personnel resources; assessments, and help, particularly
smaller state agencies, to boost
Conducting network penetration tests,
adoption of standardized technologies
security assessments and cross-sector exercises;
and security protocols, contracting
Negotiating contracts that balance the cyber- standards and centralized approaches to
related risks and rewards of service providers; multi-factor authentication for critical
Monitoring for and responding to incidents; systems;
Designing active defenses and recommending
statewide and agency-specific technologies,

Photo by Kevin Nodwell

 Connecticut
Connecticut Cybersecurity
Cybersecurity Strategy
Strategy Page
Page 17
17

View of Hartford Photo by J. Carlos Velez

The Office of Policy and Management must State auditors should assess cyber culture
advance its work in classifying categories of in their evaluations;
data by risk level; The Department of Consumer Protection,
The Department of Emergency Services in managing citizen complaints, should
and Public Protection (DESPP) Division direct people to investigation and
of Emergency Management and Homeland prosecution authorities;
Security (DEMHS) must continue to The Attorney General, already active in
coordinate planning, training and exercises, cyber matters, should increase attention to
and integrate cybersecurity issues in its work; potential damage to the state from cyber
Agencies, the General Assembly and compromise;
Judiciary should cultivate cybersecurity The States Attorneys can increase their
cultures to underscore that cybersecurity criminal awareness and prosecution
is not simply an information technology activities, by working with a Connecticut
problem. To ensure that it is part of every cyber incident response team or task force
agency mission and job description, Human to assist investigations;
Resources must tailor recruitment to a
The state must encourage more
workforce that lacks adequate cybersecurity
municipalities to join, either directly or
skills, by seeking new hires with the talent
through trade association representation,
and attitude to commit to cyber awareness
Connecticuts Cybersecurity Committee,
amid resource scarcity;
a venue for state and town representatives
Agencies should examine critical systems to discuss threats, priority concerns
requiring special protection and use and best practices. Each of the five
centralized approaches to multi-factor DEMHS Regional Emergency Planning
authentication; Teams (REPTs) should have at least one
representative on this committee;
Page 18

More municipalities should utilize

the shared firewalls and other Internet
protections available through the
Connecticut Education Network (all school
districts and roughly 100 municipalities
currently participate); and
Connecticut must take full advantage of
federal, cyber-related grant opportunities
available to state agencies and municipalities.
State and local officials must never stop working
to improve preparedness by considering questions
such as: What federal, regional and/or statewide
coordination is required? What steps are necessary an intrusion could bring. CIRMA now
to maintain public order and distribution of vital provides cybersecurity insurance coverage for
supplies, such as food, pharmaceuticals and water? Connecticut municipalities.
Have the media been included in crisis planning, In 2015, Governor Malloy signed legislation
since their credibility and ability to distribute news expanding protections for personal data. In
are essential to recovery? the event of a breach involving residents Manager of Fac
Next steps for Connecticut state government will personal information, municipalities are
prioritize: subject to Connecticuts Data Breach Statute,
Connecticut General Statute Section 36a-701b,
1. Working with agency heads to assess the
requiring notice to both the affected residents
current state of cybersecurity defense and law
and the Attorney General. In response,
enforcement and identify gaps;
many municipalities have implemented
2. Offering the services of DAS/BEST to the written information security plans (WISPs),
General Assembly and Judiciary to assess the documenting the measures they are taking to
current state of cybersecurity defense and to protect the integrity of the information they
identify gaps; collect and maintain.
3. Helping smaller agencies lacking Thus, Connecticuts municipalities are taking
cybersecurity programs to identify basic needs, positive steps to identify, prevent and manage
secure applications, manage contracting cyber threats, and they are motivated to build
standards and pursue other initiatives to start defense programs and join together to identify
building cybersecurity defense; and common vulnerabilities and best practices.
4. Seeking federal grants to bolster To build on this momentum, some initial
Connecticuts efforts. strategic objectives for municipalities should be
to:

MUNICIPALITIES Increase civic awareness of cyber dangers

to municipal government, citizens and
Until recently, cybersecurity was not always local businesses; identify prevention
recognized as a municipal issue or responsibility. It measures; investigate compromises; and
is not a common budget item in Connecticut cities prosecute cyber crimes when possible;
and towns, nor is it a frequent agenda item at the
Connecticut Conference of Municipalities. Join together to make defense a
shared learning experience and reduce
Things are changing. costs. Shared work with CIRMA and
Some cities and towns now have information through the existing DEMHS Regional
technology officers, and some retain IT vendors. Emergency Planning Teams (REPTs)
A recent briefing on cybersecurity threats by the and their Emergency Support Function
Connecticut Interlocal Risk Management Agency (ESF) groups provides a framework for
(CIRMA) raised alarm about the potential damage communication and action plans;
 Connecticut Cybersecurity Strategy Page 19

Embrace collaboration with DAS/BEST to requirement that any business holding electronic
strengthen network defenses; and personal information on Connecticut residents
Assess municipal work underway in other must report to the Attorney General and affected
states and consider tapping other existing residents if the business experiences a security
resources, such as the Connecticut Center breach.
for Advanced Technology. The state has also vested interests in maximizing
Next steps for Connecticuts municipalities will the financial wellbeing of companies, the
prioritize: safety of their employees and the integrity
of their products, and in giving Connecticut
1. Identifying steps each municipality can businesses a competitive edge. Therefore, it has a
take to begin effective cybersecurity defense responsibility to engage the business community,
programs; and vice versa, about how to defend against
2. Investigating how best to use CIRMA disruption. In addition, should issues resistant to
as a resource and clearinghouse to share or not addressed by voluntary solutions emerge
useful information and best practices, in the future, legislative or regulatory approaches
and participating in the Connecticut have to be considered.
Cybersecurity Committee; and However, as is clear in the discussions below,
cilities Planning
3. Encouraging participation in the free it is encouraging that Connecticuts business
services of the Multi-State Information community is taking the initiative to embrace
Sharing and Analysis Center (MS-ISAC). cybersecurity.
For example, Infragard Connecticut, a
partnership between the FBI and the private
BUSINESS sector, is a non-profit organization that seeks to
Cybersecurity has emerged as a top business protect local, state and national infrastructure.
concern, receiving serious attention in business Many Connecticut businesses, as well as academic
publications, at trade association meetings institutions and state and local law enforcement
and through the difficult experience of cyber agencies, have sought Infragard assistance to
compromise. prevent and respond to exploitation of cyber
vulnerabilities.
Government and business share the responsibility
to enhance the states and the nations There are still chief executives, primarily in small
cybersecurity defenses, and they depend on each and mid-market companies, who believe that
other to do it well. cyber problems can be solved with software or
by hiring a security vendor. However, they are
Thomas Bossert, Assistant to President Trump
fewer in number every day, and in the industries
for Homeland Security and Counterterrorism,
highlighted below, cybersecurity is clearly and
in March 2017, suggested a role for the federal
appropriately top of mind.
government is to urge business leaders to think
through the cybersecurity challenge. The goal,
he explained, is not to intrude on business Critical Infrastructure
operations, or to ask businesses how secure they
Critical infrastructure includes a broad array of
are, but rather to ask: how can we help you be
structures and services, beyond the public utilities
more secure?
addressed in this report. Effective cybersecurity
By and large, Connecticut is in sync with this defense compels attention to highways, rail
position. Our state government generally asserts networks, seaports, airports, dams and any other
that it should not and cannot regulate all the ways facility or service that affects lives, safety and
business responds to cybersecurity challenges. economic activity in Connecticut.
That said, Connecticut General Statute Section Public utilitieselectricity, natural gas,
36a-701b, referred to above, includes the telecommunications and water suppliesare
Page 20

highlighted here because their cybersecurity is There would be mutually agreed standards
more than a matter of health and wellbeing; it is to measure progress on cybersecurity
a matter of survival and national security. defense. PURA asked the participating
Utilities are susceptible not just to phishing and companies which standards they preferred,
other social intrusions but also to penetration and all selected the Cybersecurity
through their supervisory control and data Capability Maturity Model (C2M2),
acquisition (SCADA) systems, because SCADA a voluntary evaluation process using
systems can be reached through the Internet, industry-accepted practices to measure the
supply chain devices and other vectors. maturity of an organizations cybersecurity
capabilities.
Because of the potentially profound
consequences, even devastation, of an attack There were further rules of the road agreements
on public utilities, Connecticut issued a regarding non-disclosure, protection of
dedicated strategic plan for public utility confidential information and concurrence on
cybersecurity in April 2014 and an action language used to report results to the Governor
plan in April 2016. Both are available on and General Assembly.
the website for Connecticuts Public Utilities Both of Connecticuts electric and natural gas
Regulatory Authority (PURA). Governor distribution companies (Eversource Energy and
Malloy and members of the General Assembly Avangrid) and its two main water companies
requested the plan, reflecting their increasing (Aquarion Water Company of Connecticut
desire to understand the state of public utility and Connecticut Water Company) agreed
cybersecurity and how it could be improved. to proceed. Major telecommunications
The time had passed when constituent questions companies refused to participate. Broadband
regarding critical infrastructure cybersecurity and cable communications are vital to effective
could go without informed responses and cybersecurity, and PURA has left the door open
assurances that designated officials were for these companies to join the process in the
responsible for overseeing defense. future.
(See Appendix for a discussion of the impact and The 2017 annual reviews started in February
response a catastrophic utility attack could unleash.) and were completed in April. A summary
The public utility action plan called for report by the state and utility participants will
technical meetings in which the electricity and be forthcoming. The consensus assessment is
natural gas utilities, major water companies and that the reviews were very successful and that the
telecommunications companies would work decision to pursue a process designed by mutual
outside the formal docket/regulatory framework agreement rather than formal docket decision
to establish a process to review progress in produced an excellent model for future years.
cybersecurity defense. A spirit of responsible corporate citizenship,
and a desire to respond to the publics need to
Negotiating in the public interest, PURA and understand the state of cybersecurity defense, have
utility officials agreed on three basic points: produced thorough, educational, professional
Annual meetings would review the state of reports and candid discussion of progress and
cybersecurity for each participating utility; areas where performance could be improved.
Participating utilities would bring to these Critical infrastructure in Connecticut is more
annual meetings whomever they wanted, secure, and regulators and emergency managers
internal or external to the company, and understanding of that security is materially
four State of Connecticut representatives advanced because of this new program.
would attendtwo from PURA and Energy industry leaders have called for
two from the Division of Emergency measures to close the gap between the need for
Management and Homeland Security cybersecurity threat intelligence and the scarcity
(DEMHS); and of employees with top secret security clearances.
 Connecticut Cybersecurity Strategy Page 21

Connecticuts critical infrastructure There are understandable reasons for wanting to

public utilities have some access to threat keep cyber breaches secret. Breaches with legal or
intelligence, but need to rely on specialized regulatory implications can involve loss of records
vendors with access to such intelligence to try and damage to a brand name. An April 2017 study
to fill information gaps. of 65 firms by IT consultant CGI and Oxford
During a U.S. Senate hearing in April 2017, Economics found that, since 2013, share prices fell
a number of energy representatives stated on average 1.8 percent on a permanent basis after a
that the U.S. Department of Energy should disclosed breach, with financial services companies
facilitate such clearances so that companies being the most adversely affected.
and government can share valuable Financial services businesses have the advantage of
information. Their plea was supported by long-time experience protecting their processes, data
Colonel Gent Welsh of the Washington and money. Before cybersecurity was a recognized
State National Guard, who underscored the problem, the industry was managing computer
need for the National Guard to work with records and responding to problems with electronic
the private sector, saying that there can be information and systems caused by deliberate or
no partnership without access to needed accidental interruptions. In some ways, traditional
intelligence. financial crimesskimming, over-invoicing and
automated clearinghouse network fraudhave been
adapted to the cyber world.
Financial Services
Financial services firms, in general, and especially
The financial services industry encompasses
banks, consistently underscore that they are already
investment banking, asset management,
thoroughly regulated and do not want further
pension fund management, large commercial
regulation of any sort. Many emphasize that they are
and small community banks and credit
willing to cooperate in strengthening cybersecurity,
unions, and businesses with significant
but want to do so voluntarily rather than through
financial components, including mortgage,
new laws or regulations.
property development and real estate firms.
Other businesses, such as accounting and law Progress
firms, also deal with financial transactions.
The past few years have seen some dramatic cultural
While each firm faces its own cyber
changes in financial services firms to harden defense
challenges, all must treat cybersecurity as a
against phishingone of the most widespread
priority and ensure that public authorities are
threats to the industry. Also known as business
aware of major threats. The cyber threat is
email compromise or BEC, this growing activity
serious in financial services, as is the ardent
has triggered active CEO and board of director
desire to avoid publicity about it. The
involvement, in-house town hall meetings,
Privacy Rights Clearinghouse estimates that
onboard training of new hires and regular training
during 2016, for both financial services and
and testing for all employees.
insurance firms combined, there was a total
of 1,009,897 data security breaches, of which
33 were made public.
Page 22

Intelligence assistance is available from the companies and other financial services regulated
FBI and for subscribing members of the by the New York Department of Financial
Financial Services-Information Sharing and Services to institute:
Analysis Center (FS-ISAC), a global resource Governance controls requiring that a
for intelligence analysis. While the extent and cybersecurity program be adequately
quality of cybersecurity defense vary among funded and staffed, overseen by qualified
banks, some have robust programs, including management, and reported on regularly
twice-yearly penetration tests (both physical to the most senior governing body of an
and network) and red teaming (designating a organization;
group to attempt penetration and compromise).
Some engage external security services to Risk-based minimum standards for
provide constant surveillance. technology systems, including access
controls, data protection and encryption,
One interesting innovation that could be and penetration testing;
adapted to other banks is the Mid-Atlantic
Automation Group, a coalition of about 12 Minimum standards to address cyber
mid-sized, non-competing banks, organized to breaches, including an incident response
share threat information and best practices, and plan, preservation of data to respond
to offer members alternate facilities capable of to such breaches and notice to the New
backup outside their operating areas. York Department of Financial Services of
material events; and
More to Do
Accountability by requiring identification
Beyond these promising steps, cybersecurity in and documentation of material
financial services can be enhanced by: deficiencies, remediation plans and annual
Adopting a shared communications plan certification of regulatory compliance.
to disseminate information and updates Connecticut and other states, including Rhode
among financial institutions in the event Island, Illinois and Kansas, have passed broad
of a cyber incident, possibly through a but flexible statutes requiring entities that deal
common website or defined protocol in personal information to institute reasonable
managed by the FS-ISAC; security programs.
Creating a cyber incident response team However, New Yorks regulations are more far-
in Connecticut that banks and their reaching creating new, cyber-related standards
customers could use. At present, the only in financial services. While the efficacy of these
such service is the FBI, which is normally regulations has yet to be determined, they may
not able to respond to retail, individual well prove to be appropriate in New York, which
compromises; and is the nations (some would argue, the worlds)
Expanding the availability of cybersecurity foremost financial center.
personnel, who are in intense demand; However, Connecticut must pay attention.
positions in Connecticut are going unfilled, The effects of New Yorks regulations reach into
forcing some banks to poach experts from Connecticut and affect our business community.
competing institutions, which favors large Our institutions work with those in New York
players that can offer higher salaries. and face the same cyber threats. If financial
The Regulatory Balancing Act cybersecurity risk rose to the point that it
A question facing all states is whether, and to warranted special regulatory attention from the
what extent, regulatory authorities should insert State of New York, Connecticut needs to consider
themselves into business affairs. A prominent the conditions under which it could make sense
example is New York State, which established to take similar action.
first-in-the-nation regulations that took effect
on March 1, 2017, requiring banks, insurance
 Connecticut Cybersecurity Strategy Page 23

Insurance A common industry theme is a desire for

cooperation with government regarding
Not surprisingly, the insurance industry and
cybersecurity, but with as little publicity as
the State Department of Insurance are active
possiblein other words, data protection with
members of the Cyber Security Committee.
no public attention beyond that required by
For itself and its clients, this industry faces a regulators or other legal requirements.
huge, dual challenge. Given that cyber breaches
The insurance industry has, in fact, identified
are among the most dangerous assaults on a
ways to expedite such collaboration:
companys value and reputation, insurance
companies not only must protect their own Some national organizations provide
data and security, but some forums for information exchange
in the property-casualty regarding threats, defense and best
business are also responding practices. A few Connecticut insurers
to the growing demand have expressed interest in the state
for cybersecurity insurance helping to organize a forum of insurance
coverage. company Chief Information Security
Officers to exchange information about
Protecting Themselves
threat traffic, the evolving nature of
Insurance companies differ penetration attempts and defensive
in their views regarding the best practices. Connecticut should be
value of external security available to initiate such discussions if
vendors. Some use them there is sufficient interest;
to supplement their own
This cybersecurity strategy and the push
security programs. Others
to establish Connecticut as a leader in
are so sensitive to the
this fieldthrough business-to-business
integrity of their data,
collaboration, government-business
they resist outsourcing.
forums, drills and exercisescould
The larger insurance
provide a competitive benefit for insurers
companies in Connecticut
Travelers Insurance, Hartford and all other businesses; and
have designated senior-
level cybersecurity officers; Insurance companies could step up
teams of support staff, on which at least one the use of their macro-level, settled
member has intelligence security clearance; and claims data to perform risk and trend
security programs that include trade association assessments that determine, more
collaboration, such as with the FS-ISAC. precisely, how companies are breached,
the most targeted industries and the
Given their avid attention to data security,
kinds of data sought.
insurers have paid great attention to the
breaches that have beset government agencies Underwriting Others
and companies, such as the Office of Personnel The business of providing cybersecurity
Management, Sony and Target. Such reviews insurance is in the early stages; its a relatively
have resulted in risk assessments and heightened new market. According to a February 2017
security measures. report from Deloitte, of the total $505 billion
Because the insurance industry is regulated, in all insurance premiums in the United States
cybersecurity is an important facet of state in 2015, cyber insurance premiums comprised
oversight. There are several basic assessment less than $3 billion. The report also estimated
mechanisms available, such as the International that only 29 percent of businesses in the United
Organization for Standardizations (ISO) States have cyber insurance.
information security management process, which There are several reasons for coverage being low
tracks security trends over time. for such a widely recognized risk. Defining
the challenges, products and market segments
Page 24

has not fully matured. There is lack of sufficient supplier companieshave the added attraction
cybersecurity data regarding both expected of manufacturing advanced weaponry and
frequency and severity of loss. The field also needs other defense hardware and systems. Nation
more attention to standard definitions of terms and states and non-state actors have long sought
hazards, which can hamper precise underwriting. to steal information, plans, designs and other
And customers report that they are not receiving data related to the ships, aircraft and other
enough risk mitigation guidance. None of which is products manufactured and overseen here in
surprising in a new market. Connecticut, as well as potentially to corrupt
There is ample precedent and experience in other or disable the information systems the defense
areas of property-casualty coverage. The public industries use. Today, such actors use cyber
hears admonitions not to drive while drinking penetration in addition to more traditional
or using smart phones. Medical doctors receive means of extraction.
guidance from underwriters about how to avoid Connecticuts defense companies face ongoing
malpractice suits. The same goes for fire prevention probes and penetration attempts from the full
and accidents in the home. Just as the industry spectrum of attack vectors, including human
has specialized experts in the range of commercial compromise, technical intrusion and supply
sectors, so too can it provide cybersecurity insights. chain weakness. Cybersecurity, for them, is an
The bottom line is that insurers will surely immediate and dangerous threat.
emerge as critical cybersecurity underwriters and Supply chain management is a particular
mentors. What better place to foster such growth concern. Defense companies rely on
than Connecticut? Underwriting cybersecurity thousands of suppliers who have varying
insurance could be a growth area for our state, both degrees of competence in cybersecurity. One
in terms of business and jobs. company noted that there are many small,
sole-source suppliers whose products are
essential but whose cybersecurity protections
Defense are limited. Others point out that, given the
industrys constant acquisitions and spin-
In reviewing exposure to potential cybersecurity
offs, an inadequate level of cybersecurity can
threats in Connecticut, national security officials
complicate or even doom acquisitions.
focused on three areas: critical infrastructure,
financial services/insurance and defense. The
defense industry must be part of the discussion for Forewarned is Forearmed
reasons that go beyond its size and employment
Yet another complication for this industry
level.
is that, due to its ties to national security,
While most businesses are penetrated by invaders guarding secrets is integral to defense
in search of valuable data, Connecticuts defense operations. That means sharing as little
companiessuch as General Dynamics Electric
Boat, United Technologies Pratt and Whitney,
Lockheed Martins Sikorsky and their related and
 Connecticut Cybersecurity Strategy Page 25

information as possible externally, only are well advised, and likely, to move in their
voluntarily sharing information with colleague direction in coming years.
companies and establishing vigorous internal The effort starts with extensive employee
programs to limit communications. Defense training in threat awareness, phishing tactics,
companies also resist cybersecurity legislation use of social media and the need for vigilant
and regulation, preferring to manage security on suspicion and verification. Defense companies
their own and receiving threat intelligence from combine information technology, employee
the federal government. communications and operations to enforce
knowledge and habits, starting at employee
onboarding. Efforts also include elements
common in the military and intelligence
community, including need to know
enforcement (restricting information to personnel
whose jobs specifically demand it), penetration
testing, security exercises and careful vendor
management.
Help Wanted
As in all other sectors, finding cybersecurity
professionals in the defense sector is difficult
because of a scarcity of talent. One corporate
officer confirmed the challenges of dealing with
Photo by By PA2 Sarah Foster-Snell - USCG the serious national shortage of cybersecurity
professionals and noted that the United
Despite this concern about secrecy, external States does a bad job of training cybersecurity
collaboration and access to intelligence are manpower. It is often necessary to recruit talent
critical to defense industry cybersecurity. The from other companies or hire infrastructure or
main vehicle for both is the Defense Industrial network server specialists and train them to be
Base-Information Sharing and Analysis security professionals.
Exchange Organization (DIB-ISAO), created
Next steps for all Connecticut businesses will
pursuant to the 2015 Presidents Executive
prioritize:
Order 13961. It has about 70 members,
including Connecticuts defense industry. 1. Supporting the newly-created, critical
Working with the FBI and Departments of infrastructure annual assessment program
Defense and Homeland Security, it encourages involving electricity, natural gas and water
voluntary partnerships with government utilities managed by the Public Utilities
organizations so members can alert each other Regulatory Authority;
to threats, share mitigation and protection 2. Promoting collegial discussions among
strategies, exchange actionable intelligence, financial services and insurance companies,
consolidate analysis and develop tools to address using non-attribution procedures (Chatham
emerging threats. House rules) to share information regarding
threats, defenses and best practices;
Defensive Role Model 3. Assessing the benefits of participation in
the Financial Services Information Sharing
Connecticuts defense companies recognize
and Analysis Center (FS-ISAC);
the value of state focus on cybersecurity and
express willingness to help. A brief look at how 4. Sustaining communications with
those with a vital stake in cybersecurity protect Connecticuts defense companies to be
themselves is instructive. Other U.S. companies aware of any assistance the state can provide
Page 26

and to request assistance from the defense analyses, including heat maps to identify and
industry as needed; and prioritize cyber risks. Larger institutions retain
5. Working with Connecticut business outside vendors to detect and deflect penetration
representatives to find solutions to the attempts.
personnel shortage in cybersecurity,
Significant Exposure
including, as explained below, increasing
continuing education/certificate programs Despite these efforts, operations are incompletely
to renew and upgrade the skills of current protected. Higher Education in Connecticut has
cybersecurity professionals. a tough row to hoe, given its extensive financial
and medical data on employees and students, need
to protect proprietary research, large number of
HIGHER EDUCATION personnel who use common systems, constant
Education is key to creating an effective turnover of students and faculty and limited
cybersecurity culture in the state, and the effort cybersecurity cultures.
must start in kindergarten. Limiting the scope of Academic culture, like the Internet itself, is
this strategy to higher education is not meant to designed for discovery and sharing. Thus, colleges
diminish the full range of educational activities and universities, particularly when it comes
the cyber challenge demands. to students and faculty, may lack the level of
This strategy has repeatedly noted the need for cybersecurity urgency and awareness that one finds
cybersecurity experts throughout the public and in the business community, especially in finance,
private sectors. Higher education in Connecticut defense and critical infrastructure. For this reason,
has the potential to support state efforts to Connecticuts cybersecurity strategy underscores
strengthen cyber defense and to assist response the inherent vulnerability in higher education.
and recovery. Penetrations continue, despite efforts to train
Higher education takes cybersecurity seriously. rotating cadres of students and faculty regarding
Private and state institutions have security the damages of cyber compromise. Universities
programs and pay attention to staff training, report that personnel are subject to the same
monthly security updates and designation of tricks that endanger the non-academic world,
personnel responsible for checking inventories and too often respond to phishing attacks with
of confidential data and reviewing access to compromising behavior. There are warnings
sensitive personal data. They also conduct risk and notices regarding cybersecurity at state
assessments of common controls and perform institutions, but security programs continue to fall
short.
Nationally, the Privacy Rights Clearinghouse
estimates that, during 2016, all educational
institutions had 64,989 data breaches, of
which 19 were made public.
Colleges and universities also cite the reality
of budget pressures and the need for skilled
personnel and vendors.

Southern Connecticut State University photo by Anthony Calabrese

 Connecticut Cybersecurity Strategy Page 27

Tightening Internal Discipline federal cybersecurity jobs unfilled. One

subcommittee chairman raised the idea of
Connecticut colleges and universities need creating a Cyber National Guard that could
regular exercises, agreed measurement standards, pull workers from private business for short
penetration testing and evaluation of new periods of time when their services were required
protection systems to boost their security efforts. at the federal level.
As in other public and private sectors, higher Non-academic entities look to colleges and
education would benefit greatly from cybersecurity universities for personnel and knowledge to
collaboration. Academic institutions can help help them build cyber defenses. Information
each other with both systems protection and technology professionals are always seeking to
recovery plans. There are ample grounds for hone their skills and learn new ones through
academia to expand its relationships with business, courses and seminars. Business leaders report
government and civic organizations. For example, that the availability of continuing education and
the University of Connecticut has announced efforts to bring cybersecurity professionals up to
partnerships with two corporations to pursue work speed on current challenges are inadequate.
in detection, prevention and analysis of cyber
compromise. In their educational offerings, private
universities, the University of Connecticut and
Knowledge Transfer Opportunity the Connecticut State Colleges and Universities
are starting to pay attention, especially to the
Strategically, it is in Connecticuts interest to theory and science of information technology.
capitalize on its relatively large number of higher But there is no comprehensive effort to meet the
education institutions to build its contributions growing demand for cybersecurity professionals.
to cybersecurity. As already discussed, there is
At the University of Connecticut, about 150
a wide gap between the pool of qualified cyber
freshmen enroll as majors in computer science;
professionals and open jobs.
the degree offers a cybersecurity concentration.
In the United States, CyberSeek, part of the
Four Connecticut Community Colleges offer
National Initiative for Cybersecurity Education
degrees or certificates in cybersecurity studies:
(NICE), a program of the National Institute
Capital, Gateway, Naugatuck Valley and
of Standards and Technology and the U.S.
Norwalk. Manchester Community College
Department of Commerce, keeps a running
offers training in information system security.
estimate of cybersecurity jobs filled and unfilled.
Charter Oak State College offers a Bachelor
In March 2017, it reported 778,402 employed in
degree and has a certificate program. Three
cybersecurity in the United States, job openings
Connecticut State Universities (Central,
for 348,975 and 4,153 unfilled positions in
Southern and Western) offer Bachelor or Master
Connecticut.
of Science degrees in computer science with
The National Governors Association reported cybersecurity concentration. Adding all of
in 2017 that every state faces a cybersecurity these programs together, 13 students completed
workforce shortage. Some are trying innovative cybersecurity studies during 2015-2016 and 149
ideas to compete with higher-paying private were enrolled in autumn 2016.
sector jobs. Virginia offers two years of tuition
There are cybersecurity programs at private
for two years of state service, as an incentive to
colleges and universities in Connecticut. Yet,
attract technical professionals to state service. In
combining currently enrolled students at
late 2015, Virginia estimated its cyber-related
UCONN and Connecticuts Community
employment gap at 17,000; in February 2017 that
Colleges and State Universities plus Charter Oak
number had ballooned to 36,000.
State College, the total of enrolled students is
The federal government also faces the problem about 300, less than one percent of the estimated
of not being able to hire enough cybersecurity 4,153 unfilled cybersecurity jobs in the state.
professionals. One Congressional committee Addressing this discrepancy needs to be a
estimated that, in 2015, there were 209,000 priority of our cybersecurity action plan.
Page 28

Easier Said Than Done Emergency Action

The nature and pace of the cyber world pose There is one other areaspecifically related
difficulties for curriculum development. It takes to response and recoveryin which higher
up to a year or more for course material to be education institutions can play a special role.
considered, organized, vetted and assembled into Should there be a major cyber incident disabling
presentation form. With an associates degree critical infrastructure in Connecticut or a
taking two years and a bachelors degree four, neighbor state, Connecticut needs to be ready to
cyber-related material introduced in the first year manage dislocation and out- and in-migration of
of instruction may be out of date by graduation. populations. Colleges and universities manage
Still, cybersecurity can have a greater presence large populations, with resources that cover
in higher education as a concentration in other workspace, housing, food, medical care and other
fields and as certificate programs for non- essentials. At present, Connecticut has no plans
matriculated students. Certificate materials to manage large numbers of migrants or dislocated
are not developed more quickly than normal residents. That challenge needs to be examined.
curricula but can be more tightly focused. Either Our higher education institutions can and must
type of program would prepare graduates to be contribute to this important aspect of strategic
more immediately productive than graduates contingency planning.
with general technical or professional degrees. Next steps for higher education in Connecticut
will prioritize:
Training the Trainers
1. Supporting collegial discussions among
Higher education also faces a scarcity of Connecticuts higher education institutions,
educators in cybersecurity and questions using non-attribution procedures (Chatham
regarding how to develop new ones. There House rules) to share information regarding
are, at this writing, three nationwide searches threats, defenses and best practices;
underway for computer science faculty at the 2. Addressing the cybersecurity personal
University of Connecticut. As other institutions training gap in Connecticut.
create cybersecurity programs, the challenge will
grow more acute.
Developing teachers of cybersecurity is difficult
because:
People with technical skills, who can prevent
and diagnose cyber threats, prescribe
response and recovery steps and exercise the
seven principles discussed earlier, are scarce;
Instruction needs to cover both pedagogy
and the demands of the latest technology;
and
Credentialed cybersecurity professionals
tend to find careers in business more
attractive and lucrative than careers in
academia.
On this last issue, some academic leaders have
proposed attracting professionals nearing or in
retirement to join the academic world to train
the next generation. Retired military personnel
are also a good resource for such training.
 Connecticut Cybersecurity Strategy Page 29

LAW ENFORCEMENT AND should convene a study group to consider

possible codification of cyber crimes.
SECURITY
CSP also needs to provide incoming recruits
Connecticut State Police with a basic understanding of detection of cyber
The Connecticut State Police (CSP) within the crimes and reporting requirements. A dedicated
Department of Emergency Services and Public cyber crimes investigation unit, whose services
Protection (DESPP) has critical roles to play in would be available to assist municipal police,
helping the state respond to and recover from would considerably strengthen Connecticuts
cyber intrusion. efforts. There should be a central cyber incident
response team with the tools to investigate,
CSP leadership is aware of the growing array of
collect evidence, share intelligence and assess
cybersecurity threats facing Connecticut and
whether further police action is required. The
of the requirements to address them. It also
action plan should consider the appropriate size,
recognizes that the time and attention of its force,
structure, composition and management of such
totaling approximately 1030 troopers, must
a unit.
constantly address changing threat scenarios.
While CSP has a unit focused on Internet issues Federal resources lack jurisdiction and personnel
related to child exploitation, it does not have a to address many state and local cyber crime
dedicated cybersecurity crimes unit addressing challenges, and they face monetary thresholds
network intrusions.
The CSP has adapted with speed and skill to
developments in areas such as organized crime,
terrorism and drugs. Cybersecurity is one of
the most critical new challenges it faces. A
citizen reporting threatening individuals at a
home or business, demanding money or private
information, would trigger a police response.
There are no comparable, assigned responsibilities
for cyber threats.
Most cyber crimes do not have specific statutory
definitions and are often grouped with charges
that require a less complex response. An example
is data hostage taking (ransomware). We need
to consider policies and capacity to manage
situations in which data is held hostage and
ransoms are demanded from vital entities, such as
hospitals. The action plan to follow this strategy
Page 30

before investigating others. But developing cyber intelligence from Connecticut, federal
cybersecurity skills in a dedicated CSP unit, sources and other states.
similar to the Major Crimes Units, could leverage CTIC is an all-crimes fusion center focusing
their effectiveness statewide. on intelligence related to such activities
An alternative approach would be for the CSP to as organized crime, gang violence, human
lead the establishment of a task force, including trafficking, drug trafficking and terrorism. In
municipal police chiefs and other participants, as several states, including Connecticut, fusion
has been done for organized crime, terrorism and centers have seen a dramatic increase in the
drugs. Such task forces have been used effectively volume of information about threats and actors
by the Connecticut Intelligence Center (CTIC). in the cyber domain.
In the event of a cyber attack on critical Today, when CTIC learns of a cyber crime or
infrastructure, the CSP, and with local police, threat, it may refer that information to a federal
other first responders and the Division of agency, the CSP or a municipal police cyber
Emergency Management and Homeland Security crime unit. CTIC staff work with federal, state
within DESPP, would be heavily involved in and local partners to maximize quite limited
response and recovery. Its duties would cover resources in order to perform intelligence and
maintaining law and order, responding to investigative duties related to cyber issues.
emergencies, protecting critical facilities and There are three challenges to enhancing the
helping to manage out- and in-migration of operational strength of the CTIC:
people and vehicles.
Staffing. Despite its reputation for helpful,
While the CSP has plans for virtually all professional work, the cyber function at
contingencies, a cyber attack could present the CTIC is sparsely staffed, relying on the
new short- and long-term challenges, including services of several analysts, one of whom is
acute public insecurity, prolonged absence of a professional with cybersecurity expertise
critical infrastructure and CSP personnel facing and other duties. That analyst holds federal
competing responsibilities for public duty and security clearance and works with others in
care of their own families. While none of these the CTIC and the CSP with federal security
problems is new, cyber disruption could present clearances, enabling the center to draw sensitive
management issues quite different from those of intelligence from national sources. The action
other emergencies. Examining and gaming the plan to follow this strategy should consider the
possible new scenarios would be instructive and appropriate staffing requirement for current
prudent. and projected volumes of work to receive,
analyze and distribute cybersecurity intelligence
to the CSP, municipal police or their federal
Intelligence
partners (FBI, Secret Service, Department of
At all levels of law enforcement, a dimension Homeland Security).
of the cyber crime challenge is to establish
Investigative Capacity. At present, intelligence
intelligence capacities. Procedures for businesses,
findings are offered to federal, state and local
citizens and civic organizations to report cyber
authorities, yet often nothing happens because
intrusions, and for protecting the confidentiality
those who look into cybersecurity problems are
of such information, need to be part of our
not organized into a coordinated system with
defense efforts.
effective, consistent communication. A cyber
Connecticut has a state fusion center, known as incidence response team capable of taking
the Connecticut Intelligence Center (CTIC), intelligence and using it for appropriate police
which is part of the Department of Emergency action would fill a major void.
Services and Public Protection. The fusion center
Confidential Reporting. There is an
is the only state facility collecting and analyzing
understandable fear of embarrassment,
reprisals and reputation damage if government
 Connecticut Cybersecurity Strategy Page 31

entities, businesses and citizens report cyber Service, which share information with the law
crime, and it becomes public knowledge. enforcement community.
There are currently no standard instructions Municipal police forces may offer advice about
or suggestions for how individuals or cybercrime prevention, but they are not equipped
organizations should deal with cyber to prevent intrusions. Some aspects of cybercrime,
intrusions. A properly staffed intelligence such as ATM skimming and organized credit card
operation could receive and manage cyber theft, are treated as fraud cases.
threat information and warn others in similar
situations to be aware of the threat, without Municipal police cite three familiar obstacles
divulging who had been compromised. hindering their efforts to fight cyber crime and
Connecticut would also benefit from having assist citizens:
an anonymous reporting system managed Inadequate Authentication. Citizens too often
through a web portal, which could be tied to use standard, easy-to-guess passwords, or they write
federal reporting as well. down passwords and leave them unsecured. They
An innovative New Jersey program, the New also do not know how to recognize and defend
Jersey Cybersecurity and Communications against social engineering or information gathering
Integration Cell (NJCCIC), is worth exploring via subterfuge.
as a useful model. It is a one-stop shop for Inadequate Resources. Police lack the skills,
cybersecurity information sharing, threat money and infrastructure to participate in resisting
analysis and incident reporting intended cyber crime, including data communication
to promote shared, real-time awareness systems and software tools. Some police frankly
of cyber threat challenges for New Jersey admit that they are outgunned in fighting cyber
residents, local governments, businesses and crimes. When faced with ransom demands against
critical infrastructure. It offers small and their own operations, some have understandably
medium-sized businesses an open door to negotiated settlements, rather than lose the ability
bring cybersecurity problems to state law to protect their citizens.
enforcement authorities. Reports are that Inadequate Procedures. Unfortunately, many
the program is well received by the business citizens do not call the authorities to report cyber
community, and enables law enforcement to crimes. When they do, local police forces often
be aware of problems as they develop. lack the type of guidelines and standard operating
processes they have when dealing with other
Municipal Police crimes. A publication or other guidance to all
law enforcement regarding how to handle cyber
Consistent with Connecticuts home rule problems would help to clarify procedures. It
form of municipal government, each city and might also help to have a central website to report
town manages its own police function, with cyber crimes and threats.
either municipal police or, in smaller towns,
the State Police through the local barracks or Regarding their own response to and recovery from
Resident Trooper program. These forces are intrusions, municipal police are more focused on
the front line in most citizen and business law physical security and maintaining order than on
enforcement interactions. the consequences of prolonged
outages. Some smaller towns
Cities and towns with their own police without IT staff have no plans
belong to the Connecticut Police Chief s for defense or recovery.
Association (CPCA), but the CPCA has no
cybersecurity strategy. Each police force Each town also has its own
addresses cybersecurity on its own, and emergency management
normally contributes relevant information to capacity, distinct from the
the Connecticut Intelligence Center and other police department, and the
federal centers, such as the FBI and Secret strength of that capacity varies
by town. It is common to find
Page 32

emergency shelters and police, fire and emergency intrusions. But in the event of a catastrophic
medical stations relying on redundant power disruption, it would be one of the most valuable
sources, especially natural gas. There are normally players in the states response and recovery.
no rules or regulations regarding emergency If a critical infrastructure outage, for example,
operations of private enterprises. were to last beyond 10 days, with breakdowns
To strengthen police capabilities to be partners in associated with water, sewage, food, medicine,
cyber defense, strategic attention should focus on: heat, shelter and/or law and order, the Governor
Skills and training to respond to cyber crime could turn to the National Guard for a number
and to help citizens defend themselves against of vital tasks. One of them is logistics, under
intrusions; the State Response Framework (SRF). The
SRF includes a resource support/commodities
Codification of certain crimes into state law distribution annex that outlines the states plan to
and strengthened ability to track and manage obtain and distribute commodities coordinated
cyber crime; with state agencies and the National Guard.
Infrastructure in the form of software and Whenever an emergency exceeds the resources of
data communications; municipalities, the states Division of Emergency
Capacity to determine attribution and bring Management and Homeland Security manages
charges, or to refer intrusions to those who requests for assistance, which can include the
can; capable forces of the National Guard.
Best practices, through CPCA or another It has personnel dedicated to public service and
organization; and prepared to go into harms way. It has equipment
Drills to rehearse responses to prolonged able to respond, as well as the command
utility outages. structure and organizational discipline to sustain
integrity, during crisis situations. It has access to
intelligence, communications, public relations,
Connecticut National Guard transportation and reinforcements from other
Internally, like all organizations, the Connecticut
National Guards (CNG) primary focus in the
cyber domain is to protect its network and employ
countermeasures if an attack or disruption
occurs.
While in-state cyber capability is relatively
small, utilization of the Emergency
Management Assistance Compact gives the
Guard access to cyber warrior capabilities
from across the nation. It coordinates with
the National Guard Bureau, Department of
the Army, Department of the Air Force and
United States Cyber Command.
The Guard also frequently participates in
multi-service, multi-agency, regional and
national cyber exercises; Cyber Yankee and
Cyber Shield are two such recurring drills.
National Guard as Mutual Aid Partner
Externally, the Guard does not play a direct
role in the detection and prevention of cyber
 Connecticut Cybersecurity Strategy Page 33

states and the federal government. It has lists and Wing of the Air National Guard, saw a need for
plans of Connecticuts vital facilitieseverything the federal and state governments to plan for
from hospitals and health care facilities to airports, recovery from a cyber attack, rather than focus
trains and train stations, highways and bridges, on prevention. Colonel Welsh emphasized
ports and ferries and power generation facilities. that, while a cyber attack starts in the virtual
And like municipal and state agencies, the Guard world, it is likely to have physical impacts
has all hazard responsibilities covering the on pipelines, electric grids and other parts of
sobering range of natural disasters, terrorism, critical infrastructure. His unit is working with
chemical spills, radiological and nuclear attacks Washington State on how to respond to such
and pandemics. attacks.
All-Important Integration Next steps for law enforcement and security in
Connecticut will prioritize:
It would be productive for the National Guard to
1. Strengthening Connecticuts cybersecurity
hold exercises with state authorities on postulated
intelligence gathering and analysis
cyber attacks, including prolonged power outages.
capacity and sharing this work with the
The task facing the state is to articulate the
Connecticut State Police and municipal
demands the Guard could face, then to game
police;
out potential scenarios. Connecticuts strategy
must include planning the National Guard role 2. Creating a cyber incident response team
in the states management of prolonged critical with the ability to investigate, collect
infrastructure outage. evidence and assess the need for police
action, and to make its services available to
The challenges of having National Guard units
municipal police; and
respond to a cyber attack are receiving national
attention, because Congressional committees have 3. Working with the Connecticut National
expressed concern that neither federal agencies Guard, state and local police, emergency
nor state emergency management agencies are management and other first responders
adequately prepared to manage crises they have to rehearse scenarios of a cyber attack on
not experienced, and because the role is relatively Connecticut to enable the Guard to plan
new to Guard units. for all dimensions of such a crisis.
In his April 2017 testimony to the U.S. Senate
Energy and Natural Resources Committee,
Colonel Gent Welsh, commander of Washington
State National Guards cyber unit, the 194th
Page 34

Conclusion
Cyber threats are a fact of life. Cybersecurity must be a universal priority for every public and private
entity in the state. If Connecticut accepts cybersecurity as a mandatory, daily responsibility, it will realize
measurable economic and quality-of-life gains.
The strategys seven foundational principlesexecutive awareness and leadership, literacy, preparation,
response, recovery, communication, verificationform a logical, progressive pathway to this vision of a
cyber-secure, cyber-savvy state. They are adaptable to any individual or organization.
The next step is to engage each of the highlighted sectors in active dialogue, in order to follow this big-
picture strategic plan with more operational action plans. Those plans will clarify the steps we need to
take and the resources we will require to: protect our networks and critical infrastructure; implement
information-sharing mechanisms that also respect privacy and secrecy; address the cybersecurity talent
gap for our state and nation; support the efforts of our legal and law enforcement communities; and
activate our citizenry to be life-long learners, when it comes to protecting themselves against cyber crime.
A basic question is whether Connecticut will press forward, continually creating and updating its
protection and recovery measures, or wait until after a truly debilitating cyber event. In other words,
do we have the will and vision, not only to regard cyber threats as a fact of life, but also to realize that
committing energy and resources to cybersecurity must become a fact of life?
Given the severity and breadth of the cyber threats we face, Connecticut must proceed with its strategy
and action plans, not because work to date has been inadequate, far from it. Our states efforts have been
important and impressive. Rather, we must act because cyber crime is a relentless foe, evolving virtually
every day. We cannot run from this problem, wish it away or hope that someone else will solve it for us.
By facing our responsibility head-on, Connecticut can enrich its quality of life and economic
competitiveness, and help lead the way for other states in our national cyber defense effort. True to our
motto, Connecticut must adapt to sustain.
 Connecticut Cybersecurity Strategy Page 35

Appendix
A CYBER DEFENSE PRIMER
Small businesses express the need for information about how best to defend against cyber attack and
what to do to recover. A primer with basic information and solutions might help them, and any
organizations becoming aware of cyber threats, to learn from the experiences of others.
A business association might find it valuable to write such a primer for its members. State
participation would also be helpful.
Here is a sample of the issues the primer might address:
What basic perimeter defenses are necessary?
Why should defense begin with a general risk assessment, and how is one conducted?
What assets should a business protect?
How does cybersecurity extend beyond the IT function?
What is the role of corporate culture in cyber defense?
Why is phishing the most basic threat to cyber integrity?
What are entry threat vectors?
Why are supply chains a potential vulnerability?
Is cyber insurance necessary?
What do we do if our business is hacked or we receive a ransom notice?
How do we communicate with employees, customers, shareholders and the public after a
compromise?
What role do the police play in cyber crime?
What legal protection does our business need, and are we obligated to disclose, based on state
breach laws?
How do we find the right vendor to provide defense?

THE CATASTROPHIC ATTACK

No cyber incident is out of the realm of possibility. For that reason, this section addresses the type
of incidenta major attack on critical infrastructurewe have, fortunately, not yet experienced,
and one that we dismiss at our peril.
Also of concern would be an attack timed to amplify the effects of a natural disaster, that is, a
hurricane, tornado or extreme cold or heat spell.
Right from the start, a cyber attack alone or in conjunction with another emergency would be
a challenge far different than anything the state has seen. Unlike a natural disaster, which has a
defined end, a cyber attack could involve not knowing the extent of damage, when the attack is
actually over and whether it might return.
Critical Infrastructure: The Achilles Heel
Government and private experts have called our electric grid the glass jaw of American industry.
In addition, national security officials note Connecticuts vulnerability to severance of natural
gas transmission pipelines from the Pennsylvania/New Jersey area to Eastern New York and New
England.
Page 36

There are many ways to attack the grid and other utilities, from employee compromise through
phishing and social engineering to take-over of operational controls, supply chain compromise and
unsynchronized generators that cause kickback or an aurora effect that knocks out generation.
Cascading Consequences
Direct consequences could be a shutdown of roughly half of the electricity generation in New
England and cessation of the ability to refine and transport gasoline, diesel and propane fuel.
Indirect consequences could be depletion of reserves and liquefied natural gas and, over a few days, a
shutdown of electric service, followed by depletion of gasoline, diesel and propane reserves.
Such an event would likely require authoritative communications to the public and potential
declaration of emergency by the Governor, which could include an invocation of his or her powers to
suspend statutes and take emergency actions to ensure public order, safety and health.
Transportation in and out of the region would become difficult; generators would cease to function;
and ports would close. Remaining assets, including Connecticuts Millstone nuclear plant, producing
2,100 megawatts of electricity, and other generation facilities, such as fuel cells and renewable energy
systems, would be pressed to provide electricity, but their combined capacity falls just short of 50
percent of the electricity generated in New England.
Other emergency management triggers, after about eight days of no electricity, could be lack of
capacity to purify and deliver potable water and process sewage, resulting in forced dumping into
waterways.
The result, from those who have examined such scenarios, would be attempted out-migration of
possibly hundreds of thousands of people to reach safe areas with functioning utilities. Conversely,
should an attack affect areas to the east, north or west of Connecticut, our state could be on the
receiving end of these migrations.
There are other scenarios worth noting that would require response and recovery efforts beyond
what Connecticut, indeed the United States, has previously managed. One study conducted by the
Chinese military, subsequently declassified, concluded that a military engagement with the United
States would be difficult for China to win. However, the study found, should parts of the United
States be crippled by a critical infrastructure cyber attack, and should the U.S. military be forced to
dedicate resources to response and recovery, China could prevail.
The point is, there are potential attackers, vulnerable places they could attack and many ways to
amplify the effects of a cyber attack by combining it with other emergencies.
 Connecticut Cybersecurity Strategy Page 37

Prepare, Prepare, Prepare

We can never adopt the attitude that it cannot happen here. Connecticut needs strategic plans to
confront situations it has not experienced.
The following is a partial list of challenges we must address:
Communications. Given the unknown consequences of a cyber attack, the Governor and state and
local leaders must anticipate scenarios and prepare communications ahead of time, with scripts pre-
written that can be tailored to fit circumstances.
The Governor and Connecticuts emergency management team must ensure their ability to
communicate securely, under stressed conditions, with: emergency management services; appropriate
federal, regional and state authorities; local and private sector partners and national leadership,
including the President.
Planning and preparation need to involve the media and use of social media. In times of crisis,
people turn to trusted sources. Reporters and editors need to know, through planning and rehearsal,
how authoritative news will be conveyed, and understand the vital role they would play in reporting
the truth and correcting rumors.
It is possible that a cyber attack could include disinformation from a state or non-state actor. All the
more important that official information be prepared and delivered credibly, directly by the state and
through the media.
Emergency Management. In the event of a cyber attack, emergency management professionals
and first responders would need to manage new levels of anxiety and panic. Municipal police, State
Police, National Guard, the Federal Emergency Management Agency and other state and federal
players need to plan for fear-driven behavior that could exacerbate the difficulties of emergency
management. Public messaging would be a critical component of maintaining order. Partners such
as United Way 2-1-1 would be especially important. Lack of food, medicine, fuel, electricity, potable
water and the ability to communicate requires alternate planning to direct people to those services.
In addition, it may be necessary to maintain public order and prevent harmful, desperate acts.
The December 2016 Liberty Eclipse Energy-Cyber Incident Exercise, sponsored by the United
States Department of Energy, postulated a cyber incident affecting the energy infrastructure of the
Northeast and Mid-Atlantic regions. Two of its key findings deserve special attention.
One is that, The public will face a great deal of uncertainty following a significant cyber incident
that causes physical damage (such as a long-term power outage or petroleum disruption), creating
a considerable challenge for public information and expectation management, particularly around
restoration times. Social media would be an important mechanism to reduce misinformation,
provide response and recovery information and communicate measures to ensure safety.
The second is that, While the consequent management activities for the physical impacts caused by
a cyber incident are largely the same as they would be for any other hazard.the unique conditions
of a cyber incident pose additional challenges that necessitate new capabilities
and the use of new authorities.
Emergency Powers. Cyber aggression could present a dimension not present in
storm management: the possibility of electricity outage beyond 10 days and the
consequences described above. Storms have a natural end; cyber attacks do not.
There are extensive protocols for assigning emergency command and control
authority, tapping emergency supplies, alleviating shortages from reserves and
coordinating information and resources. But once the resources are depleted,
the Governors extraordinary powers may be the only option for relief and might
come into play.
Page 38

Early morning view of the Connecticut River photo by Kevin Nodwell

Section 28-9 of Connecticut General Statutes gives the Governor the authority to declare a state
of emergency, which in turn gives the Governor extensive powers regarding vehicles and routes for
evacuation for all or part of a stricken population, and states in part (b)(7):
The Governor may take such other steps as are reasonably necessary in the light of the emergency to
protect the health, safety and welfare of the people of the state, to prevent or minimize loss of destruction
of property and to minimize the effects of hostile action.
Section 28-11 conveys the power to take possession of land, buildings, vehicles, fuel and provisions to
protect the welfare of the state or its inhabitants.
Game plans. Clearly, Connecticut has civilian, police and military players and adequate special
authority vested in its Governor to take extreme measures in case of prolonged damage to its critical
infrastructure. Connecticut also has a detailed State Response Framework and State Disaster
Framework that provides structure to response and recovery. However, it lacks a game plan for the
various, possible needs discussed above involving prolonged outage of electricity, natural gas and the
lack of potable water.
Connecticut must have an action plan to identify potential sources of emergency supplies and their
allocation to allay the most vital public needs and assign roles to emergency responders. And various
scenarios need to be rehearsed with all players, including private sector representatives and the media.