2017-03-11

BURLINGTON — Sen. Patrick Leahy, D-Vt., says the internet is an ecosystem like Lake Champlain that requires collaboration from the public and private sectors to stay healthy and safe.

Leahy offered the analogy during opening remarks at a conference Friday intended to help Vermont businesses and nonprofits respond to digital threats. The event was hosted by Champlain College and the U.S. Department of Justice.

Gov. Phil Scott praised cyber security programs at Champlain and Norwich University for training the next generation of experts in a growing field. He called on other institutions to follow suit.

“The fact is businesses of all sizes are vulnerable to cyber attacks, as well as state government,” Scott said.

In the past two months, the state’s network faced 65,000 malware phishing attacks — attempts to fool people into clicking a link or opening an attachment that carries malicious software; 90,000 remote scans — reconnaissance probes that identify potential targets for a later attack; and 575,000 other digital bombardments — all of which the state successfully repelled.

“Our goal is to develop a culture of awareness where everyone thinks about what we’re doing and has a better understanding of what impact their actions may have on the security of our entire network,” Scott said.

Duane Dunston, a cybersecurity professor at Champlain College, said awareness must pervade all business processes.

Some highly sophisticated attacks from foreign government hackers may be impossible for businesses to stop, but as many as 90 percent of attacks can be prevented through basic security measures, Dunston said.

Many less sophisticated cyber attacks rely on “social engineering,” in which people are tricked into handing over passwords or clicking on dubious links.

Vermont businesses are unlikely to be able to protect themselves from government-sponsored hacks, said Sean Newell, deputy chief in the DOJ’s National Security Division. That’s why, as a prosecutor, he’s focused on litigation to “raise the cost” on foreign governments for such attacks.

For years, the Chinese government has hacked American businesses, turning trade secrets over to state-run industry, undermining the ability of U.S. companies to compete in a global market, he said.

Newell’s team indicted officers from the People’s Liberation Army for hacking incidents. That action put pressure on the Chinese government to work with the U.S. on intellectual property protections, he said.

The FBI and the Department of Justice aren’t looking to penalize companies that fall victim to attacks, Newell said. Other federal regulators can impose penalties, but they go after only the most egregious flouters of required security protocols.

Given the scope and complexity of the threats, Heather Roszkowski, the chief information security officer for the University of Vermont Health Network, said organizations need to be prepared to weather a successful attack.

That’s because the odds are in the hacker’s favor. “As a defender you have to be right 100 percent of the time. As an attacker you can be right 1 percent of the time,” Newell said.

He urged companies to “protect the crown jewels” — information of the highest value — and to take greater steps to secure it than they would for non-essential information.

Testing security controls and emergency response plans on an ongoing basis is critical, speakers emphasized.

“A plan is no good if it’s only on paper,” Roszkowski said. Testing can expose shortcomings and prepare workers to respond in a real crisis.

It’s important for plans to include procedures to recover information that can be lost in an attack, such as a ransomware attack, in which a phishing message delivers software that encrypts an organization’s data and the attacker then demands payment to restore access. Recovery in that case depends on backups that are kept separate from the network, so the same attack cannot encrypt them, and that have been tested to confirm they can actually be restored.

Speakers also said an organization’s emergency plan must include a communication strategy to ensure the breach is reported not only to the proper government authorities but also to the board of directors, general counsel, customers and, in some cases, the media.

Kate Dodge, who runs Putney Mountain Winery with her husband, said it was impractical to have an information security officer for her company. She attended the event to see what resources were available.

Speakers suggested hiring a consultant, or turning to the cyber security programs at the local colleges and universities. Skilled students are often eager for security experience.

Small businesses can also improve security by thinking critically about vendors and whether they offer security tools and training.

Businesses should report problems to the Vermont Attorney General’s office immediately, said Ryan Krieger, an assistant attorney general in the public protection division.

The law requires that businesses report a breach to the Attorney General’s office within 14 days of discovering it. They must then take steps to notify affected consumers within 45 days.

In guidance posted on the Attorney General’s website, a breach is defined as unauthorized access — or a reasonable belief that unauthorized access has occurred — to data collected by a business that compromises consumers’ personal information.

“The statute has some complexity to it, but once they contact us in that 14-day time, we can talk them through what they need to do to comply with the 45 days,” Krieger said.