Michigan's battalion of digital defenders raises bar for states' cybersecurity
Other states are now looking to replicate the Michigan Civilian Cyber Corps, something of a volunteer fire department and National Guard that bands together experts to fight cyberattacks.
ANN ARBOR, MICH. — Kevin Hayes had to act fast. A town was under attack, and it was his team’s job to defend it.
It was the first time he was called upon as a new member of the Michigan Civilian Cyber Corps.
Already, criminal hackers had tampered with traffic signals, causing accidents. They were going after bank networks and sensitive personal data from municipal computer files.
“It happened pretty fast. As we all sat down looking at computers, we said, ‘How are we going to contain this?’ We knew there were bad guys in the system,” said Mr. Hayes.
Locating the source of the breach and reinforcing firewalls were the first priorities. Still, the danger was ever-present and leading toward a crippling cyberattack that would shut down large parts of the city’s infrastructure. Fortunately, this town had a reset button.
Alphaville is a virtual reality training ground. It's also the site of a competition used by the state’s Cyber Civilian Corps (or MiC3), a pioneering new entity conceived to fight back in the event of a major cyberattack. Hayes is one of its elite fighters. His day job is as an information security officer at Wayne State University in Detroit. And when he's called on, like a volunteer firefighter or National Guard soldier, he will join a group of highly trained digital first-responders.
It’s a nationwide first, created in October 2013 by the Michigan governor’s office to be a rapid response force for computer viruses and hacks affecting state entities and industries across Michigan. After all, the governor’s office reasoned, state and local governments build plans to counter emergencies including floods, tornadoes, hurricanes, and wildfires, so why not a digital emergency of “state significance?”
Though the governor has not yet mobilized the team to respond to any incidents, MiC3 is beginning to make a name for itself outside Michigan. Other states are expressing interest in Michigan's model, says Joe Adams, former coach for the cadet cyber corps at the Military Academy at West Point, who assembled the group of highly skilled ethical hackers.
In Wisconsin, for example, Dr. Adams was recently teaching a seminar with state officials there when a massive distributed denial of service attack (DDoS) was launched against the state capitol offices to overwhelm its websites with traffic. It was a catalyzing moment for state officials, who saw “every police car taken off the net,” Adams says.
The attack was happening just as Adams was telling officials that a DDoS attack “is like taking a sledgehammer” to a system, he says.
It was a “wake up call,” Adams adds, that helped spur officials in Wisconsin to begin looking into creating their own civilian cyber corps.
Adams has been the driving force behind Michigan's civilian cyber corps, leveraging his experience working as the chief information officer at National Defense University in Washington. He's currently the vice president for research and cybersecurity at Merit Networks, a Michigan nonprofit known best for setting up computer networks between the state's public universities.
He set out to recruit team members with a wide mix of backgrounds, with experience at energy companies, the financial services sector, pharmaceuticals, and universities. There are currently four teams in the corps, with five members each, including two computer forensics specialists, two incident responders, and a team lead.
To qualify, Adams designed a highly tricky examination for candidates – the test has an 85 percent fail rate. Potential team members get just 30 seconds to answer a rapid-fire series of questions. There have been plenty of complaints, including from the governor’s office, that perhaps the test is just too tough, and that it keeps the civilian cyber corps from more quickly building up its ranks.
Adams disagrees. “We’re not going to pay them, so you want it to feel elite,” he says. “You have 20 people who have met a very demanding standard, and if you lower it, you’ve cheapened what they’ve done.”
Regular training is a key part of ensuring the team is ready when it's called on to defend the state, says Adams. That's why exercises such as the recent one outside Ann Arbor, where MiC3 gathered in a Marriott resort to defend the virtual town Alphaville, are so critical.
“Teams who have played together in an actual challenge will almost always beat every other team,” says Tonia Cronin, program manager for the Michigan Cyber Civilian Corps at Merit, which also operates the Michigan Cyber Range, a virtual cybersecurity classroom.
If MiC3 members aren't familiar with each other's respective skills and styles of operating, “You lose hours figuring out that stuff. You have to make split second decisions,” she adds. “If you think of a football team, you have a quarterback and have three or four wide receivers. They can all catch the ball, but you have to know who you’re throwing it to, who’s supposed to be catching, blocking.”
Cybersecurity front line
On the day of the Alphaville exercise, Wayne State University's Hayes – who placed first in the contest – was simultaneously working to contain a real-life, rapidly spreading virus that had broken out on campus computers. He and his security team at the university were able to quickly contain it on the majority of the university systems, but on day two they found that there were a couple of off-campus computers still infected.
The virus was coming from malicious servers in Serbia and Ukraine, and Hayes says the intent was to capture users' login names and passwords. Time was key when responding to the hack – it took Hayes and his team 20 minutes to contain it, he estimates.
“But this could’ve really run rampant – these things can unfortunately grow out of control really, really quickly,” he says. “It’s scary to think you have meetings that are 90 minutes long, and when you come out, the entire landscape of what’s happening at an organization could have changed. It only takes an hour for something terrible to take root.”
It helps, he adds, that MiC3 members are able to troubleshoot with each other. “We send a lot of emails to each other – how have you been? What are you working on? Have you seen anything weird at work?” says Christian Kopacsi, the lead forensics specialist on Hayes’ MiC3 team. “When you run into a problem, you can shoot an e-mail or give them a quick call,” Mr. Kopacsi says. “There’s a certain level of trust knowing that when we do ask for help, that it’s not going to be put on social media or anything.”
Indeed, sharing intelligence is another driving factor behind the corps. For instance, during other war games exercises, “We start telling our little IT war stories,” says Hayes. “It’s funny how the exact same things I see on a daily basis in my job, they’re seeing as well. It really hits home that these problems we face, we’re not alone in them – we’re not these tiny isolated islands where the problems I have no one else sees,” he adds. “That kind of intelligence is worth its weight in gold.”
The civilian cyber corps “are the guys who actually work with those systems, and they’ve been doing it for 20 years,” says Michael Yokie, chief warrant officer with the Michigan National Guard, which also teams up with MiC3 for exercises. “I can go to class, or even build a simulated environment that looks like it, but where else are you going to get that experience?”
Now, with the MiC3, “We have a volunteer system that can jump in with us and help us.” For this reason, the Michigan National Guard is actively courting the Michigan Civilian Cyber Corps to join their ranks as well. “I actively try to recruit people from the Civilian Cyber Corps,” Mr. Yokie says.
Adams hopes the success of the civilian cyber corps not only spawns similar initiatives in other states but also generally helps improve cybersecurity awareness across Michigan. “If you really take the volunteer fire department model, they not only responded to emergencies, but they taught preventative lessons,” he says. It's a sort of “McGruff the Crime Dog” model for the Digital Age.