Recent cyberattacks on businesses and infrastructure around the country have lent new urgency to a series of cybersecurity projects Hawaii has in the works to help local businesses and nonprofit groups maintain federal contracts by complying with stricter guidelines.
The changes could mean major adjustments — and significant costs — for some organizations that have benefited from the large military presence in the islands.
“The reason the state is doing this effort is to help educate the local defense contractor community about the regulations and the impact they might face if they don’t pay attention to these regulations because the enforcement is increasing,” said Larry Lieberman, who is leading a new compliance initiative by the Hawaii-based cybersecurity firm Referentia Systems Inc.
“There’s literally a tsunami of impact coming to Hawaii contractors right now that they may or may not weather, and that they may or may not survive,” he added.
Referentia launched its Hawaii Defense Economy Cyber Compliance Education Program last week under a contract with Hawaii’s Department of Business, Economic Development and Tourism, which offers education on the requirements companies will need to abide by to maintain military contracts and win new ones.
It’s one of several educational initiatives being launched by DBEDT as federal agencies prepare to enforce stricter cybersecurity guidelines for contractors hoping to work on government projects, including requiring a third party certification.
CyberHawaii, a nonprofit aimed at educating Hawaii leaders and residents about cybersecurity, is also offering a state-funded program dubbed Cyber Ready Hawaii, which provides free training to Hawaii businesses and nonprofits in partnership with the Cyber Readiness Institute.
On Monday, DBEDT and a newly formed Hawaii Defense Alliance hosted a cybersecurity workshop at the Entrepreneurs Sandbox in Kakaako to get the word out.
“We’re really focusing on making sure our small- to medium-sized businesses are cyber-ready, and more importantly that they’re going to be ready and able to compete for those federal contracts that come out,” said Jill Tokuda, co-director of CyberHawaii. “That could be anything from defense to health care to education.”
Part of that will mean training or hiring new employees to handle technology and to be knowledgeable about new guidelines, which could be especially costly for smaller local companies already operating on slim margins. Some of the new policies are set to come into effect before the end of the year.
As businesses increasingly rely on the internet, cybercrime and network infiltrations are becoming more common.
“They’re happening very, very often. We’re talking about somewhere in the neighborhood of every 11 seconds,” said John F. Tobon, Special Agent in Charge at Homeland Security Investigations Honolulu. “That is a constant drain, on the resources and the security apparatus of our infrastructure.”
Earlier this year, Texas-based Colonial Pipeline paid a ransomware gang known as DarkSide, which was believed to be operating out of Russia, after it infiltrated the pipeline’s systems.
Tobon, who has 24 years of law enforcement experience and has spent the last decade working on cybercrime, said the culprits are often affiliated with transnational criminal groups that break into banks, hospitals and other institutions to steal credit card numbers, medical records and social security numbers that can be used for identity theft and extortion.
Sometimes these activities are tied to larger efforts. China, Russia, North Korea and Iran have military and intelligence organizations trained in cyberwarfare. Tobon said the line between common criminals and state-backed hackers can be a “gray area” because governments often work directly or indirectly with criminal groups.
“Hawaii is especially vulnerable, or is especially a significant target, because of its strategic importance,” said Tobon. “All of the military bases and all of the military installations within the state of Hawaii are targets for these state actors, and along with (that) the universities are also going to be targets.”
The Navy helps fund the University of Hawaii’s Applied Research Lab, which develops civilian and military technology, including secret projects. Government-backed hackers have aggressively sought to snoop on intellectual property and designs that the American military might use.
Military bases are also integrated into the state’s power grid. The military and the state have collaborated by investing in renewable energy projects across the islands to reduce their reliance on imported energy sources in the event that a disaster or conflict cut off supply lines. But cyberattacks could wreak havoc on the grid itself, although no major incidents have been reported.
“We have seen attacks to the power grid in several states,” said Tobon. “So I think that that is a significant concern for everybody involved.”
In May, the Army and the Hawaiian Electric Co. put the Schofield Generating Station, a $148-million facility built through a public-private partnership between the two, to the test.
They took Schofield Barracks, Wheeler Army Airfield, and Field Station Kunia off Oahu’s power grid, forcing them to rely on the station as a test to see how the bases would fare if some event cut their power.
The Pentagon established the U.S. Military’s Cyber Command in 2010. Analysts at the time criticized American military and intelligence organizations for being behind the digital curve while Russian and Chinese cyberwar initiatives already had deeply infiltrated American systems.
“The government back in 2016, put regulations into place that required contractors to tighten up the belt on cybersecurity, and those regulations were almost universally ignored,” said Lieberman.
Businesses, particularly subcontractors, often signed contracts that included references to federal regulations that many workers had never actually read. The Pentagon’s internal watchdog agency has over the years conducted multiple investigations that found that both service members and contractors routinely ignored cybersecurity guidance.
In 2018 investigators analyzed the cybersecurity practices of seven contractors working for the Missile Defense Agency and found that five of them “did not always or consistently use multi-factor authentication to access unclassified networks that contained technical information.”
“A lot of these start with the exploitation of a vulnerability that is created by human error,” said Tobon. Troops and contractors often did not update passwords or used easy-to-guess codes, left networks unlocked or clicked on suspicious links from their work computers.
“There’s a lot more awareness now on the streets about this, because now the government is saying that they will require companies to get third party certification to prove that they have done these requirements that they were supposed to have already been doing,” Lieberman explained.
Among the challenges facing Hawaii companies has been finding local cybersecurity talent. Both private companies and government agencies are competing for a small pool of workers qualified for the positions. The University of Hawaii has been receiving support from the military to boost its cybersecurity programs.
“It is coming down to securing the entire supply chain, because that’s where bad actors know that they can infiltrate and really get to the good stuff,” said Tokuda. “We’ve seen it in the latest rounds of attacks and intrusions, that it’s not coming into the big companies at the top that have all the layers of protection, it’s those subcontractors and those down the line.”
Civil Beat is a small nonprofit newsroom, and we’re committed to a paywall-free website and subscription-free content because we believe in journalism as a public service.
That’s why donations from readers like you are essential to our continued existence.
Help keep our journalism free for all readers by becoming a monthly member of Civil Beat today.