A screenshot shows how the Alaska Department of Health and Social Services’ website remains offline a month after hackers first targeted the agency’s networks.
For weeks this spring, hackers forced officials to shut down Alaska’s Courtview system, making state court records inaccessible to attorneys, people charged with crimes, and residents seeking to run background checks on their prospective dates or tenants.
Then, cyberattackers targeted the state health department, whose website has remained offline since the hackers were first discovered in mid-May.
State officials have revealed few specifics about the attacks — particularly about the one that targeted the health department. They’ve also declined to release many details about the cyberdefenses they use to protect Alaska’s computer systems, and how they plan to adapt them to ensure that future attacks are less disruptive.
While there are still many unanswered questions, here’s what we know — and what we don’t.
Who broke into the computer systems of Alaska’s court system and health department, and how did they do it?
These are the most obvious questions about the cyberattacks — and we don’t have answers to them. The health department, in a statement from spokesman Clinton Bennett, said it’s not releasing information “regarding the type of cyberattack, how the cyberattack occurred or other specific information.”
The court system’s top spokesman, Chief Justice Joel Bolger, has said a half-dozen computers were infected with malware that was trying to allow “outside actors” to move around the agency’s network. But in an interview Wednesday, he said those actors were never identified.
“We did not receive any direct communication from them,” he said.
Bolger said the unusual activity on the agency’s network was detected in late April by “cybersecurity notification software,” and that it was identified at an “early stage, before any of our computers had been taken over, locked up, encrypted — none of that stuff happened.” Two days after the discovery, the court system took its computer networks offline, to cut off the attackers’ access.
Bolger declined to say exactly how the hackers gained access to the court system’s network, stressing that he does not want to reveal information that could compromise his agency’s security in the future. He cited a recent ProPublica story that referred to one of the “cardinal rules of the cat-and-mouse game of cyber-warfare: Don’t let your opponents know what you’ve figured out.”
“I have had to be guarded on this issue to protect the integrity of the court system,” he said.
Did the hackers make any ransom or other demands of the state?
Bennett, from the health department, declined to answer the question.
In the court system’s case, officials say no ransom or other type of demand was made, and none was paid. Bolger also said that as far as his agency knows, no personal data or sensitive data was stolen from its computers.
One interesting thing we learned: Alaska does not have any kind of statewide cybersecurity insurance policy. That’s a tool that some public entities and businesses — including the city of Anchorage — use to lessen their losses from attacks, though prices have been rising recently. Up until now, each agency has “dealt with the issue themselves,” said Dave Donley, a spokesman for the Department of Administration, which includes the state’s Office of Information Technology.
“Division of Risk Management has raised the question, and Office of Information Technology is considering options,” Donley wrote in an email.
How are the attacks being investigated?
The health department has not released any details about its investigation, though it said in a statement earlier this month that it’s analyzing the attack with law enforcement and state and federal partners. We also learned through a public records request that the health department hired Mandiant, a leading cybersecurity firm, following the attack, with the cost estimated at $460,000.
The court system has said that federal and state law enforcement authorities were notified about the attack on that agency, and it’s also said it worked with a security consultant, though it hasn’t said which one, or how much it paid.
While neither the court system nor the health department specifically confirmed its involvement, the FBI is the law enforcement agency that handles most Alaska-based cybersecurity investigations. The agency, which declined to comment for this story, has a team of cyber-investigators at its Anchorage office that’s well-respected in Alaska’s IT community, and its agents have worked on a number of high-profile cases. Those include investigations targeting what are known as “botnets” — massive networks of computers or devices that have been hijacked by hackers.
What is the state doing to improve its cyberdefenses?
This is a key question, as cyberattacks against Alaska’s government aren’t expected to decrease any time soon.
The health department said in a statement earlier this month that it’s working to strengthen its people, processes and tools to make its computer systems more resilient to cyberattacks — but it added that the agency’s large size and complex computer infrastructure means that the process will take more time. It also has not released any details about its plans.
Officials from Gov. Mike Dunleavy’s office declined an interview request about the state’s plans for its cybersecurity. Spokesman Jeff Turner said the administration “takes cybersecurity very seriously” but referred questions to the administration department, which also refused an interview request. An administration department spokesman, Brent Wittmer, said in an email that the department’s Office of Information Technology is “actively assessing the state of Alaska cybersecurity infrastructure to ensure it is effective and secure against recent and similar incidents.”
The court system’s computer systems and cybersecurity infrastructure are separate from the executive branch’s, said Bolger, the chief justice. The recent attack has made the agency more sensitive to cybersecurity, and working with its technology contractors, “we will have further things that we will do to try to harden our defenses,” he said.
Bolger did not want to get into specifics, but he shared a few relevant details. He said one of the first things the court system did after the attack was reset all of its 750 employees’ passwords. The agency is also going to boost its use of what’s known as “multi-factor authentication” — that means requiring more than one identity verification, like a password, to access systems. And Bolger said the attack also underscores the importance of keeping all of the court system’s hardware and software up to date.
“It’s just kind of a wake-up call, that we have to pay attention to every little detail,” he said.
Do we know anything about holes in the state’s existing cybersecurity infrastructure?
One thing that several technology experts we spoke to pointed out is that Alaska has seen significant turnover in its top technology jobs in recent years. Alaska’s top cybersecurity official, Mark Breunig, also left his job just last month for a cybersecurity advisor position at the U.S. Department of Homeland Security, according to his LinkedIn profile.
The state also saw at least five people hold the job of chief information officer between 2018 and 2019, according to the tech news site StateScoop. That CIO position is also politically appointed by the commissioner of administration, rather than union-protected — which, those same technology experts said, could make it harder for the CIO to take some of the politically difficult or expensive steps needed to ensure the state’s cybersecurity.
We also know that the state has been trying to consolidate its technology functions since 2017, based on an administrative order issued by then-Gov. Bill Walker, an independent. Experts told us that centralization could boost the security of each state agency’s systems by making them more consistent and accountable. But the agencies, which were used to controlling their own computer and technology systems, sometimes resisted the effort, and the work of consolidation is unfinished, according to an undated informational page on the administration department’s website. Bill Smith, Alaska’s current CIO, told a government technology website last year that the effort was only one-third complete.
Kelly Tshibaka, who led the administration department and has touted its technology centralization, left that job in March to run for U.S. Senate. She didn’t respond to an emailed request for an interview.