Five months after the cyberattack that crippled Alaska’s health department, Gov. Mike Dunleavy’s administration has released few details about the breach.
And the health department, along with state technology officials, are now waging an intense fight to preserve the secrecy of records that would help Alaskans better understand what happened.
The administration now says that the hackers were sponsored by a foreign government, and gained unauthorized access to the department’s computer systems in May.
The attack’s effects hit individual Alaskans, who, in the middle of the COVID-19 pandemic, had to wait longer for relatives’ death certificates. Background checks for health care workers were delayed because they had to be processed on paper forms.
And earlier this month, the health department announced that the hackers may have had access to Alaskans’ personal and health information — their Social Security numbers, financial data and even records documenting individuals’ disease history, vaccinations and reports of child harm.
In the days after the attack, the health department hired a Silicon Valley cybersecurity firm, Mandiant, to help investigate and harden the state’s systems against future hacks. Mandiant, working under a $459,000 contract, then drafted a 37-page report that was distributed to high-ranking state officials and the FBI.
The document, a state official said in a sworn statement, delves into the identity of the hackers, the scope of the attack and the data exposed. It also covers steps the health department took to contain the breach — along with information to help the state avert similar attacks in the future.
But so far, the health department has rejected Alaska Public Media’s public records requests to release even a redacted version of documents prepared by Mandiant, along with other cybersecurity-related reports, saying that doing so would further jeopardize the security of the state’s computer systems.
In the sworn affidavit filed this week as part of Alaska Public Media’s appeal of the rejection, the state’s chief information officer, Bill Smith, offered multiple new arguments against releasing the document.
Among them: The FBI, according to Smith, is urging the state to keep it a secret. Smith also said that Mandiant’s report belongs not to the state agency that paid for it, but to the company.
Mandiant spokeswoman Melanie Lombardi, in an email, disputed that, saying the report is “client property” before adding in a follow-up message that the company is “providing no comment.” An Anchorage-based FBI spokeswoman, Chloe Martin, declined to comment on Smith’s statement.
Dunleavy administration officials have continued to decline interview requests about its response to the multiple cybersecurity breaches that have hit the state this year. But Smith did release a prepared statement this week saying that addressing the problem is a top administration priority.
“The state of Alaska takes cybersecurity threats extremely seriously, and our multi-agency security team is focused on continuously improving our defenses,” the statement quoted Smith as saying. “We’ve taken concrete steps to secure our network as well as anticipate, detect and react to evolving threats. Cybersecurity considerations are an ongoing priority and we will continue to routinely evaluate our risk and implement methods to protect our valuable assets.”
Alaska’s health department is not the only state agency to be hit by hackers recently, amid a surge in such attacks worldwide.
In December, Lt. Gov. Kevin Meyer announced that hackers targeting state elections systems had obtained access to more than 100,000 Alaskans’ personal information, though he said they did not affect any election results.
Then, in May, Alaska’s courts, which operate separate technology systems from the executive branch, shut down their system’s access to the internet after a separate cyberattack. They also cut off access to CourtView, an important public-facing database of court records and dates.
Like Dunleavy’s administration, the court system has fought to keep details of its response and hacking-prevention efforts a secret. Earlier this year, it denied Alaska Public Media’s request, along with a subsequent appeal, for the courts’ contracts with any cybersecurity or technology firms it hired to help respond to the attack.
“Disclosing even, for example, the names of the companies with whom we may have consulted or contracted, or the amount of funds that the court may have expended in its response efforts, would arm the attackers with information that could be used to undermine the new security measures that we took, and would inform them of the dollars that we may have been willing to pay to counter the attack and to minimize the potential for another attack,” Stacey Marz, the court system’s administrative director, wrote in a letter denying Alaska Public Media’s appeal in August.
The health department’s most complete accounting of the cyberattack came in a briefing and five-page Q&A released earlier this month, when it made a legally required announcement that Alaskans’ personal data had been exposed.
In the Q&A, the health department said that with help from Mandiant, it had identified the hackers as a “nation-state sponsored attacker” and a “highly sophisticated group known to conduct complex cyberattacks” against state governments and health care entities.
The attack’s first signs were discovered in early May by a security monitoring company, which notified state technology officials.
The state’s investigation revealed that the hackers had compromised a server supporting the health department’s website “and spread from there,” according to the Q&A. The website was ultimately taken offline “to prevent further disruption and harm to servers, systems and data,” the agency said.
Mandiant found no evidence that Alaskans’ personal or health data was stolen. But because of a lack of certainty and the hackers’ level of sophistication, the state said it was forced to announce that the information had been exposed.
While there’s no sign of continuing attacks, “there is real concern that this group will come back to try again,” the health department said. It’s now taking steps to build back its systems to be “as resilient as possible,” and planning more “post-incident hardening” and an after-action review.
In the meantime, the Dunleavy administration has refused to release documents that could shed more light on its response — and on how well it built up the state’s cyber-defenses before the attack.
In addition to withholding the Mandiant document, the administration is also fighting to keep secret a 2018 report drafted for the governor by top technology officials.
The report, according to the affidavit from Smith, the top technology officer, assessed the strength of the state’s cybersecurity systems and recommended investments to boost them.
But releasing the three-year old document, Smith said, could alert hackers to vulnerabilities in the state’s systems. It would also create a risk that “the public would wrongly second-guess preliminary and final opinions and recommendations of the governor’s advisers,” he said.
While the documents remain confidential for now, Alaska lawmakers say they’re likely to more deeply examine the circumstances of the attack against the health department, and the state’s efforts to protect itself from such hacks.
Anchorage Democratic Rep. Ivy Spohnholz said she plans to request an information technology security audit at the next meeting of the relevant legislative committee.
The audit’s results, she added, would be confidential. But they could help give policymakers “the tools and the information that we need to make sure that we’re getting the right resources to the right places to ensure that this doesn’t happen again.”
And Anchorage Democratic Rep. Liz Snyder, who co-chairs the House committee that oversees the health department, said she’s considering scheduling a hearing on the cyberattack and the state’s response. While she said she wants to be sensitive to the demands on the department during the COVID-19 pandemic, Snyder added that she has a “growing list of questions” for the agency.
She’s said she’s still uncertain about what kind of data, and how much, may have been stolen by the hackers. She said she wants to know if the credit monitoring tools offered to Alaskans by the department are sufficient to protect them.
And, Snyder added, she wants to better understand why a previous cyberattack on the agency, in 2019, didn’t lead to fixes that prevented the one this year.
“Do we not have the resources — either the technology, or the software or the manpower — to be ready for this?” Snyder said. “I think the administration’s going to have to answer those questions.”