It has the makings of a movie plot that’s so awful, Ben Affleck has to land on an asteroid to save humanity: America wakes up one morning to a massive denial-of-service attack. No internet access. Banks and credit cards are down. At the same time, entire regions are without power. Water treatment plants are compromised, leaving communities with no safe water to drink.
This worst-case scenario is more likely than many of us want to consider, top national security and law enforcement officials warn in repeated, blunt language. If China decides to invade Taiwan — something officials fear could happen by 2027 — cyberattacks could first target American critical infrastructure, says FBI Director Christopher Wray. China would hope the resulting chaos would keep U.S. officials focused internally while sapping Americans’ resolve to help defend Taiwan.
“There has been far too little public focus on the fact that PRC (People’s Republic of China) hackers are targeting our critical infrastructure — our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems — and the risk that poses to every American requires our attention now,” Wray told a U.S. House committee at a Jan. 31 hearing.
“Low blows against civilians are part of China’s plan,” he added, calling it “the defining threat of our generation.”
As the country’s third most-populated state, home to the U.S. Special Operations, Central and Southern commands, NASA’s Kennedy Space Center, seaports and so much more, Florida is a prime target for cyberattack.
The threat to the nation’s cyber infrastructure “is both real and urgent,” Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said at the same hearing.
“When they talk like that, we should pay attention to them,” says retired Marine Corps Gen. Kenneth F. “Frank” McKenzie Jr., who led the U.S. Central Command from 2019-22. He now runs Cyber Florida at the University of South Florida.
McKenzie’s organization is part of a growing infrastructure in the state aimed at training employees in those critical infrastructure sectors, helping them to shore up their cyber defenses and be ready to effectively respond to what many consider an inevitability.
Backed by $30 million in state funding, Cyber Florida, the University of West Florida and Florida International University offer free cybersecurity assessments, simulation exercises and training to staff at critical infrastructure centers throughout the state.
“It’s one thing to have someone tell you about it or give you resources about it,” says Corey Wrenn, who manages Cyber Florida’s Aligned Realistic Cyberattack Simulation (ARCS) Range, an initiative designed to support Florida public-sector cybersecurity professionals.
“But it’s an entirely different level of understanding and knowing something when you go through it. That’s why the cyber range is so important. We try to recreate these types of scenarios to be as close to accurate to what’s going on in the threat landscape right now.”
Constant Attack
Despite the warnings, too many Floridians still feel immune from cybercrimes, says John Wensveen, director of Nova Southeastern University’s Levan Center of Innovation, which has its own cyber range to assess system weaknesses and run exercises for staffers.
It’s “a real challenge” to teach businesses to be proactive, he says. Many executives don’t understand the technical issues and assume everything is good. “Part of our job is to make people, frankly, a little bit scared about what’s going on in the world of cybersecurity. Just because you are in compliance, it doesn’t mean that you’re safe and secure.”
A glimpse at the data makes that clear. Florida’s $874.7 million in cybercrime losses in 2023 ranked third nationally, the latest FBI Internet Crime Report shows. And a U.S. Department of Health and Human Services Office for Civil Rights database shows dozens of breaches in the past two years within state health care organizations and their associates.
Local elections offices and water treatment plants have been breached. A ransomware attack on May 8 hit Pensacola’s Ascension Sacred Heart Hospital and other facilities in the Catholic health system’s network, forcing disruption to clinical operations. Similarly, Tallahassee Memorial Healthcare postponed non-emergency procedures and diverted some EMS patients in February 2023 as it dealt with a cyberattack in which files containing patients’ personal identification information were accessed.
As more people work from home, a trend that accelerated dramatically during the COVID-19 pandemic, hostile countries have exploited new vulnerabilities. Older “small-office/home-office routers” made by Cisco and Netgear were targeted by Chinese hackers around 2021 to create botnets targeting U.S. critical infrastructure, says a December FBI search warrant affidavit targeting a group known as Volt Typhoon.
The routers were considered at the end of their lifetimes and no longer received security updates. That left the door open for hackers. Once inside, they began “living off the land,” using the system’s existing programs to target U.S. infrastructure including communications, energy, transportation and water, the FBI says.
A simple restart can be enough to remove the intrusion, but the affidavit notes that “owners of infected routers typically do not know they are victims and therefore do not have a reason to restart their devices.” The court-approved warrants enabled law enforcement to “remove the malware from the infected routers and take limited, reversible steps to prevent re-infection.”
While a threat was removed, cybersecurity experts acknowledge it’s a short-term gain. “We’re constantly being probed. We’re constantly being attacked. None of this is really new,” says Bruce Caulkins, a retired Army colonel with 35 years’ experience in computer security who runs Cyber Florida’s ARCS Range. There are plenty of threat actors targeting U.S. critical infrastructure, and with wars ongoing in Ukraine and Gaza, governments like Iran and Russia are motivated, he notes. “People are probing our defenses right now to see, can I take down this power plant? Can I infiltrate this hospital? What about these banks — can I take money from them?”
Florida lawmakers in 2022 prohibited state, county and local agencies from paying ransoms to hackers, but such attacks continue to plague the private sector.
New vulnerabilities are being introduced unintentionally all the time, Caulkins says. The human factor means that older techniques like phishing emails remain the most effective paths to entry. And too often, simple precautions aren’t taken. In a March White House letter to the nation’s governors, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan said attacks on U.S. facilities by Iran’s Islamic Revolutionary Guard Corps have succeeded in some cases because no one changed the manufacturer’s default password on some computer equipment.
Fortifying Florida
Cyber range exercises can change attitudes, Wensveen says, likening Nova Southeastern’s cybersecurity simulation exercises to a flight simulator. “Everything’s great as you’re flying the simulator, and then all of a sudden you’re thrown different scenarios that you have to be able to react to. It’s the same thing with cyber. If you’re doing it correctly, people leave that room sweating because it seems like the real thing. It is very, very real.”
But smaller, often more rural critical infrastructure providers may lack the staff and budget dollars to keep up to date on cybersecurity training. And others may lack a culture of constant vigilance, one that accepts that no one is immune and no organization is too small to be a target.
“It’s a mindset. Everyone believes that they are not a target,” says Steve Gary, a USF associate professor who teaches graduate cybersecurity and intelligence studies. “But everyone technically is a target, because with the automation today, they can send out a billion phishing emails.”
And most business threat models don’t include a remote employee’s home network, Wrenn says. The case of Volt Typhoon shows that individual employees can inadvertently open the door to critical infrastructure systems. In addition to taking advantage of old routers, hackers can identify employees, gather data on them on the dark web, and “target them on social media and send them target phishing campaigns to their personal cell phones,” Wrenn says. “Then they exploit that cell phone, they move laterally through that home network and they gain access to those corporate environments.”
Cyber Florida is finding two audiences in promoting its training, says Associate Director of Cyber Outreach Kate Whitaker. Many understand the threat and jump at the chance for free training and other assistance. “But then there’s a whole larger group who either doesn’t want to deal with it, (or) doesn’t really understand the threat. Believe it or not, there’s still a major reluctance — I think a lot of people just find the topic of cybersecurity overwhelming. And if it’s a small, rural municipality that maybe doesn’t have a large staff, they may be in a position where they feel like, ‘Well, I can’t do anything about it anyway, so I’m not going to even think about it.’”
It often takes a while to persuade people that “there is something they can do, it doesn’t cost a lot, and they have the resources for you,” she says.
A risk assessment that Cyber Florida completed last year found that the state’s critical infrastructure providers “are more prepared to respond and recover after a cyber incident but less prepared to detect and identify threats.” That is driven in part by “a shortage of qualified cybersecurity managerial staff.” Nearly half the 200 respondents did not have a chief information security officer or a cybersecurity training program.
The Florida Legislature gave Cyber Florida $30 million to help fill some of those gaps. Training offered by the University of West Florida and Florida International also is covered by the state, says Guillermo Francia, research and innovation director at UWF’s Center for Cybersecurity. Interest in the classes already was strong but took off in the wake of the FBI’s Volt Typhoon disclosure and numerous federal warnings. “The courses fill up very, very quickly.”
While that’s welcome news, Francia also carries a pessimistic view that training will never be enough to fully protect American critical infrastructure against nation-states with armies of hackers. “It’s going to happen,” he says. “It’s just a matter of when.”
Attack Frequency
Florida health care providers and their associates have suffered 49 distinct breaches in the past two years, affecting more than 13 million people. Most gained entry via emails or network servers. Among those targeted:
Entity                                                   Date Reported
Orlando Health                                           11/18/22
University of Miami                                      12/22/22
Tallahassee Memorial Healthcare                          3/31/23
Florida Health Sciences Center (Tampa General Hospital)  7/28/23
Catholic Charities of the Archdiocese of Miami           1/22/24
Moffitt Cancer Center and Research Institute             4/24/24
Source: U.S. Department of Health and Human Services Office for Civil Rights