With more than 28 million people and a robust economy, the nation’s second most populous state has become a rich and inviting target for cybervillains.
Billions of attempted cyberattacks, many of which are automated, hammer computers throughout Texas each month, threatening everyone from the average citizen sitting at a laptop to Fortune 500 companies and government networks loaded with confidential data.
Even though most of the computer attacks are batted aside, successful breaches have cost the state $277 million over the past five years, according to data compiled by the FBI’s Internet Crime Complaint Center, consistently placing Texas among the top three or four states in economic losses from cybercrime.
In 2017, Texas had 105 breaches that resulted in the theft of 2.5 million records, more than five times the 505,088 records stolen the previous year, according to newly released findings by the non-profit Identity Theft Resource Center. The breaches in Texas constituted 6.6 percent of the record number of 1,579 breaches reported nationwide, said spokeswoman Charity Lacey.
In North Texas, cyberattacks over the past two years have been reported by the Dallas-based Omni Hotels and Resorts chain, the Irving-based Cicis Pizza chain and the police department in Cockrell Hill, a one-square-mile “island city” inside Dallas.
GameStop Corp., a Grapevine-based video game and electronics retailer, alerted customers last year that payment card data may have been jeopardized after the company was notified by a third party that data from cards used on its website was being offered for sale.
A ransomware attack was attempted inside Tarrant County government in 2016 but the cyberresponse team foiled the assault with no lost or stolen information.
The hacking attempts are constant, like waves pounding a beach.
Kevin Gunn, director of information technology for Fort Worth, said that while the city has never sustained a major breach, a typical day in the office will see about 15,000 attempts to compromise the computer system.
Gunn said many of the attempted assaults on the Fort Worth system come from unsophisticated “script kiddies” who launch automated attacks by plugging in a block of IP addresses, often with tools that he said are freely available on the internet.
He said cybercriminals are often motivated by financial gain and attempt to invade the city’s system to get information on customers or employees. Additionally, he said, “there are some people who are politically motivated” and are seeking information “that would perhaps cast the city of Fort Worth in some sort of bad light.”
At Lockheed Martin Aeronautics in west Fort Worth, which manufactures the F-35 Joint Strike Fighter, spokesman Ken Ross says the defense plant is “routinely attacked by adversaries” but has “pretty in-depth defenses that range from what our IT professionals do to the training we provide for our employees.”
The attempts, he said, are aimed at getting technical information or finding out “just how we operate” or “what things we might have that could help them develop products that would be able to fight against the products we’re developing.”
Ross declined to identify the adversaries but said “it’s what we call a persistent threat and it’s something that we’re continuously defending against.”
Hacking horror stories
Texas is pushing back with new cyberlaws enacted by the 2017 Legislature but leaders in government and business acknowledge they are confronting an ever-widening threat that seems to grow worse by the day.
“I think that this is an issue that’s new, relatively new, but it’s going to be one of the greatest challenges of our time,” said State Sen. Jane Nelson, R-Flower Mound, who chairs a Senate select committee assessing cyberthreats in Texas. “I truly believe that, and the more I learn, the more concerned I become.”
State Rep. Giovanni Capriglione, R-Southlake, who authored the Texas Cybersecurity Act and the Texas Cybercrime Act, both of which took effect on Sept. 1, said he was motivated in part by constituents with horror stories about being hacked.
“Everybody has a story about how they were violated,” he said, describing door-to-door visits with residents in his Tarrant County district.
Whether it is waged by financially-motivated criminal gangs, lone-wolf scammers, foreign spies or “hacktivists” at war with the government, the assault on computer systems has been widely described as one of the most pervasive — and pernicious — global threats of the high-tech age.
Virtually every barometer shows mounting costs and an escalating threat level, with estimates of losses from cybercrime and espionage reaching close to $450 billion world-wide.
Cyberinvasions exposed the identities of 429 million people internationally in 2015, a 23 percent increase over the previous year, according to Symantec’s 2016 Internet Threat Report.
Texans sustained $77.1 million in losses from internet crime in 2016, ranking fourth behind California, New York and Florida, according to the Internet Crime Complaint Center. Texas’ losses in the center’s latest report were more than double the state’s $29.9 million in losses five years earlier. The center reported 21,441 victim complaints from Texas in 2016, compared to 18,392 complaints the previous year.
Hackers often use automated programs to roam IP addresses that identify computers, hoping to exploit potential weaknesses to stage a scam or steal data that can lead to identity theft. The attacks are usually repelled by security software or alert IT operators trained to detect likely fraud or suspicious computer addresses.
Among the most commonly used tactics by cyberassailants are phishing — typically a text or email falsely claiming to be from a legitimate source to induce the target to reveal personal information — and ransomware — malicious software that blocks access to computer systems until a ransom is paid.
A report by the Texas Department of Information Resources, the state’s information technology agency, noted that billions of attempted intrusions — also described as “malicious traffic” — are blocked through the Network Security Operations Center (NSOC), which shields state agencies from computer assaults.
The report placed the average number of monthly attempts in 2016 at 3 billion.
State DIR officials, citing security precautions, do not provide estimates on successful breaches or discuss specific attacks, saying those details could arm hackers with intelligence and encourage further attacks. But cyber assaults are nevertheless coming to light with increasing frequency through news reports, cyber-monitoring organizations and public notifications from victimized companies and agencies.
For example, in October, the Texas Department of Agriculture, which oversees the federal school lunch program, reported that a ransomware attack on an employee’s state-issued laptop may have exposed personal information of more than 700 students.
‘Very real threat to business’
The Texas Attorney General’s Office, charged with enforcing statutes against identity theft, investigates data breaches involving businesses through its consumer protection division.
“There was a time when these kind of cases did not exist,” said Esther Chavez, senior assistant attorney general in the consumer protection division.
Texas companies are required to notify customers of data breaches. But, unlike a number of other states, Texas does not require businesses to inform the attorney general, although companies sometimes voluntarily notify the agency.
More than two dozen reports to the attorney general, reviewed by the Star-Telegram under an open records request, included the highly-publicized Equifax breach and notifications from several out-of-state companies reporting exposed credit card information potentially affecting more than 70,000 Texans.
The state’s prospering business landscape is obviously fertile territory for cybercriminals who prey on multi-national corporations, struggling mom-and-pop outlets and everything in between.
Omni Hotels and Resorts notified customers in mid-July of 2016 that some properties were struck by a point-of-sale malware attack designed to collect certain payment card information, including cardholder names and credit-debit numbers.
In the intrusion on the Cicis chain, reported about the same time, malware infected payment systems at restaurants in 17 states, including more than 50 in North Texas, possibly exposing payment card information, according to press reports.
“It’s a very real threat to business, a very serious issue,” says Chris Wallace, president of the Texas Association of Business, noting that the problem is particularly severe for small- to mid-size businesses that lack sophisticated IT staff.
The first hearing before Nelson’s committee in December underscored the extent of the threat to state agencies, which are laden with information that includes government contracts and confidential data on citizens.
“We have bad actors knocking on our door every day,” said Shirley Erp, chief information officer of the Department of Health and Human Services, which houses what Erp described as “a lot of critical data.”
The Department of Public Safety, in a 2017 report to the Legislature, described itself as “a target rich environment for hackers, organized crime and cyberespionage.”
The types of assaults in Texas mirror those taking place across the rest of the world.
As many as half the global breaches in 2016 involved organized criminal groups motivated by financial greed, according to at least one report. But other elements also operate within the so-called dark net, where anonymizing software such as Tor or I2P is used to hack.
The last several years have seen the rapid spread of “hacktivists” whose tactics include “denial of service” attacks to bring down computer systems in government offices and police departments, amounting to what is often described as radical forms of protest staged through computers.
Foreign operatives from a multitude of countries, notably Russia and China, also manipulate and scour U.S. computer systems, either looking for information or conducting mischief.
Russia’s alleged meddling to influence the 2016 elections is the most notorious example, but experts say even modest-sized towns in Texas are vulnerable to foreign computer spies, possibly looking for economic data or information on infrastructure such as factories or defense plants.
‘They only have to be right once’
Computer experts say the state laws that went into effect in September are a major step forward and put Texas in a leadership position toward cracking down on cybercrime.
“I was thrilled to see it pass,” said TCU associate professor Michael Bachmann, an expert on cybersecurity. “It was overdue that Texas realized the importance of the issue.”
Nancy Rainosek, chief information security officer with the Department of Information Resources, said the new laws send a message that “the state is being proactive” in confronting cybercriminals.
“They only have to be right once,” said Rainosek. “We have to be right 100 percent of the time.”
The Texas Cybersecurity Act, also known as House Bill 8, among other things, imposes a strengthened planning regimen under the leadership of the DIR and puts a premium on training, which many experts describe as a top priority to optimize the “human element” in the state’s cyberdefenses.
Perhaps in a reflection of concern raised by reports of Russian election-tampering, HB8 mandates the Secretary of State, the chief election officer, to address potential weaknesses in the Texas election system by studying possible vulnerabilities of voting machines and voter lists.
The law also calls for biennial security plans from all state agencies and creates select committees in the House and Senate to conduct interim hearings on cybersecurity. Lt. Gov. Dan Patrick named Nelson to head the Senate committee, which also includes Sen. Konni Burton, R-Colleyville. The House committee hasn’t been formed.
House Bill 9, the Texas Cybercrime Act, adds three new offenses to the Texas Penal Code for denial of service attacks, ransomware and intentional deceptive data alteration, carrying punishment that could reach as high as life in prison.
While the new measures underscore the state’s expanding commitment to cybersecurity, Capriglione, Nelson and others acknowledge that Texas still has work to do, including replacing or modernizing “legacy” computer systems judged to be outdated and insecure.
The DIR, in a 2016 report to the Legislature, cited 82 modernization projects from 29 agencies for an estimated funding request of $379 million, including nine projects rated as having higher cybersecurity and legacy risks. Lawmakers last year approved a total of $113.7 million for information technology and cybersecurity initiatives, including $27.4 million for cybersecurity upgrades.
“I’ll be blunt. That’s just a drop in the bucket for what our needs are,” Capriglione said.
Capriglione and Nelson also said they will push to strengthen protections for local entities in the next legislative session. House Bill 8 deals with state agencies and public universities but does not include cities, counties and school districts, many of which are also bombarded by cybersecurity threats.
‘Billions with a B’
While major cities and counties, including Fort Worth and Tarrant County, have equipped their IT departments with cybersecurity staff and infrastructure, many smaller communities either haven’t grasped the extent of the threat, lack the money for a cybersecurity program or don’t believe they are big enough to be threatened, according to legislative studies.
“I am very concerned about local governments and their vulnerability,” Nelson said.
Of the 1,100 cities in Texas, only about 200 had a person designated to handle cybersecurity, the Texas House Committee on Urban Affairs reported in an interim study submitted to the Legislature in January 2017.
“Some cities are so small that they depend on volunteers to handle IT matters,” said the report.
One exception is Granbury, a city of nearly 9,000 people about 40 miles from Fort Worth.
“Granbury is a little unique for the size of our town because we have actually implemented a lot of policies and controls over the last six years,” said Tony Tull, the city’s IT director. The city has dedicated about 20 percent of its IT budget for cybersecurity.
In Hurst, City Councilman Larry Kitchens said the Tarrant County suburb recognizes the threat and hosts an annual cybersecurity summit to inform its citizens on how to protect themselves from hackers.
Although Hurst has a “very strong defense” and has never sustained a cyberbreach, Kitchens said, the threat of a potential break-in is a constant fear. “It’s a big worry,” he said. “Just because we haven’t been breached, that doesn’t mean the next time that they can’t get in.”
No government entity appears to be immune, regardless of size or mission.
In September, a group calling itself “The Dark Overlord” broke into school districts in several states, including the 4,000-student Splendora district in southeast Texas, in an attempt to instill “fear and chaos” among parents and students, according to Splendora officials.
The Texas district notified parents, removed the servers and ordered a forensic audit that concluded that nothing was taken. “We were fortunate,” Deitra Inkster, an administrative assistant to the superintendent, told the Star-Telegram.
The Cockrell Hill Police Department, composed of 15 officers and six civilian employees, was invaded by a ransomware virus that corrupted files on its server in late December of 2016.
The anonymous intruders demanded a ransom of about $4,000 in Bitcoins and transfer fees in exchange for an encryption key. The department consulted with the FBI and refused to make the Bitcoin transfer, instead choosing to isolate and wipe the virus from the servers. Police Chief Stephen Berlag said no information was seized from the department.
State Sen. Nelson said it’s encouraging that Texas is being proactive in protecting itself.
But the enormity of the problem, underscored by billions of attempted attacks — “billions with a B” — is “mind-boggling,” Nelson said.
How vulnerable is Texas?
“Very,” she said.
Cybercrime tools and techniques
Ransomware: A type of malicious software designed to block access to a computer system until a ransom is paid.
Phishing: Email, text or phone call from a purportedly legal source requesting personal, financial or log-in credentials. AKA phishing, vishing, smishing or pharming.
Denial of service: Maliciously blocking access to a network or computer system.
Hacktivism: Hacking into a computer system for a politically or socially motivated purpose.
Malware or scareware: Software to damage or disable computers or carry out malicious functions such as stealing, hijacking or deleting data.
Identity theft: Stealing and using personal information, such as Social Security numbers, to carry out fraud or other crimes.
Virus: Code that copies itself and corrupts or destroys data.
Trojan Horse: A program to breach the security of a computer system while ostensibly performing an innocuous function.
Tech Support: Attempts to gain access to a victim’s electronic device by falsely claiming to offer tech support, usually for a well-known company.
Sources: Internet Crime Complaint Center, Texas Department of Information Resources.