Wisconsin on front lines of a cyber-security battle

Wisconsin is on the front lines of an online battle between creative hackers and business owners trying to protect valuable data.

So says Byron Franz, a special agent with the FBI’s Milwaukee Division who specializes in industrial espionage. He spoke at a Tuesday meeting of The Wisconsin Technology Council’s Innovation Network in Madison.

“There are cyber-missiles landing in the Badger state every single day,” said Franz, who is originally from Milwaukee. He pointed to large-scale manufacturers and health technology companies based in Wisconsin as particularly attractive targets.

“We make the things that run the juggernaut that is the United States and the world,” he said.

He says cyber-attacks in Wisconsin are far more prevalent than many business owners might realize, and deliberate action is needed to protect from these online threats, which can often come from groups within China or Russia.

“There are probably several [attacks] that have erupted around here, but we can’t see it because it’s in cyberspace,” he said. “But they’re there–I can guarantee you they’re there.”

Cyber-attacks can take many different forms, targeting the software, hardware, and even the people that make a company run, in order to obtain valuable data and trade secrets.

Trade secrets, as the FBI defines them, are any data that “derive independent value” for the business simply by not being known to the public, Franz says. This includes customer lists, supply chain information, specialized manufacturing procedures, details on internal facility layouts and much more.

“These are the things that are being stolen,” Franz said. “Up to the level of, according to some estimates, a net outflow of between $300 and $400 billion of trade secrets, intellectual property going from our shores as a direct subsidy to countries we are competing with–often because people did not employ what the federal government calls ‘reasonable measures.’”

That can include things like yearly-renewed confidentiality agreements, firewalls, and tightly controlled access to company information systems. Other helpful measures include using passwords that are long and nearly impossible to guess, and changing them often.

“We’re talking not about perfect measures, but reasonable measures,” Franz said.

Steve Lyons, a government affairs and communication advisor for Husch Blackwell, says when it comes to businesses being targeted by cyber-attacks, “it’s not a matter of if, it’s a matter of when.”

He says businesses serve their own best interests when they spend big on security measures such as cyber insurance–something he says can save money in the long-run.

“Spend the money,” Lyons cautioned at the meeting. “The few thousand dollars that you are going to spend proactively–and I know it’s hard with budgets–but it can be 10, 20 or 50 times that if you don’t do it right.”

Lyons also said he is “amazed” companies don’t have cyber insurance at a time when the methods for obtaining secure company data are becoming more and more clever.

One such method is ‘spear-phishing,’ in which hackers will send out emails with untrustworthy material to hundreds or thousands of people in the hopes of having just one careless employee click the link. While most won’t, it only takes one person to compromise security.

“These things usually come in by virtue of an email, with attachments or links,” Franz said. “Think of those attachments as an unexploded grenade where you have the right to pull the pin on yourself, or not.”

Franz says this was the method used in the DNC hack, where 20 of the 108 targeted individuals clicked on fraudulent links.

One option businesses can pursue to improve security is penetration testing, or pen-testing, where a ‘white hat,’ or ethical hacker, is hired to break into a company’s online systems and give a report on weaknesses.

Jim Blair, managing partner of Aberdean Consulting, has used pen-testing to successfully expose weak spots in companies. In one example, an employee clicked a link that would have granted immediate, complete access to an outside attacker.

“It was interesting to see that,” Blair said, adding that social engineering, not hardware or software infiltration, was successful in nine out of the 16 individuals targeted.

To emphasize the extreme high stakes of the ongoing cyber battle, Franz pointed to the case in 2016 of malignant Microsoft Excel and Word documents being sent to Ukrainian power operators, resulting in an entire city going dark.

“We’ve grown accustomed to these [lights], but what happens when they go out for a week?” Franz asked. “People will kill each other for a carton of milk.”

–By Alex Moe