Wisconsin has a lot of areas to improve on when it comes to cybersecurity, including gaps in statutory definitions, AI use and collaboration between groups, experts say.
A panel of experts during an Assembly Science, Technology, and AI Committee informational hearing yesterday provided several hours of insight into the current state of cybersecurity in Wisconsin. While the state does a good job with responding to and investigating cyberattacks, there is room for improvement when it comes to proactively preventing cyberattacks, experts said.
Mike Wyatt, Deloitte’s cybersecurity leader for state, local and higher education, noted the FBI identified cyber crime cost Wisconsin about $160 million of the roughly $16.6 billion in losses across the country.
But the state could work to improve its outlook by working toward a whole of state model where municipal, county and state governments collaborate and share data.
“From a policy perspective, whole-of-state is absolutely critical and needs to be top of mind,” Wyatt said. “Legislators in New York, Oregon, Iowa, Texas and a number of other states have established cross-government cyber policies with common standards, shared funding and statewide training. A robust, scalable approach that Wisconsin may wish to consider.”
Deficiencies in state law also make it harder for investigators to track down cyber criminals, Department of Justice Special Agent Drew Schoeneck said.
“A lot of those crimes are considered misdemeanors, and if you have a really bad hacker that just attempts to do something and actually doesn’t get all the way in, it might not even be considered a crime,” he said.
Schoeneck also said Wisconsin has a loose definition of cryptocurrency, which makes it difficult to seize criminal assets sometimes, and current law makes it difficult to quickly and easily obtain information on IP addresses of suspected criminals.
Wisconsin, like everywhere else nowadays, is also vulnerable to cyberattackers using AI to glean as much information as possible from public reports and meetings, Trevor Johnson, head of Google’s midwest division for state and local government, said.
“There were references [earlier in the hearing] to using AI in order to read some of the Legislative Audit Bureau reports,” he said. “Unfortunately, malicious actors will also use AI to read those reports and understand, ‘Where might I be able to find a nugget that will help me get into this particular system.’ They’re using it for research. They can even use AI on top of videos or recordings of sessions such as this one; understand what things might be said that might give me a vector to get at some information.”
And while companies such as Google, Microsoft and others have created safeguards to block malicious actors from prompting AI to create a piece of code to penetrate a system, those malicious actors are also always working on ways to circumvent the safeguards, Johnson added.
Unifying all the different IT systems used across the state and using AI to help summarize potential threats and abnormalities was one of Johnson’s three recommendations to reduce cybersecurity risks. His second was to periodically check within IT systems to make sure nobody is logged into the system who isn’t supposed to be.
“I know the state is on a journey such as this already, but really being able to understand, how do we not just worry about the moat and the outside of our castle, but how do we continually have checks within our castle to make sure the people that are here, the people that are in our systems, are the people who are supposed to be in the systems, he said.
His third recommendation was “focusing on getting proactive training and ensuring that everybody has the right information in their hands and the actions for how to use it in order to truly bolster the state of Wisconsin from a cyber security posture.”
Watch the hearing here.