HARRISBURG — A pair of recent cyberattacks on Pennsylvania’s digital infrastructure — including one on the Municipal Water Authority of Aliquippa — set off alarm bells in the state Legislature and were cited repeatedly in a hearing at the Capitol on Wednesday.
The Nov. 25 attack at Aliquippa “vividly highlights the importance of cybersecurity and the existence of hidden risks in both our public and private facilities,” said University of Pittsburgh assistant professor Mai Abdelhakim in testimony to two legislative committees.
The attack was carried out by a terrorist group tied to the Iranian government, according to the FBI. Ms. Abdelhakim said a federal review indicated hackers gained access by exploiting weak or default passwords and an internet connection. The second attack — whose damaging effects were still being cleared up this week — crippled part of the 9-1-1 system in Bucks County.
The general message to lawmakers from two panels of witnesses was that cyber threats are numerous, require constant vigilance and need more attention from state government.
The city of Reading’s digital infrastructure includes 15 different locations, 550 users, and firewalls, Information Technology Division Manager Ken Cochran said. The firewalls, he said, get “at least a thousand pokes a day from the outside.”
Mr. Cochran, who testified on behalf of the Pennsylvania Municipal League, said Reading has added an intrusion detection system, a system to record all Windows event logs, multi-factor authentication, email filtering and other measures.
But, he said, there is little information exchanged between municipalities and authorities about cyber threats or attacks they have endured. Without an understanding of what happened in Aliquippa and Bucks County, he said, it is “hard for us to learn and adjust.”
Brian Rengert, deputy director of government relations for the Pennsylvania Association of Township Supervisors, said 88% of all cybersecurity breaches involve human error, and the state should be preparing for an attack.
“One click is all it takes,” Mr. Rengert said.
Several lawmakers on the Senate Local Government and Communications & Technology committees laid out their general feelings. Sen. Kristin Phillips-Hill, R-York, said she wants to see the creation of a cybersecurity committee to “get everyone on the same page.”
Federal sources, she said, have indicated that for every FBI staffer who is working on cybersecurity, the Chinese government has 50 people “trying to hack into everything we are doing.”
Sen. Tracy Pennycuick, R-Montgomery, said it was “kind of embarrassing” that the state distributes only an average of $37,000 per county for cybersecurity. “I have a big concern with that number. I think it should be a lot higher,” Ms. Pennycuick said.
Sen. Jarrett Coleman, R-Lehigh, felt otherwise. He questioned the concept of having taxpayers in one part of the state finance cybersecurity in another part of the state.
Ways should be found to solve the problem, Mr. Coleman said, other than to “look at the general fund as a piggybank.”
Ford Turner: fturner@post-gazette.com
First Published: January 31, 2024, 11:05 p.m.
Updated: February 1, 2024, 6:19 p.m.