Cybersecurity working group proposed

HAGÅTÑA (The Guam Daily Post) — Cybersecurity concerns on Guam have perhaps never been more visible to the average resident than they are today, as a number of attacks on local entities made headlines just this year, and published reports have indicated that state-sponsored threat actors have locked their sights on the island, particularly as tensions remain between the U.S. and the People’s Republic of China over Taiwan.

With cyberthreats being an ongoing concern for federal and local authorities in the region, a new measure, Bill 190-37, proposes to create a “Marianas Cyber Security Working Group” to discuss such issues and possibly recommend laws and policies to protect systems and eliminate vulnerabilities.

“In Guam’s case, whether the end goal is data smuggling or interrupting critical communications for the island, our neighbors or allies – the mere fact that as much as 75% or more of information relayed over the internet transitions through one of the island’s undersea cables should be enough reason for our local and federal governments to make and fund drastic improvements of our efforts to combat these bad actors,” Bill 190 stated within its findings and intent.

Vice Speaker Tina Muña Barnes is the legislation’s main sponsor. Barnes serves as the head of the legislative committee overseeing federal and foreign affairs, as well as the Office of Technology.

After the Microsoft Threat Analysis Center published a report in early September, stating in part that multiple China-based groups continue to target the U.S. defense industrial base, with Guam being one of the most frequent targets, Barnes said she would pursue measures to help the government of Guam refocus on capacity building, strategic planning and protection protocols.

Sens. Dwayne San Nicolas, Chris Barnett, Frank Blas Jr., Chris Duenas, Jesse Lujan and William Parkinson serve as co-sponsors to Bill 190.

The cybersecurity working group will consist of representatives from the government and industries, including the governor, the speaker, the chief justice, and leadership at the utilities and other key autonomous agencies, as well as individual representatives for telecommunication companies, bankers and the general business community, who will be appointed by the governor.

The group is to meet monthly and will receive briefings from the Mariana Regional Fusion Center on best practices for cybersecurity measures and the protection of management information systems, according to Bill 190.

“To the extent practicable, the briefing information shall also be disseminated to the general public as a means to assist them in their individual needs to safeguard their own access to various sites on the internet,” the measure stated.

Bill 190 was introduced on Tuesday and, while the measure remains within the legislative process, local and federal officials are proceeding with other cybersecurity-related initiatives.

Conference

On Thursday, the Guam Power Authority and the U.S. Department of Energy began their cybersecurity conference, a two-day event that will include a cyberstrike training exercise from the energy department on Friday, although that event is limited to cybersecurity professionals.

Melvyn Kwek, the chief information technology officer for GPA, said this is the first event in what will perhaps become an annual conference.

“This is great because it helps us focus on (information technology)/(operational technology) security, especially on Guam and for Guam Power (Authority),” Kwek said.

“This might be a yearly event, which would be great for our community because cyber is really critical for us, and we need to get everybody involved, especially in the last year with all the incidents that’s happened on Guam,” Kwek added.

The conference was initiated because the island’s cyber community needs to be more collaborative, according to Kwek.

“It’s not just one person trying to defend everybody else, it’s a community trying to defend against bad actors, and also criminals,” Kwek said.

Cyberattacks

Michael Toecker, a senior technical expert with the energy department, spoke briefly during his presentation Thursday about the annual threat assessment published by the director of national intelligence. The assessment describes the military and cyber capabilities of various U.S. adversaries, including China and North Korea, as well as other worldwide threats to national security.

Toecker also went through the evolution of cyberattack capabilities over the last decade, beginning with the 2015 Ukraine power grid attack.

“This was manual manipulation of (Supervisory Control and Data Acquisition) systems. In other words, they had people with keyboards who went in, right click, open breaker. … If you’re an operator, that’s a really terrifying thing to see. Very low-tech, though,” Toecker said.

He went on to describe increasingly sophisticated cyberattack capabilities over the years, up to the “living off the land” technique that a state-sponsored actor based in China used to target critical U.S. infrastructure, according to a Microsoft report published in May.

“These particular attacks and these particular tactics were specifically built to evade our current commercial IT platforms and commercial cybersecurity platforms. They’re working in a different way, at a different time, in ways that are very difficult to detect. And this is going to require some (research and development), and it’s going to require a lot of collaboration with our industry partners. Because we don’t always have the data necessary by ourselves, and you don’t always have the data by yourselves in order to respond effectively. But together we can,” Toecker said.

Specific examples of cyberattacks or intrusions on Guam include the March attack on Docomo Pacific and the unauthorized access detected by the Guam Memorial Hospital Authority earlier that month.

Guam Economic Development Authority Administrator and CEO Melanie Mendiola said the agency discovered an issue late last year, around Thanksgiving. GEDA was presented with invoices and changed vendor instructions by a vendor, Matrix Design Group.

“We thought it looked in good order but turns out there was a breach either on theirs or our side,” Mendiola said.

The issue was reported to the Federal Bureau of Investigation and is under active investigation, according to Mendiola, who said the event also shined a light on shortcomings in GEDA’s vendor verification process.

She described the event as “a cyberattack that we were vulnerable to” because internal processes were outdated.

Michael Toecker, with the U.S. Department of Energy, gives a presentation at a cybersecurity conference Thursday, Oct. 19, 2023, at the Hyatt Regency Guam in Tumon.
