‘User education’ key to prevent ransomware, says state cyber commander

"There’s always that one user who gets the email and wants to click on it," said Maj. Alan Dunn of the Louisiana National Guard. "That’s 85 to 90 percent of your battle."
Members of the Louisiana National Guard cybersecurity team
Members of the Louisiana National Guard cybersecurity team (U.S. Army Cyber Command / Flickr)

The commander of the Louisiana National Guard’s cyber protection unit said Tuesday that the greatest threat to the state-government networks his team is tasked with protecting is that users still unknowingly clicking malicious links that activate attacks like ransomware.

“There’s always that one user who gets the email and wants to click on it,” Maj. Alan Dunn told StateScoop. “I’ve got in-laws who do it.”

Louisiana has been hit hard by ransomware attacks in recent months, including an incident Monday that prompted the state’s Office of Technology Services to temporarily take offline many of the servers powering several agencies. While the National Guard was part of the response to Monday’s incident, Dunn said he was not involved in the OTS-led recovery. But he did recount deploying to one of a handful of school districts that were compromised by a Ryuk attack in late July that prompted Edward to declare a statewide emergency just weeks before the start of the new academic year.

Though Dunn did not specify to which of the 12 affected districts he was dispatched, he said it wasn’t surprising to find that the local administrators he was sent to assist were overwhelmed.


“It was a lot of unknown,” he said. “You get in these networks and these systems administrators, it might be a second duty for them and they might not have a full understanding. There’s a fear of the unknown, not having true network maps or understanding what assets you have. We had to figure it out on the fly.”

Dunn said his team — which consisted of about a dozen Army and Air National Guard members — reconstituted that school district’s network and got vital services back online within 10 days. He said it helped that that district had a cybersecurity insurance policy, which brought in a team from the private-security firm Kroll to conduct a forensic investigation and recover any student data that could’ve been compromised.

National Guard units around the country find themselves playing a growing role in helping state and local governments respond to digital threats, particularly as more states add cyberattacks to the list of potential incidents that can trigger an emergency declaration.

When they first developed cyber, people thought there was no domestic mission for a governor to use a cyber force in a state capacity,” Air Force Joseph Lengyel, the chief of the National Guard Bureau, said at a recent Pentagon briefing. “And now we’re seeing how wrong that could be.”

But much of Dunn’s work protecting Louisiana’s government networks, he said, occurs in a training environment at a cyber range on the campus of Louisiana State University. At the range — which is run by Stephenson Technologies Corporation, a nonprofit spun off from LSU that conducts research-and-development projects for the Defense Department — Dunn’s team is able to simulate attacks against emulated state networks.


In a drill two years ago, Dunn said, representatives of a parish government conducting a hurricane-response exercise were brought into the range and shown how easy it would be for a malicious actor to deface local-government websites with false information.

“It was pretty neat because it opened their eyes to how easy it was,” Dunn said, adding that the parish, which he did not identify, later implemented more security protocols around its web domain.

The Stephenson cyber range uses security-testing hardware called PerfectStorm and an application called BreakingPoint, both manufactured by the network-security firm Ixia, to run its simulations. But the biggest factor in protecting government networks, Dunn said, isn’t technology, but making sure people know not to touch suspicious links or email attachments.

“My thing would be user education, user education, user education,” he said. “It’s users not having the proper education, clicking on the phishing link. That’s 85 to 90 percent of your battle. If people do what they’re supposed to do, you’re going to be secure.”

Latest Podcasts