By Adam Berry

The U.S. military is used to fighting battles on the land and sea and in the air.

But now, there’s a new battleground – in space. Cyberspace.

So when the Indiana National Guard prepares for natural and man-made disasters, you can bet they call in an ample supply of cybersecurity firepower. This summer, officials from the Indiana National Guard and state of Indiana conducted two drills to prepare for disasters and layered into the plan a new, higher level of cybersecurity.

That’s because an emerging – and troubling – trend is creating the need to change the emergency preparedness playbook.

Cyber criminals are copying the way traditional scammers follow storms and get vulnerable people to pay cash for cleanup, only to abscond with the money and doing no real work.

Cyber criminals have begun to follow natural disasters too, but their targets are often water and power supply operations, hospitals and other critical operations – hitting them with cyber ransom attacks when they are most vulnerable.

Unlike the hackers of old, these bad guys aren’t necessarily after a data heist. Hackers today want to highjack an online system and hold it hostage until a hefty – often six- or seven-figure – ransom is paid. Ransom attacks have increased 400% this year over last year, and a whopping 800% since the onset of the pandemic, according to the FBI.

And the price to get untangled from these attacks is escalating as fast. A ransomware attack on Baltimore in 2019, for example, cost the city $18.2 million.

The ransomware threat is so concerning, the Indiana National Guard has tapped Indianapolis-based cyber security firm Pondurance to help conduct disaster drills that layer on cyber threats.

“We’re seeing more initiative by these bad actors to exploit these opportunities,” says Ron Pelletier, founder and chief customer officer at Pondurance.

“They come in while people and entities are already under duress and distracted,” adds Pelletier, an appointed member of the Indiana Executive Council on Cybersecurity (IECC). “It happened recently during the freezing conditions in Texas and created some real havoc. It’s becoming more and more prevalent as bad actors become more enterprising. We have to take steps to be prepared.”

The IECC was created in 2016 by then Governor Mike Pence to do just that. Governor Eric Holcomb moved to continue the IECC in 2018.

Many of the efforts to bolster Indiana’s cybersecurity started in early 2015, says Chetrice Mosley-Romero, cybersecurity program director at the Indiana Office of Technology and Indiana Department of Homeland Security. “It dawned on state officials that in a real, true cybersecurity emergency we will need a collaborative approach across agencies and organizations.”

Since the IECC’s creation, Indiana’s position in the world of cybersecurity has changed dramatically. It’s essentially gone from one of the worst U.S. states in terms of cybersecurity preparedness to one of the best.

While pleased with this turn of events, Mosley-Romero remains humble. She knows that blowing the trumpet too loudly on the state’s fortification could make it a target for hackers looking to prove their chops.

Mosley-Romero can keep her trumpet put away. The National Governors Association is taking care of that. The organization recently rated Indiana as one of the top five U.S. states in terms of cybersecurity preparedness. That’s quite a change from where the state was just a few years ago.

That ranking, Mosley-Romero explains, is “due to our collaboration, and the fact that we rely on our partnerships for implementation. We were at the bottom before we had the IECC. The things we’ve done at a policy level and with some of our private sector partners is what’s led to our success going from the bottom tier to the top.”

The IECC not only brought on Pondurance, which is doing its part for free, it’s also enlisted the likes of Citizens Energy Group and IU Health among others. The IECC is also reaching out to work with as many local municipalities around the state as possible. “We’re trying to demystify cybersecurity,” Mosley-Romero says. “We have to make this comprehendible to local communities. We have to connect this to something they care about. By doing that, we can get to baselines across counties.”

This comprehensive approach means “we’re not just hitting the breadth of cybersecurity; we’re hitting the depth too. We have the most comprehensive approach of any other state, and we didn’t have that before the formation of the IECC.”

Part of that comprehensive approach is training drills.

Officials for the state and the Indiana National Guard hosted two cyber exercises last month in partnership with several federal agencies, health care providers, technology companies, water utility service providers, local government officials, and state and federal emergency and law enforcement agencies.

Pelletier hopes disaster drills, such as these two will raise awareness among policy makers to help fund security programs and protocols.

“National, state and community security is truly at risk here, and we need to take action now to preserve it,” he states. “Waiting for the dam to burst before you repair it is a terrible maintenance strategy, and that’s exactly the situation we have here across power grids, water supplies, healthcare, you name it.”

The first drill was a “tabletop” or virtual exercise that simulated a cyberattack on water system during the July 4 weekend. Holidays are a common time for cybercriminals to hit.

Following the tabletop exercise, a full-scale functional exercise was hosted by the Indiana National Guard for first responders and several military branches as well as search and rescue teams at the Muscatatuck Urban Training Center in southern Indiana.

More than 500 soldiers, airmen and civilian emergency responders from across the state for three days exercised Indiana’s response to a catastrophic earthquake and the ensuing chaos, including cyberattacks.

“When natural disasters hit all parts of the world, we are seeing more and more targeted cyberattacks in those affected areas,” Pelletier says. “Investing now in preventative measures is the best way to avoid situations like that from becoming worse.”

The drills, while perhaps the most visible of what the IECC is involved in, are just the tip of the iceberg. The organization has 121 objectives and 69 deliverables, and has completed 80% of those, Mosley-Romero says.

The state’s overall cybersecurity approach is so unique, Mosley-Romero says she fields a constant stream of calls from other states wanting to hear what Indiana is doing for cybersecurity preparedness. “I’ve talked to dozens of states,” she says.

Mosley-Romero stresses that the state isn’t holding anything back.

“Our approach to working with other states is like our approach to working with cities and towns across Indiana,” she says. “We’re all connected, and you’re only as strong as your weakest link. The more we collaborate, the better for everyone.”

Adam H. Berry is vice president of economic development and technology at the Indiana Chamber of Commerce. He joined the organization in 2019.