COVID-19 Exploited by Malicious Cyber Actors (Massachusetts State Police)

Emma North-Best filed this request with the Massachusetts State Police of Massachusetts.
Multi Request COVID-19 Exploited by Malicious Cyber Actors
Status
Completed

Communications

From: Emma North-Best


To Whom It May Concern:

Pursuant to the Massachusetts Public Records Law, I hereby request the following records:

* Records mentioning, describing or generated in response to CISA Alert AA20-099A, FBI/IC3 Alert I-032020-PSA, or the CDC alert titled "COVID-19-Related Phone Scams and Phishing Attacks"
* Records mentioning, describing or generated in response to COVID-19 related phishing attempts, such as those described in the CDC alert, FBI/IC3 Alert I-032020-PSA and CISA Alert AA20-099A
* Records mentioning, describing or generated in response to fake CDC emails, such as those described in FBI/IC3 Alert I-032020-PSA
* Records mentioning, describing or generated in response to APT groups using the COVID-19 pandemic as part of their cyber operations, such as those described in CISA Alert AA20-099A
* Records mentioning, describing, or generated as part of or in response to the assessment that the above activities' "goals and targets are consistent with long-standing priorities such as espionage and “hack-and-leak” operations", as described in CISA Alert AA20-099A

I am a member of the news media and request classification as such. I have previously written about the government and its activities, with some reaching over 100,000 readers in outlets such as Gizmodo, MuckRock, Motherboard, Property of the People, Unicorn Riot, and The Outline, among others. As such, I have a reasonable expectation of publication and my editorial and writing skills are well established. In addition, I discuss and comment on the files online and make them available through non-profits such as the library Internet Archive and the journalist non-profit MuckRock, disseminating them to a large audience. While my research is not limited to this, a great deal of it, including this, focuses on the activities and attitudes of the government itself. As such, it is not necessary for me to demonstrate the relevance of this particular subject in advance.

As my primary purpose is to inform about government activities by reporting on it and making the raw data available, I request that fees be waived.

I also request that, if appropriate, fees be waived as we believe this request is in the public interest, as suggested but not stipulated by the recommendations of the Massachusetts Supervisor of Public Records. The requested documents will be made available to the general public free of charge as part of the public information service at MuckRock.com, processed by a representative of the news media/press and is made in the process of news gathering and not for commercial usage.

I expect the request to be filled in an accessible format, including for screen readers, which provide text-to-speech for persons unable to read print. Files that are not accessible to screen readers include, for example, .pdf image files as well as physical documents.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 10 business days, as the statute requires.

Sincerely,

Emma Best

  • FBI20Sees20Rise20in20Fraud20Schemes20Related20to20the20Coronavirus20COVID-1920Pande.pdf

  • COVID-1920Exploited20by20Malicious20Cyber20Actors207C20CISA.pdf

  • COVID-19-Related20Phone20Scams20and20Phishing20Attacks207C20CDC20Online20Newsroom207.pdf

From: Massachusetts State Police

Dear Emma Best,

The Department of State Police (“Department”) has received your request for the following:

* Records mentioning, describing or generated in response to CISA Alert AA20-099A, FBI/IC3 Alert I-032020-PSA, or the CDC alert titled "COVID-19-Related Phone Scams and Phishing Attacks"
* Records mentioning, describing or generated in response to COVID-19 related phishing attempts, such as those described in the CDC alert, FBI/IC3 Alert I-032020-PSA and CISA Alert AA20-099A
* Records mentioning, describing or generated in response to fake CDC emails, such as those described in FBI/IC3 Alert I-032020-PSA
* Records mentioning, describing or generated in response to APT groups using the COVID-19 pandemic as part of their cyber operations, such as those described in CISA Alert AA20-099A
* Records mentioning, describing, or generated as part of or in response to the assessment that the above activities' "goals and targets are consistent with long-standing priorities such as espionage and “hack-and-leak” operations", as described in CISA Alert AA20-099A

Based upon the information you have provided and your request, the Department conducted a search of its emails and attachments from March 1, 2020, to April 23, 2020, involving Department members. The Department located the following items responsive to your request:

(1) Email #1 dated Thursday, March 26, 2020, from Scott Range to Jeanne Benincasa. The email includes the following attachments: CFC MCP Coronavirus Cyber Attacks, CFC MCP COVID 19 Online Crimes and Scams, CFC MCP Ransomware Overview, CFC MCP Cyber Bulletin Phishing Attacks, and CFC Massachusetts Cybersecurity Program Overview.

The Department has provided you with an unredacted copy of the email.

The Department is denying your request to all five (5) attachments in their entirety pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f). Pursuant to G.L. c. 4, §7, cl. 26 (n), the Department can withhold “records, including, but not limited to, blueprints, plans, policies, procedures and schematic drawings, which relate to internal layout and structural elements, security measures, emergency preparedness, threat or vulnerability assessments, or any other records relating to the security or safety of persons or buildings, structures, facilities, utilities, transportation, cyber security or other infrastructure located within the commonwealth, the disclosure of which, in the reasonable judgment of the record custodian, subject to review by the supervisor of public records under subsection (c) of section 10 of chapter 66, is likely to jeopardize public safety or cyber security.”

With respect to all five (5) attachments, the Department denies your request because the records relate to security measures, emergency preparedness, threat and vulnerability assessments, and to the security or safety of persons or buildings, structures, facilities, utilities, transportation, cyber security, or other infrastructure located within the Commonwealth. Specifically, the five (5) attachments involve measures taken by the Commonwealth’s cybersecurity program. The information contained in the email attachments identifies threat assessments to cyber security, vulnerabilities to cyber security, and discusses protective measures to combat such threats and vulnerabilities. The threat assessments identify critical infrastructure that could be affected by a breach of cyber security. This information is shared throughout the Commonwealth to various law enforcement agencies, to other state agencies, to specific private actors, and to federal law enforcement agencies throughout the nation. The information is shared with the above entities to identify and combat threats and vulnerabilities related to cyber security, emergency preparedness, and security measures. Members of the public are not provided with the information.

In the reasonable judgement of the Department's record custodian, releasing such records would likely jeopardize public safety or cyber security of the Commonwealth and the nation. Releasing the email attachments to the public would give terrorists and other bad actors the ability to identify threats and vulnerabilities to cyber security and be apprised of the Commonwealth’s response to combat such threats and vulnerabilities. Such information could lead to a Cyberattack by a terrorist. A Cyberattack can maliciously disable computers, steal data of a state agency, or use a breached computer to launch future attacks. The data that could potentially be stolen includes financial data, personal privacy and medical data, security plans of buildings throughout the Commonwealth, and information pertaining to on-going criminal investigations. Such information in the hands of a terrorist is extremely dangerous to cyber security and the security of all state agencies, buildings, and members of the public. Therefore, for the above stated reasons, the Department denies your request to the five (5) attachments in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n).

Furthermore, the Department denies your request to all five (5) attachments pursuant to G.L. c. 4, §7, cl. 26 (f). Under the exemption, the Department can withhold records pertaining to “investigatory materials necessarily compiled out of public view by law enforcement or other investigatory officials that disclosure of which materials would probably so prejudice the possibility of effective law enforcement that such disclosure would not be in the public interest.” The policy considerations underlying the exemption are well settled. Among them “avoidance of premature disclosure of the Commonwealth’s case prior to trial, the prevention of the disclosure of confidential investigative techniques, procedures, or sources of information, the encouragement of individual citizens to come forward and speak freely with police concerning matters under investigation, and the creation of initiative that police officers might be completely candid in recording their observations, hypotheses and interim conclusions”. See, Bougas v. Chief of Police, 371 Mass. 59, 62 (1976).

The Department asserts that the five (5) attachments are all investigatory materials utilized to identify threat and vulnerabilities assessments to cyber security throughout the Commonwealth and the nation. Withholding the materials prevents the disclosure of confidential investigative techniques, procedures, or sources of information. It would not be in the best interest of the public to release records identifying threats to cyber security and methods to combat such threats throughout the Commonwealth. If released, terrorists would be able to get a hold of this information and plan an attack to our cybersecurity system in the Commonwealth. Disclosing such confidential techniques, procedures and the sources of information relied upon to identify and develop methods to combat cyber security throughout the Commonwealth would not be in the public interest. The public interest has an interest in protecting their private information, in preventing cybersecurity attacks, and to protect the infrastructure throughout the Commonwealth. Therefore, for the above stated reasons, the Department also denies your request pursuant to G.L. c. 4, §7, cl. 26 (f).

(2) Email #2 dated March 27, 2020 from Anthony Stevens to Carol Fitzgerald. The email includes the following attachments that are responsive to your request: COVID-19 Cyber Threat and Disinformation.
a. The Department has provided you with an unredacted copy of the email.
b. The Department has withheld the email attachment in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as described above in item #1. Furthermore, this document was created by the Boston Regional Intelligence Center. You may submit a request to that agency for this record. Please see https://bpdnews.com/public-records-request

(3) Email #3 dated 3-26-20, from Brian Gavioli to Daniel Coleman. The Department has redacted the personal cell phone numbers of an identifiable person pursuant to G.L. c. 4, §7, cl. 26 (c), the privacy exemption. The Department redacted the entire content in the forwarded email which includes the withholding of pages 2-9 in its entirety. The Department also redacted the personal email address of the private actor who sent the email which may lead to identifying the content of the email and redacted a portion of the subject line which may lead to identifying the source of the information. This information was redacted pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the reasons as set forth below:

The statutory language for exemptions (n) and (f) are set forth above in item 1. The redacted information relates to security measures, emergency preparedness, threat and vulnerability assessments, and to the security or safety of persons or buildings, structures, facilities, utilities, transportation, cyber security, or other infrastructure located within the Commonwealth. Specifically, the redactions involve information provided to the Commonwealth’s cybersecurity program to develop measures to combat threats and vulnerabilities in cyber security related issues. The threat assessments identify critical infrastructure that could be affected by a breach of cyber security. This information is shared throughout the Commonwealth to various law enforcement agencies, to other state agencies, to specific private actors, and to federal law enforcement agencies throughout the nation. The information withheld is used to develop strategies to combat threat assessments, vulnerabilities, emergency preparedness, and security measures.

In the reasonable judgement of the Department's record custodian, releasing such records would likely jeopardize public safety or cyber security of the Commonwealth and the nation. Releasing the information to the public would give terrorists the ability to identify the threats and vulnerability information the Commonwealth relies upon to develop a response to combat cyber security issues. Such information could lead terrorists to develop strategies and new methods to engage in cyberattacks. A Cyberattack can maliciously disable computers, steal data of a state agency, or use a breached computer to launch future attacks. The data that could potentially be stolen includes financial data, personal privacy and medical data, security plans of buildings throughout the Commonwealth, and information pertaining to on-going criminal investigations. Such information in the hands of a terrorist is extremely dangerous to cyber security and the security of all state agencies, buildings, and members of the public. Therefore, for the above stated reasons, the Department denies your request to the redaction information in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n).

(4) Email #4 dated March 13, 2020, from John Warren has been provided to you. The Department redacted the cell phone number of an identifiable person pursuant to G.L. c. 4, §7, cl. 26 (c), the privacy exemption. The information contained in this email is also located publicly at https://www.us-cert.gov/ncas/alerts/aa20-073a

(5) Email #5 dated March 19, 2020 from Amy Thibault to Eleanor Smith. The email includes the following attachments that are responsive to your request: CFC MCP Election Awareness and MCP Monthly Open Source Review February 2020.
a. The Department has provided you with an unredacted copy of the email and a copy of the MCP Monthly Open Source Review February 2020 attachment.
b. The Department has withheld the CFC MCP Election Awareness attachment in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as described above in item #1.

(6) Emails #6 dated March 19, 2020 from Eleanor Smith to Kristin Wilczynski, email #7 dated March 19, 2020 from Amy Thibault to Scott Range. The email includes the same attachments as described above in item #5 that is responsive to your request. The Department has provided you with an unredacted copy of the emails and the same attachment as described above in item #5, MCP Monthly Open Source Review February 2020 attachment. The Department has withheld the same attachment as described above in item #5, CFC MCP Election Awareness attachment, in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as described above in item #5.

(7) Email #8 dated March 18, 2020 from John Merto to Scott Range. The Department redacted the sender’s name, title, organization name, phone number, and organizational links in the email. The Department located the Educate Your Workforce on COVID-19 and Phishing attachment that is responsive to your request which has been withheld in its entirety. The redaction information in the email and the attachment, in its entirety, have been withheld pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as described above in item #3.

(8) Email #9 dated March 25, 2020, from Jason Macomber, to Jason Macomber. An unredacted copy of the email has been provided to you.

(9) Email #10 dated March 27, 2020, from Scott Range, to Jeanne Benincasa. The email includes the following attachments that are responsive to your request: CFC MSP Coronavirus Cyber Attacks and CFC MCP COVID 19 Online Crimes and Scams.
a. The Department has provided you with an unredacted copy of the email.
b. The Department has withheld both email attachments in its entirety pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as described above in item #1.

(10) Email #11 dated March 13, 2020, from Commonwealth CISO, to Keith Paquette. The Department has provided you with a copy of the email. The Department has redacted an identifiable person's mobile phone number pursuant to G.L. c. 4, §7, cl. 26 (c), the privacy exemption.

(11) Email #12 dated March 25, 2020, from Scott Range, to Brian Gavioli, email #13 dated March 26, 2020, from Daniel Coleman, to Brian Gavioli, email #14 dated March 26, 2020, from Brian Gavioli, to Daniel Coleman. Email list includes attachment CFC MSP Best Practices Bulletin. The email contains a conversation between department members discussing how to create the attached bulletin to combat threats and vulnerabilities to cyber security in the Commonwealth. The members are referencing and referring to various sources of information relied upon to access threat and vulnerabilities in cyber security in drafting the attached bulletin. The emails and bulletin contain the same information as discussed in items 1 and 2 above. The Department is denying your request to all the emails in its entirety and the attachment pursuant to G.L. c. 4, §7, cl. 26 (n), and G.L. c. 4, §7, cl. 26 (f) for the same reasons as discussed in items #1 and #2 above. The Department asserts that any non-exempt portions of the requested records are inextricably intertwined with exempt portions and, given the amount of exempt information contained in the records they “…will be so heavily redacted…that the records would be rendered functionally useless to [any requestor].” See Mead Data Cent., Inc. v. United States Dep't of the Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977); see also SPR13/144.

If you wish to challenge any aspect of this response, you may appeal to the Supervisor of Public Records following the procedure set forth in 950 C.M.R. 32.08, a copy of which is available at http://www.mass.gov/courts/case-legal-res/law-lib/laws-by-source/cmr/. You may also file a civil action in accordance with M.G.L. c. 66, § 10A.

Sincerely,

Keith A. Paquette
Legal Counsel
Massachusetts State Police
470 Worcester Road
Framingham, MA 01702
Tel:(508)-820-2348
