Around the world, the public sector is a particularly attractive target for cyber attacks, and the risks are numerous. How prepared are government entities to address the volume, velocity, and sophistication of today's threats?
While most military and national intelligence organizations are better prepared to ward off a majority of attacks, many governmental entities are massively unstaffed, underfunded, and unprepared to stave off the standard attacks that target them. Their systems and data are often subjected to resource-constrained security and technology programs that lag in their time to patch/prevent, monitor, detect, and respond to attacks.
The Cisco 2017 Security Capabilities Benchmark Study finds that only 30 percent of the public sector security professionals surveyed say their organizations use penetration testing and endpoint or network forensics tools. In addition, nearly 40 percent of respondents report that of the thousands of alerts they see daily, only 65% are investigated. Of those threats investigated, 32% are identified as legitimate threats, but only 47% of those legitimate threats are eventually remediated.
In an attempt to optimize resources and improve cybersecurity, many governments are moving toward a centralized strategy with a single organization that is responsible for monitoring, assisting with, and sometimes implementing security across civilian public sector agencies. The Department of Homeland Security's (DHS) United States Computer Emergency Readiness Team (US-CERT) and National Cybersecurity and Communications Integration Center (NCCIC) provide this function for the US government. CERT-UK, CERT-EU, and other government CERTs provide similar services and are working toward centralizing security operations and infrastructure. However, implementing and managing a centralized approach in typically decentralized government structures is difficult due to the level of visibility and coordination required. For example:
- Visibility: Identifying and then gaining control of Internet access points across each agency can be scattershot as there will always be some number of "rogue" access points that aren't known or identified.
- Coordination: Most centralized cybersecurity programs are really just an overlay on existing security programs that each agency already operates. There is quite a bit of coordination that needs to occur — for example between DHS and the Department of State in the US — to make sure that the security gaps are filled, that standards are published and enforced, and that communication is open and frequent to address any incidents that are identified for remediation and prevention in the future.
Despite these challenges, governmental organizations are making progress in protecting their digital assets. But given that they are publicly funded entities that exist to support the constituency versus commercial entities that answer to shareholders, the same incentives don't exist to quickly and effectively implement security programs. Governmental entities are measured by "mission success" often tracked over years, whereas in the private sector the highly visible metrics of growth and profit, tracked on a quarterly basis, are at stake. With the potential for a next generation of attacks aimed at government pension funds, treasuries, and social program agencies, public sector bodies must do more, faster to achieve adequate cybersecurity. They need more robust security programs with greater ability to prevent, monitor, detect, and respond to threats that target them.
Establishing security programs that at least implement the basics of the CIS Critical Security Controls will remove most of the risk and deflect the large majority of attacks. For example, the latest ransomware attacks (WannaCry and Petya) could have been avoided if organizations had just followed the fourth critical control of vulnerability assessment and remediation: patching. So many groups overlook these basics, yet they require little, if any, additional funding to implement.
A lack of skilled security personnel can also hamper security programs. If that's the case, automation (a capability that any security solution can provide) and outsourcing can help. Turning on auto-update capabilities for applications and systems can reduce the burden on security teams and make patching more timely. Public sector organizations should also continue to adopt outsourcing strategies to help close the talent gap. The previously cited Cisco report finds that over 40% of public sector organizations fully or partially outsource services such as monitoring and audits. Of those organizations that outsource security services, roughly half cite unbiased insight, cost efficiency, and timely incident response as the top reasons for doing so.
Given the digital information and infrastructure at stake, governments should always strive to keep up with the commercial market and how it approaches its security programs. Even baseline measures that require only minimal funding and retooling can go a long way toward answering the question "Is your cybersecurity adequate?" with a resounding "Yes!"