Summary: More pertinently, why are these agencies not doing enough to protect sensitive data? Two experts offer their views.

In network security we talk about ‘attack surfaces’—the term for the total set of points or vectors through which an attacker could try to enter a computing environment.

As government organizations at the federal, state, county, and municipal levels become increasingly digital, their attack surfaces grow, and with them their exposure to all kinds of cyberattacks.

The main reasons for this high level of vulnerability are inadequate IT security spending on new equipment and staff training, combined with overly bureaucratic processes that together make it very difficult for these organizations to keep up with the pace of digital evolution.

This, in turn, puts mission-critical public services and operational technology such as court systems, municipal utilities, bill payment services, traffic control, power grids, and voter registration at serious risk of disruption.

Public agencies store and process reams of personally identifiable information (PII), not to mention top-secret national security details. At the same time, even ‘small’ governments can be huge, slow-moving bureaucracies running a mix of emerging technologies on top of a massive, highly vulnerable, entrenched legacy infrastructure. Together these factors present a perfect storm for the modern hacker.

Furthermore, with the pandemic now affecting just about every aspect of life, many government employees are working from home, which significantly increases the risk of compromise: home networks and personal devices sit outside the agency’s monitored perimeter. Consequently, data breaches and data exfiltration, malware incursions, phishing attacks, and ransomware attempts are on the rise.

Governments are soft targets

Hackers love attacking the online services of government agencies because they are often ‘soft’ targets: weakly defended, inadequately monitored, and poorly maintained.

But the biggest reason to attack government agencies is that the financial rewards for successful attempts can be huge or, in the case of hostile state actors, invaluable in political cyber warfare.
Given how easy and valuable these targets are, it is no surprise that the frequency of attacks is escalating.

Phishing illustrates the point. Every sector of the economy is susceptible to it, and phishing emails often carry malware as attachments, which in turn leads to data exfiltration and ransomware. The biggest problem with phishing is that the technique works surprisingly well: Verizon’s 2019 Data Breach Investigations Report found that an astounding 32% of confirmed data breaches involved phishing.

Ransoming a government

Of all hacking techniques seen “in the wild,” the use of ransomware—malware that encrypts data and demands payment, usually in a cryptocurrency such as Bitcoin—has grown incredibly fast, particularly against government agencies.

One study by an anti-malware vendor found that more than 100 cities across the United States suffered ransomware attacks in 2019, and a key issue in preventing ransomware attacks is staff training. However, a recent IBM-Harris survey found that only 38% of state and local government employees had received ransomware prevention training. Three recent examples of successful ransomware attacks are:

  1. In early May 2019, hackers succeeded in executing a ransomware attack on the City of Baltimore, taking down the city’s voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations, and delaying 1,500 pending home sales. The demand: 13 Bitcoins, or about US$102,000. As of August 2019, it was estimated that the attack had cost the city over US$18,200,000.
  2. In August 2019, 22 towns in Texas fell victim to ransomware attacks that were believed to be the work of a single actor. The attacker essentially shut down all information technology services in the towns and demanded a US$2.5 million ransom.
  3. Following a ransomware attack on December 13, 2019, the City of New Orleans declared a state of emergency. The cost to the city was reported to be US$4,200,000, although other sources have claimed that the cost was at least US$7,000,000.

Government data breaches

All government agencies hold huge amounts of data: vast stores of PII on citizens, as well as comprehensive and often highly sensitive commercial company data. Verizon’s 2019 Data Breach Investigations Report found that 16% of breaches were in the public sector (excluding healthcare); separately, the average cost of a public-sector data breach in 2018 was put at US$2.3 million, or about US$75 per record.

Verizon found that espionage was a key driver of government data breaches, being the motive in 66% of public-sector breaches in 2019. In addition, ‘state-affiliated actors’ have been the leading external cause of public-sector data breaches and data exfiltration each year since 2017; in 2019 they accounted for 79% of breaches involving external actors.

The list of government data breaches over the last couple of decades is long, but here are a few examples to give some perspective on the scale of recent breaches, whether the data was exfiltrated by hacking or exposed through poor data security:

  • U.S. Postal Service (DC): 60,000,000 records in 2018
  • Office of Personnel Management (DC): 21,500,000 records in 2015
  • California Secretary of State (CA): 19,200,000 records in 2017
  • Government Payment Service, Inc. (IN): 14,000,000 records in 2018
  • Georgia Secretary of State (GA): 6,000,000 records in 2015
  • Office of Child Support Enforcement (WA): 5,000,000 records in 2016
  • Office of Personnel Management (DC): 4,200,000 records in 2015
  • U.S. Postal Service (DC): 3,650,000 records in 2014
  • Los Angeles County 211 (CA): 3,200,000 records in 2018
  • Washington Department of Fish and Wildlife (WA): 2,435,452 records in 2016

Defending the territory

The US Federal Government’s Office of Management and Budget (OMB) Federal Cybersecurity Risk Determination Report and Action Plan (2018) concluded that 71 of the 96 agencies studied (74%) were either “at risk” or at “high risk.” The plan outlined four key findings:

  • Limited situational awareness
  • Lack of standardized IT capabilities
  • Limited network visibility
  • Lack of accountability for managing risks

While training, up-to-date patching, and other basic security measures all bolster government agency defenses, the lack of network visibility is arguably the finding most easily and quickly addressed.

Two strategic technologies that vastly improve network visibility are TLS encryption (still commonly called SSL) to secure all communications, and TLS inspection, decrypting traffic at a trusted inspection point, to detect data exfiltration as well as phishing, ransomware, and malware payloads. Inspection carries a cost of its own: the inspecting proxy terminates sessions using a private CA that every managed endpoint must trust, so the proxy and its signing key become a high-value target and need to be protected and monitored at least as well as the systems they watch, and sensitive traffic categories are normally exempted from decryption.