Cyberthreats Change and Challenge Governments
Attackers grow more sophisticated in complex public sector environments.
- by Mike Chapple
- Assistant professor of computer applications at the University of Notre Dame | April 26, 2018
Recent investments in cybersecurity by government agencies have been driven by the rapidly changing threat environment. Attackers are increasing their focus on government targets; technology environments are becoming more complex and prone to vulnerabilities; and attack tools are becoming more sophisticated and difficult to detect.
Governments and agencies manage most modern threats with a holistic, enterprise approach to cybersecurity, but legacy technology and slow adoption of modern IT solutions — some because of funding and acquisition considerations — complicate the effort to secure data and systems. Malware, advanced persistent threats, the Internet of Things and legacy technology are just some of the dangers agencies must protect against.
New Spin on an Old Threat
Malicious software, or malware, is perhaps the oldest cybersecurity threat, with viruses and worms tracing their roots back to the 1980s. The authors of malware keep pace with improvements in security technologies, and in an ongoing cat-and-mouse game, go to great lengths to keep a foothold in upgraded operating systems and applications by developing stealthier and more effective malware.
Some malware authors focus on compromising numerous systems, regardless of their owner or purpose. For example, CoinMiner malware infects systems via malicious code embedded in online advertising and then uses the purloined computing capacity to mine bitcoin or other cryptocurrencies. Similarly, the Kovter Trojan infects systems via malicious email attachments and then generates advertising revenue via click fraud schemes. These unfocused malware attacks are a nuisance to agency IT staff who must rebuild infected systems.
Other malware, however, has more focused purposes and can be dangerous on government computer systems. NanoCore, for example, is a remote access Trojan that allows hackers to gain complete control of infected systems, where they can then either steal sensitive information or use the system as a jumping-off point for attacks on the rest of the network.
Ransomware is a specific type of malware that poses a significant threat. After ransomware infects a target system, it uses strong cryptography to encrypt the contents with a secret key. If the victim wishes to decrypt the information and regain access, he or she must pay a ransom to the attacker. Recent ransomware outbreaks, such as WannaCry and Petya, found victims at all levels of government, ranging from Britain’s National Health Service to local law enforcement agencies across the United States.
Government agencies are often the targets of extremely talented attackers and well-funded attacks known as advanced persistent threats. These attackers, typically sponsored by nation-states, are quite patient and focus on very specific targets. Once they gain access, they operate with stealthy techniques, placing a high priority on avoiding detection. During the 2015 Office of Personnel Management breach, attackers believed to be associated with the Chinese government operated within the agency’s network undetected for more than a year, stealing massive quantities of sensitive personnel information. In 2018, the U.S. government accused Iran’s Mabna Institute of conducting a four-year-long attack in at least 20 countries against hundreds of universities and dozens of government agencies, including the U.S. Labor Department, the Federal Energy Regulatory Commission and the states of Hawaii and Indiana.
The intelligence community believes that during the 2016 U.S. election cycle, APT attackers associated with the Russian government gained access to computer servers belonging to the Democratic National Committee and used the information gained to discredit the Hillary Clinton presidential campaign. Researchers also believe that Russian operatives successfully targeted and scanned voting systems used by many states.
Guarding at the Edge
State and local governments are embracing Internet of Things sensors and devices to enable smart city initiatives, improve their agencies’ environmental efficiency and increase public safety. Similar initiatives in the federal government also promise to dramatically improve the quality of service provided to residents, but all these projects come fraught with new cybersecurity risks.
In 2013, hackers linked to the Iranian government compromised command-and-control systems supporting a small dam in Rye, N.Y. They were unable to take physical control of the dam only because an important control cable had been disconnected for troubleshooting purposes. This attack, however, points out critical deficiencies in IoT security measures — including an increased reliance on cellular networks, which are more visible to would-be attackers and often less protected — and a focus on targeting IoT systems by state-sponsored attackers.
Keep Up with the Times
One often-overlooked threat to cybersecurity comes in the form of legacy systems, which were designed to operate in a completely different threat and technical environment. Their lack of modern cybersecurity controls provides hackers with an easy path into government networks. Agency technology staff should search all systems for outdated hardware and software that may require upgrading or replacement.
As agencies seek to replace legacy technology, they also often undertake digital transformation initiatives that upgrade and enhance technologies. Recent examples of these initiatives include the Next Generation 911 and FirstNet programs, which are designed to enhance public safety communications efforts nationwide.
Insider Threats Also Pose a Problem
While cybersecurity teams often focus on the ominous threats posed by external and foreign attackers, risk often comes from within. Employees with legitimate access to agency systems may misuse that access for financial gain, to satisfy their own curiosity or to engage in industrial or foreign espionage.
In 2017, three employees from the inspector general’s office at the Department of Homeland Security were accused of stealing an agency computer system containing personal information on more than 246,000 DHS employees. Their motivation was not identity theft; instead, they were searching for test data they could use to develop their own version of an agency case management system, which they could market to other government agencies.
Not all insider breaches are malicious, however. The state of Kansas revealed the last four digits of Social Security numbers for thousands of state employees and candidates for office on the secretary of state’s website. It also gave Social Security numbers for about a thousand voters to the state of Florida as part of an effort to cut down on voter fraud; those numbers also became public.
To learn how federal, state and local governments can address the growing threats they face, read the CDW white paper, “Managing Cyber Risks in a Public Sector Environment.”