Cybersecurity for Government Agencies: Threats, Risks, and Best Practices

Government agencies and the public sector have a unique position in the cyber threat landscape: An attack on a government agency can have far-reaching impacts on society, causing critical information services and citizen-facing digital government to fail. The geopolitical landscape, internal tensions, hacktivists, and financially motivated cybercriminals are all potential malicious threat actors targeting the government. Hence, the government is one of the top three most attacked sectors.

SolarWinds: How Government Agencies Were Injected with Malicious Code

The SolarWinds attack of 2020 affected multiple US government agencies, along with other sectors. The attack focused on a SolarWinds solution called Orion, which the federal government uses to monitor network activity and manage network devices. Hackers infiltrated SolarWinds using an authentication bypass vulnerability in the platform. This allowed the attackers to inject malicious code into the Orion platform. When a government agency updated the Orion platform, the malicious code came with it, infecting government networks with spyware.

The malicious software could spy on sensitive information across government agencies, including Homeland Security. The breach is believed to have been the work of Russian state-sponsored hackers.

Top Cybersecurity Threats to Government Agencies

Attackers use various cyberattack techniques to infiltrate government agencies, causing data breaches, shutting down critical infrastructure, and extorting money. However, it isn't just cybercriminals creating security holes in the fabric of government. The Data Breach Investigations Report (DBIR) found human error to be one of the top threats to the security of government and the public sector:

Human error

[Figure: Top Error Varieties in Public Sector Breaches. Source: DBIR]

A simple misdelivery of an email containing sensitive information can lead to significant data exposure. Misconfiguration is another error that can lead to sensitive data leaks. An authorized developer's modification error within the payroll system at the Interior Department is believed to have exposed the sensitive data of 147,000 citizens.

External and internal threats to the security of government infrastructure result in a variety of cyberattack types, including the following:

Data Breaches

Government agencies hold vast troves of sensitive and government-verified data, such as identity document details. Cybercriminals can use these data to create verified identities and commit fraud. The Verizon Data Breach Investigation Report (DBIR) says: "This industry continues to be plagued by sophisticated attackers looking to gain access to the trove of data collected by governments about their constituents. Though the majority of breaches were from External actors, a significant number were from Internal actors making simple mistakes".

DDoS Attacks

The role of government covers many aspects of life, including citizen-facing websites that allow individuals to interact and transact with government agencies. Distributed Denial of Service (DDoS) attacks are used to disrupt and shut down such web services. Dozens of state government websites were disabled in a DDoS attack believed to have been carried out by the Russian hacking gang Killnet. Elections are another essential area of democracy that external, often state-sponsored, sources have threatened; the FBI and CISA have issued warnings about increasing DDoS attacks on election infrastructure.

Ransomware

Government agencies are custodians of critical data infrastructure needed to maintain citizen services. Ransomware is an ideal way to disrupt that infrastructure and hold a government agency to ransom. According to Comparitech, in a five-year period, 525 ransomware attacks were carried out against US government agencies, costing an estimated $1.09 billion in downtime. The average ransom over those years has reached $2.3 million.

Supply Chain Attacks

The SolarWinds attack mentioned earlier is an example of a supply chain attack: cybercriminals exploit a weakness somewhere in the chain of suppliers to reach government agencies. Supply chain attacks targeting government suppliers are commonplace. US Treasury supply chain identity vendor BeyondTrust was a recent target; Chinese state-sponsored attackers exploited a zero-day vulnerability involving an API key used by BeyondTrust, potentially allowing unauthorized access. In this case, BeyondTrust was able to identify the unusual activity and mitigate the attack.

Citizen Identity Vulnerabilities and AI-Powered Synthetic Identity

Government agencies manage a rich source of personally identifiable information (PII) and identity documents that can be legitimately used to create verified identities. However, these data can also be used to create fake identities for fraud purposes. They can be found on dark marketplaces and used to create forged ID documents, often using deepfake apps.

Also, governments worldwide are developing digital ID wallets for citizens. These wallets, unless properly secured, are likely to open up new opportunities for cybercriminals to exploit. Identity trojans, like bank trojans, are likely consequences of poorly secured digital identity wallets. Once compromised, the citizen's ID wallet will come under the control of the cybercriminal, who can use it to commit fraud.

Cybersecurity Challenges in Government Agencies

Government agencies have many unique challenges that make them vulnerable to attack. Government agencies must uphold a secure, privacy-enhanced, and reliable front as custodians of citizen data and services. However, they are at risk from the following:

  • Geopolitical tensions and state-sponsored hackers: State and local governments are at risk because they are seen as easy targets. Often, the public sector has tight budgets, leading to a lack of skilled security staff. Legacy applications can also cause issues with poor interoperability and outdated architecture, causing security gaps.
  • Vast store of citizen and business PII and other data: Managing voluminous data is always challenging. However, this data is often highly valuable as it is government-verified and issued, i.e., identity documents like passports and business registration details. If these legitimized documents are exposed, they could be used in identity theft and fraud.
  • Deception at scale: Government agencies have a broad reach across the entire demographic of a country. This allows cybercriminals to deceive at scale by using trusted government websites. Attackers will infect government domains with malware to cause widespread infections. Alternatively, government trust will become a basis for phishing attacks on citizens, and departments like the IRS are spoofed to trick individuals into paying fake tax demands to fraudsters.

Regulations Affecting Government Agencies

Government agencies must implement multiple layers of security measures to ensure a defense-in-depth approach to securing their infrastructure and citizen data. Agencies must follow a security and privacy by design ethos and consider both the positive and negative aspects of emerging technologies like AI. The following regulations and frameworks apply:

  • Privacy Act of 1974: This long-standing privacy act affects federal agencies. The act covers the "collection, maintenance, use, and dissemination of information about individuals maintained in systems of records by federal agencies."
  • The Federal Information Security Modernization Act of 2014 (FISMA): This act requires that each federal agency must "develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency…" The act also extends to contractors and other third-party sources.
  • The E-Government Act of 2002: The privacy provisions of the act require that all federal agencies carry out privacy impact assessments (PIAs) for new or changed technology that involves data sharing.
  • NIST Cybersecurity Framework (NIST CSF): The CSF is a framework that provides guidelines for managing security risk.
  • Federal Risk and Authorization Management Program (FedRAMP): Applies to all cloud services used by US federal agencies. Suppliers must meet security requirements to mitigate the risk of data breaches and cyber threats.

Mitigating Cybersecurity Risks: Best Practices

Government agencies must implement multiple layers of security measures to ensure that they have a defense-in-depth approach to securing their infrastructure and citizen data. Agencies must follow a security and privacy by design ethos and take emerging technologies, like AI, into account.

Robust Citizen Identity Management

Citizen ID schemes (including digital wallets) are at risk from various cyberattacks, including phishing, social engineering, identity theft tactics, and system vulnerabilities. Citizen ID systems must be built using the principles of security and privacy by design: Measures must include web security, phishing-resistant MFA, and other anti-phishing measures like risk-based authentication. Account monitoring should be implemented to identify any unusual account activity that could signal a cyberattack.
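The account monitoring the paragraph above calls for can be illustrated with a small detector. The following is an added example, not code from the original article or any vendor it names: it runs over a constructed set of login events for a hypothetical citizen portal and raises two kinds of alert, a run of failed logins followed by a success (credential guessing that finally worked) and a successful login from a country the account has never used before. The thresholds, field names, and sample events are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events for a hypothetical citizen portal (not real data).
# Each event: ISO timestamp, account name, source IP, geolocated country, success flag.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "ip": "203.0.113.10", "country": "US", "ok": True},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "ip": "203.0.113.10", "country": "US", "ok": True},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:00:20", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:00:40", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:01:00", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:01:20", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:01:30", "user": "bob", "ip": "198.51.100.7", "country": "US", "ok": True},
    {"ts": "2024-05-01T10:00:00", "user": "alice", "ip": "192.0.2.44", "country": "BR", "ok": True},
]

# Assumed detection thresholds: five or more failures inside a five-minute window
# immediately followed by a success is treated as a successful guessing attack.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)


def analyze(events):
    """Return a list of (user, alert_type, detail) tuples for suspicious activity."""
    alerts = []
    by_user = defaultdict(list)
    # Group events per account in chronological order (ISO strings sort correctly).
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    for user, evs in by_user.items():
        seen_countries = set()   # countries this account has logged in from before
        recent_fail = []         # timestamps of failures inside the sliding window
        for e in evs:
            if not e["ok"]:
                recent_fail.append(e["ts"])
                # Drop failures that have aged out of the window.
                recent_fail = [t for t in recent_fail if e["ts"] - t <= FAIL_WINDOW]
                continue
            # Successful login: check whether it was preceded by a failure burst.
            if len(recent_fail) >= FAIL_THRESHOLD:
                alerts.append((user, "brute_force_then_success", e["ip"]))
            recent_fail = []
            # First-ever login from a new country is worth a second look.
            if seen_countries and e["country"] not in seen_countries:
                alerts.append((user, "new_country_login", e["country"]))
            seen_countries.add(e["country"])
    return alerts


if __name__ == "__main__":
    for user, kind, detail in analyze(EVENTS):
        print(f"ALERT user={user} type={kind} detail={detail}")
```

In a real deployment the events would come from the identity provider's audit log rather than an inline list, and a new-country alert would typically trigger a step-up challenge (the risk-based authentication mentioned above) rather than only a log line.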

Staff IAM

Enterprise identity management must be used for internal employees and non-employees, like contractors.

The deployment of Privileged Access Management (PAM) solutions and identity governance will ensure that robust identity measures, like the principle of least privilege (PoLP) and risk-based authentication, are enforced.

Automated provisioning and de-provisioning are essential to prevent the misuse of privileged access. Identity vendor SailPoint offers tools for government agencies to prevent identity security-related breaches.
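The least-privilege and de-provisioning controls described in the two paragraphs above come down to a reconciliation between the HR system of record and what the directory actually grants. The following is an added example, not SailPoint's or any other vendor's code: it compares a constructed HR roster and a role-to-entitlement policy against the accounts an IAM system currently holds, and reports orphan accounts, leavers who are still enabled, and entitlements outside the person's role. All names, roles, and entitlements are invented for the example.

```python
from datetime import date

# Constructed sample data for a hypothetical agency (not real records).
# HR system of record: who is employed, in what role, and when they left.
HR_ROSTER = {
    "alice": {"status": "active", "role": "payroll_clerk", "end_date": None},
    "bob": {"status": "terminated", "role": "contractor", "end_date": "2024-04-15"},
    "carol": {"status": "active", "role": "helpdesk", "end_date": None},
}

# Least-privilege policy: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_read", "payroll_write"},
    "contractor": {"vpn"},
    "helpdesk": {"ticketing", "password_reset"},
}

# Accounts and entitlements as the directory / IAM system currently has them.
ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {"payroll_read", "payroll_write", "domain_admin"}},
    "bob": {"enabled": True, "entitlements": {"vpn"}},
    "carol": {"enabled": True, "entitlements": {"ticketing"}},
    "svc_legacy": {"enabled": True, "entitlements": {"domain_admin"}},
}


def reconcile(roster, accounts, policy, today):
    """Return a list of (account, finding, detail) tuples describing drift from policy.

    Findings:
      orphan_account      - account exists but HR has no record of the person
      deprovision_overdue - person has left but the account is still enabled
      excess_privilege    - account holds entitlements its role does not allow
    """
    findings = []
    for name, acct in accounts.items():
        person = roster.get(name)
        if person is None:
            findings.append((name, "orphan_account", "no HR record"))
            continue
        if person["status"] != "active" and acct["enabled"]:
            end = date.fromisoformat(person["end_date"])
            findings.append((name, "deprovision_overdue", (today - end).days))
        allowed = policy.get(person["role"], set())
        excess = acct["entitlements"] - allowed
        if excess:
            findings.append((name, "excess_privilege", sorted(excess)))
    return findings


def plan_actions(findings):
    """Turn findings into the remediation an automated de-provisioning job would apply."""
    actions = []
    for name, kind, detail in findings:
        if kind in ("orphan_account", "deprovision_overdue"):
            actions.append(("disable", name))
        elif kind == "excess_privilege":
            for ent in detail:
                actions.append(("revoke", name, ent))
    return actions


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS, date(2024, 5, 1))
    for f in found:
        print("FINDING", f)
    for a in plan_actions(found):
        print("ACTION", a)
```

Running this nightly, with the remediation step gated behind approval for privileged entitlements, is the essence of what identity governance tooling automates; the value is in the comparison against an authoritative source, not in any particular product.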

Enforce Encryption Use

Encryption of data during storage and transfer is an essential feature of a secure data management system.

Anti-Phishing Tools

Phishing is a common technique used to initiate a cyberattack. AI-enabled anti-phishing tools use machine learning, natural language processing (NLP), and behavioral analytics to identify potential phishing threats.

Backup and Restore

Use ransomware-resistant backup and restore solutions to reduce the impact of a ransomware attack.

Security Awareness Training

Government employees must go through security awareness training and ideally phishing simulations to learn how to identify potential phishing and social engineering attacks. They must also be educated on the importance of vigilance to prevent accidental data exposure.

Dark Web Monitoring

Cybercriminals often turn to the dark web for intelligence on government vulnerabilities. They also use dark web marketplaces to buy and sell citizen and other government data. Tools like Sentinex offer deep insights into the dark web to allow government agencies to detect potential exploits against their infrastructure or the sale of government data.

DDoS Prevention

Government agencies must defend against DDoS and other attacks on web apps using tools like Cloudflare WAF (Web Application Firewall) to detect and stop attacks targeting government online services.

Website Update and Vulnerability Assessment

Regularly assess websites and CRM systems to ensure that they are up to date and that patches have been applied.

Continuous Monitoring of Government Infrastructure

Monitoring tools can detect threats in real time. These tools provide visibility across the entire cloud infrastructure, and many advanced systems use machine learning to identify emerging and zero-day threats.

Regular Risk Assessments and Vulnerability Scans

A government agency's IT ecosystem and supply chain should be regularly assessed. All cloud services should follow the FedRAMP framework.