Cybersecurity Weaknesses and Government IT Systems

As government operations become increasingly digital, cybersecurity threats are a more important issue than ever before. Local governments and federal agencies are appealing targets for cybercriminals, and their size and complexity create many challenges when it comes to keeping their IT systems secure. To properly secure their systems, agencies should first understand the types of threats local and federal government agencies commonly face.

Common Cybersecurity Weaknesses

According to the GAO, the most common cybersecurity incidents encountered in the United States in 2021 were:

• Compromised business email
• Data breaches
• Denial of service attacks
• Ransomware

The attack vectors used to achieve these breaches varied from exploiting vulnerabilities or misconfigured systems to targeting the human element through phishing or social engineering. Between 2016 and 2021, the number of email breaches increased from 12,005 to 19,954. Ransomware attacks increased from 2,673 to 3,729. The destructive nature of ransomware attacks, which can lock organizations out of critical files and systems, makes their increasing prevalence particularly concerning. Regular backups can mitigate the damage of ransomware attacks, but even with such precautions, cyberattacks can be quite disruptive.

While unpatched systems and zero-day vulnerabilities are still common attack vectors, low-tech attacks that target the human element to bypass security are also commonplace.

Similar Weaknesses Between the Private Sector and Public Sector

Public sector organizations can learn a lot from the private sector. Private sector companies have some advantages when it comes to being more agile and able to experiment with new technologies. This agility gives them more freedom to test new technologies but also means they’re a proving ground for those technologies, as well as the first to encounter any cyberattacks targeting them.

Some common security issues private sector companies are dealing with today include:

• Insecure networks and communications channels
• Internet of Things endpoints
• A lack of training for staff
• Outdated software
• Unknown bugs and untested software

The sensitive nature of data handled by government agencies makes them less likely to be running new, relatively unproven software. However, IoT technologies, such as web-connected printers or tracking devices used in supply chains, are becoming more widespread, and health care organizations or other agencies using these technologies should secure them.

Insecure communication channels can also be an area of concern for public sector IT managers. While official policy may be to use only approved solutions, individual departments may be tempted to deviate from policies and implement their own solutions for convenience. While well-intentioned, these solutions create dark endpoints that are unknown to IT leaders and introduce new weaknesses that could impact the wider network.

Combating Cybersecurity Weaknesses

Since 2010, the GAO has made 712 recommendations to government agencies. As of 2022, around 21% of those recommendations had yet to be implemented. Until federal agencies address all of these reported issues, their infrastructure will remain vulnerable and their ability to defend themselves against cyber incidents will be limited.

The GAO report listed the Cybersecurity and Infrastructure Security Agency’s responsibilities as covering five key areas:

• Securing federal agencies’ information and information systems
• Coordinating national efforts to protect against critical infrastructure risks
• Coordinating with federal and non-federal partners (including international ones)
• Responding to requests from owners of critical infrastructure and offering assistance where needed
• Carrying out emergency communications responsibilities under existing laws

CISA’s responsibility is to work with those who own or maintain critical infrastructure to ensure that infrastructure is robust and secure. By lending expertise to government organizations, CISA can help those organizations improve their defenses against cyberattacks and their incident response plans. CISA recommends security improvements covering several key areas with the goal of moving toward a zero trust security architecture:

• Identity management
• Device management
• Network security
• Data security
• Applications
• Workloads

Cybersecurity policies are only as strong as their weakest links. In smaller organizations, the weak link in mitigating cyber threats may be network or application security. In organizations with a more robust approach to IT management, the weak link is more likely to be human error: employees who take a lax approach to security, use weak passwords, disable multi-factor authentication (MFA) or two-factor authentication (2FA), or bring external devices onto the network.

While we’ve focused on securing data and systems so far, it’s also important to consider what data is being gathered. It’s impossible to guarantee that breaches will not happen. Even the most robust security policies can fail due to a zero-day vulnerability in well-known and trusted software. Before deploying facial recognition tools or gathering additional data on users, you should think carefully about whether the data is necessary and, if it is necessary, how long it should be stored.

This is particularly relevant with the growth of AI technologies. These new systems show a lot of promise, but the data sets they’re trained on may have inherent biases. Taking a privacy-first approach to data collection could reduce the damage caused by any data breaches.
