All organizations must be on high alert in order to defend against cyberattacks but, recently, one particular sector has seen a spike in cyber threats: local government agencies.
These operations are often small with limited resources, and are therefore less prepared to defend the valuable data they collect, store and manage for services such as critical infrastructure, healthcare, taxation and more – making them a prime target for cyber criminals. The personally identifiable information (PII) of citizens, including Social Security numbers, payment card information, full names, addresses and beyond is essentially waiting to be pilfered, and government agencies must consider the citizen impact if the integrity of this data is unreliable. However, there are certain steps local government agencies can take to better protect themselves – practical, cost-effective approaches they can take to increase their security posture.
Many government agencies are tasked with providing new technology and services to citizens as quickly and efficiently as possible for a plethora of functions such as paying for parking tickets online, paying taxes or even managing motorist services and licenses. However, most government entities are faced with limited IT resources, and internal personnel may not have the expertise to operate new technology efficiently, let alone ensure its security. Therefore, most of the workload gets exported to third parties. That said, not all third-party contractors are created equal when it comes to security. For a government agency, the strength of cybersecurity is only as good as the security of the contractors they select, and many don’t leverage advanced (and therefore more expensive) tools available, thereby introducing additional risk. Nation-state-backed hackers, as well as other malicious actors, will therefore target these limited government entities either directly or through their third-party partners to steal citizens’ PII, plant ransomware on the network or even install credit-card-skimming malware.
Another key factor contributing to the rise of attacks on local government agencies is the commoditization of attack techniques. Ransomware is far from new, but the way it is being packaged up and shared in the hacker community for quick, easy and highly successful deployment is a growing trend. Hackers are using more sophisticated attack methods and are sharing their knowledge readily with others, leading to more and less-sophisticated cyber criminals who have the tools and know-how to successfully steal data and wreak havoc. Ransomware is also growing in popularity because attackers know government agencies are highly likely to pay, their cyber-attack recovery readiness is often low, and because the alternative – denial of government services – is unacceptable.
Let’s look at a few specific examples of local government agencies suffering attacks:
Recently, the National Capital Region Threat Intelligence Consortium Cyber Center assessed that a new ransomware campaign is actively targeting government networks within the United States. The latest victim of the malware is the city of Baltimore; the attack affected services such as employees’ emails and online utility bill payment services.
This was also not the first time that Baltimore suffered a cyberattack. In 2018, the metropolis experienced a cyberattack that knocked its 911 and 311 systems offline, forcing dispatchers to take manual notes on emergency calls for multiple days. The inability to defend critical public services from cyber attacks can quickly turn into disaster for any city and lead to several terrible scenarios including civil unrest and riots.
Near the end of last year, hackers compromised a vulnerability in Click2Gov, a web payment portal used to pay for utilities, permits, parking tickets and more, with payment-card-skimming malware. Cities hit with this specific attack (including Midwest City, Okla., Bozeman, Mont., Bakersfield, Calif., Medford, Ore., and Topeka, Kan.) saw their citizens’ credit card numbers, expiration dates, verification numbers, names and home addresses exposed. In this example, it’s clear how a third party can help government agencies deliver more services for citizens, but at the same time add additional risk that makes the impact even greater when a breach occurs. Unfortunately, this also demonstrates how third parties with low cybersecurity readiness can increase the risk of government agencies’ systems being breached in the first place.
At the end of the day, these incidents reflect how government agencies, and some third-party government contractors, have either poor contractual security oversight, weak monitoring, poor systems and vulnerability management, or weak security architectures – all of which result in the denial of critical citizen services and identity exposure risks to taxpayers. These events also raise the question of whether Click2Gov or the city of Baltimore had controls in place to prevent its systems from being compromised in the first place, if the entities ever tested those controls, or if the organizations relied on users who obtained access to internal systems not to engage in ill-natured activity.
To combat these growing threats and correct current weaknesses, local government agencies should take the following steps to strengthen their security posture:
- Invest in the right people. Even managing third-party tech vendors requires a decent amount of technical know-how. A local agency may not have the budget to hire a full team of tech/security experts, but they must maintain some level of internal expertise. The investment in security must be both appropriate and well-managed as the government business model is migrating to technologically derived services.
- Adopt adequate asset management. Organizations must have an accurate inventory of all of their assets, including all data. Simply put, you can’t protect what you don’t know you have.
- Organizations must get their core controls right. They also must not get distracted with higher order security investments until they are confident that the basics of core preventative and detective controls such as asset patch vulnerability, identity and access, as well as network security, are as solid as possible.
- Adopt basic security best practices. Over and over again we see data breaches occur due to simple mistakes. Government agencies should first focus on frameworks like the top 20 Critical Security Controls, and perform thorough testing to make sure their implementation is working as it should.
- Test defenses. By implementing continuous validation of security controls, government agencies can find and fix vulnerabilities in real time, before adversaries have the chance to exploit weaknesses and cause a potential exposure of data.
The complexity of security is an outcome of the complexity of technology used today. Without a continuous testing approach, organizations run the risk of falling short of their own security expectations. Server misconfigurations or efficacy failure, outsourced provider mishandling or unrealized environmental changes can all affect security posture.
Insecure software development by third parties and insufficient use of security best practices from government entities creates a significant shared risk for all parties involved, including citizens. Government agencies must invest intelligently in their own cybersecurity controls based upon real and emerging threats as the exposure and misuse of citizens’ PII can harm all parties in the long run. These agencies should also ensure that the third parties they engage with are up to date with their solutions as well. From there, all parties involved must comprehensively validate the cyber readiness of their security controls to make sure all applications and systems can withstand a cyberattack. A government organization must hold itself accountable for securing its citizens’ data and finding and correcting holes in its defenses – before an adversary can find and exploit them. Only a continuous testing program can validate that an entity’s cybersecurity investments are performing as expected.