Government information systems are of considerable concern to the welfare of the country. With significant breaches including the U.S. Voter Database, National Archives and Records Administration, and Office of Personnel Management (OPM) over the past decade – not to mention many breaches at the state and local level – I think it’s safe to say that the public has moved beyond surprise when a new attack hits the news.
I, along with so many people I know, was intimately affected by the OPM breach, and it goes without saying how a compromise of voting records and technology could affect the nation. Because of these concerns, I tend to view cybersecurity research with keen interest in how the government stacks up against other industries. While our 2018 Nuix Black Report research carried several reasons for concern, I think it also shows that there’s cause for cautious optimism, but we still have a long way to go.
Gone in 15 Hours
According to our respondents – hackers, penetration testers, and incident responders – who all answered our questions anonymously, they are more often than not capable of breaching their target, locating critical value data, and exfiltrating it in under 15 hours.
You read that correctly, but I’ll reiterate. If a determined attacker decides they want your critical value data – whatever that term means to your organization – at 7 a.m., they’ll most likely have it by 10 p.m. the same day. As many industry-standard reports tell us, breached organizations normally don’t detect a breach for anywhere from 200 to 300 days. That’s an awfully long time to go without acting, especially when the nation’s security is potentially at stake.
Bad, But Not All Bad
In a word, this situation is unacceptable, yet it persists. The reasons for this are manifold and require a complete shift in the way we defend our critical systems and data. As I read through the results, however, I began to wonder how our respondents felt about attacking the government compared with, for example, retail organizations. This was one of the differences between our 2018 research and what we produced in our inaugural report – a breakdown of responses by industry.
What we found was encouraging. Consider the responses to the following questions:
- How long does it take to breach the perimeter, identify critical value data, and exfiltrate that data?
  - Percent who said they could do so to specified targets in under 15 hours:
    - Federal government: 53 percent
    - State/municipal government: 54 percent
    - Retail: 63 percent
    - Food and beverage: 66 percent
- How long on average does it take you to breach the perimeter of your target?
  - Percent who said they could breach the specified targets in under 10 hours:
    - Federal government: 62 percent
    - State/municipal government: 70 percent
    - Retail: 85 percent
    - Hospitals/healthcare: 78 percent
The second question covers only the first stage of the first (breaching the perimeter, before locating and exfiltrating data), but in both cases government targets fare better than the other industries listed: fewer respondents said they could get in, or get in and out, within the stated time. The report has a full breakdown of the results across 16 different target categories, which yield further insights.
These numbers bear scrutiny. Why are government targets more difficult to breach and steal information from? Are they “doing security” better than the other industries? That might be the case, and there’s evidence in the form of the 2017 Personal Data Notification and Protection Act proposal that the federal government, at least, is starting to take a more serious view of cybersecurity.
Hoping for a Brighter Day
Until we start seeing a continued, positive trend where breaches get harder for criminals to pull off, and a shrinking gap between successful attacks and detection, I’d hesitate to say that we’re completely on the right path. There’s too much evidence to the contrary still, but at least we see a faint glimmer of hope in the numbers.
Unfortunately, there is no silver bullet to make that change a reality. It will take work, dedication, technology, and money combined to realize the necessary changes and break through the storm clouds that cover the cybersecurity horizon. I believe listening to the people on the front lines – the hackers and incident responders – who work on both sides of the fence is an important step forward. Their influence, when combined with traditional industry research, gives us a better chance of focusing our attention on the right areas.
Hopefully someday we’re writing another article and talking about how attackers need days and weeks to break into our systems, and detection is happening before they make off with our critical data. It won’t happen overnight, but it could become reality if we truly listen and dedicate ourselves to making it happen.