Access denied: how governments can boost public servants’ cybersecurity skills

Growing geopolitical tensions and increasingly sophisticated organised crime groups have contributed to a rise in cyber threats and breaches. At a Global Government Forum webinar, experts from the UK, Italy, Slovak Republic and the US discussed how to ensure officials have the training and skills they need to recognise and head off risks.
As more and more public services move online, the need for cybersecurity skills becomes ever more pressing for governments, which must work both to recruit people with the capabilities needed to keep crucial national systems secure and ensure that all staff have the skills and understanding required to keep citizens’ data safe.
During a Global Government Forum webinar held last month, public sector experts from four countries shared the current context around cybersecurity, and discussed why eliminating threats is a whole-of-business effort, the switch from a reactive to a proactive approach, and the importance of international cooperation.
In his opening comments, Ian McCormack, deputy director for government cyber resilience at the UK National Cyber Security Centre (NCSC), offered his reflections on and context around the current cyber threat.
When people think about the cyber threat, they typically delineate between state and non-state threats, “the former principally being Russia, China, Iran and North Korea and the latter typically being cybercrime, which is usually motivated by profit”. This, he said, is “a bit of a crude characterisation, and there’s clearly a blurry boundary between them”.
It’s easy to fixate on the threat from nation states but, in his judgement, the greatest harm to organisations is often caused by cybercrime, and in particular ransomware.
In the past year, the NCSC has handled a number of “really high impact” ransomware incidents across a number of sectors and “the true number of incidents will be much higher than the ones that we’ve handled… so it’s a really, really significant threat”.
Ransomware ramps up
The ecosystem around ransomware has continued to evolve and become “incredibly sophisticated”, he said, and criminal groups are ramping up pressure to attain payment through techniques such as double extortion – where the adversary not only denies access to data but threatens to leak that data, which is now becoming routine – and leak-only extortion.

As for state threats, McCormack said the increasingly unstable geopolitical situation is changing how we need to consider cyber resilience. “We need to ensure that the nation’s critical infrastructure, the services we rely on, are resilient to those emergent threats” but also that “we’re resilient to the spillover of some of the cyber instances”.
Giving an example, he said it’s “entirely possible” that Russian-deployed malware against Ukrainian targets could spill over and “that’s something that I think we all need to be concerned about”.
There is also potential for the “proliferation of advanced cyber tools to a broader variety of organisations whether that be states or crime groups”.
Attacks on supply chains are also becoming more common and, as McCormack pointed out, “cyber attacks against third party organisations can have a massive impact on you and your organisation, and that can be really difficult to manage because a lot of the levers may be outside of your control”.
The final trend he highlighted is the targeting of individuals and their personal online service use, including examples of spear-phishing techniques used by Russia and Iran.
Upping cyber literacy among board members, and protecting the supply chain
What all this means for training, McCormack said, is that “long gone” are the days when organisations had a cyber team solely responsible for cybersecurity – now, it is a “whole of business effort” involving operations, the communications team, the legal team and board members.
“All of these people absolutely need to be cyber literate, they need to understand how cyber will affect their responsibilities in that kind of a scenario [an attack on the supply chain], and be prepared for it. Because the very last thing you want to be having to do is trying to upskill your board members with cybersecurity in the middle of a fast paced incident.”
As for pre-emptive and defensive cybersecurity, ideally that would be embedded in the supply chain, and here procurement professionals can be critical. McCormack said contract clauses for security can be difficult to manage, but when it comes to the consumption of commodity technologies “we need to evaluate a standard offer and understand the security dimension to it”. When procuring design capabilities, organisations need to ensure that these are secure by design, which requires a certain degree of knowledge from engineers and product leads.
Equipping executives with the skills and understanding to identify personal attacks when using consumer-based service offerings is another dimension.
“What I’m doing here is painting a picture that cyber skills isn’t just about cyber people, it needs a whole ecosystem approach that spans right across your organisation from the executives to the specialists in all sorts of domains,” he said.
Focus on effective communication
Next, Matej Šalmík, director of the training, awareness, cooperation and support centre at the Slovak Republic’s National Cyber Security Centre (SK-CERT), explained that education of public sector professionals is highlighted as a key component in the country’s national cybersecurity strategy.

“Public servants have a great responsibility and accountability in providing critical services to citizens and that means they have to be aware of cybersecurity threats and new information on the topic.”
He explained that the Slovak Republic has adopted the European Cybersecurity Skills Framework, which will become a legal obligation for the operators of certain essential services by January 2024.
While he described this as a “great shift” in this area, he said “we don’t have practice in implementation” and that an obligation imposed by law can be seen as a “compliance evil” rather than being viewed by public servants, from management level down, as something to be interested in or passionate about.
To increase interest and awareness, both among public servants and the public, Šalmík said there was a need to convey information in a more easily digestible, “human”-like way, for example by providing programmes that incorporate humour.
Foresee an attack, rather than resolve it

Bernardo Palazzi, adviser, skill and competence development at the National Cyber Security Agency of Italy, explained that his agency, having begun work in September 2021, is new. Acknowledging that Italy “started late” in setting up a dedicated cybersecurity unit, certainly in the context of Europe, he said it is learning from other agencies to improve its approach.
The agency’s main task is to help organisations resolve an attack, make the system that’s been infiltrated work again and maintain resiliency. But another of its core goals is to try to prevent cybersecurity breaches rather than to have a reactive approach to attacks, by raising awareness of and knowledge around cybersecurity.
In Italy’s national cybersecurity strategy, there are 14 objectives dedicated to raising cybersecurity education and awareness. As such, the agency’s education and training team is very important, Palazzi said. It works to speed up the dissemination of cybersecurity knowledge among the public and private sectors, civil society and academia, including through coordination with universities and other higher education organisations.
Reaching across boundaries
Completing the panel, Lauren Bose Hayes, senior adviser for technology and innovation at the Cybersecurity and Infrastructure Security Agency (CISA) in the US, looked to the future.
“Everyone here today can agree, the stakes in the decade ahead could not be any higher, for not only those of us in the technology and cybersecurity fields but for those of us in government, and across industry, academia and critical infrastructure,” she said, adding that events in the past few years have “brought this reality into sharp relief”.
The balance of power in global governance and the future of global economic competitiveness would be “significantly shaped by what we do today… Today’s decisions on investment and prioritisation of cybersecurity will lay the foundation for the future of our organisations, our communities, our nations and our global ecosystem”.

Picking up on McCormack’s earlier point about the complex and evolving threat environment and targeting of critical infrastructure, she said “we need to reach across traditional boundaries by deepening the ties across sectors, across borders. And we’re going to be able to unify our collective defence and foster a cyber ecosystem that gives the advantage back to the network defenders only through these types of partnerships”.
CISA, she said, is working to grow its ongoing collaboration with the global community.
“While over the past few years, I’m sure everyone can agree that it’s felt like we’ve just been sort of putting out fire after fire after fire, we also know that we need to address the long term risks. And if we’re always just putting out today’s fires, then we’re never going to be able to get ahead of them.”
CISA is dealing with the pressing incidents of today while working towards a more cyber resilient technology ecosystem. Among the pillars of its strategic focus on resiliency are ensuring technology is secure and trusted by design, accountability by CEOs and board directors “as cybersecurity moves into a new era of corporate cyber responsibility”, and greater investment in raising public awareness of threats and online security choices.
“Finally, we know that we need a cultural shift that promotes deep and unfettered collaboration between companies and government to ensure we collectively move faster than our adversaries. We know that public-private partnerships have been a term in use for decades at this point. And what we really are seeking to understand is how do we make that practical, real and accessible, such that we really feel like we’re operating from one team,” she said.
After the panellists gave their opening comments, they took questions from the audience. Watch the webinar to find out more about:
- How countries are sharing best practice in cybersecurity skills and training and learning from one another
- How governments can gauge cybersecurity capabilities among their workforces and start to build a strategy for filling the gaps
- The approaches to educating executives and board members that panellists have found most effective
- The challenges of recruiting people with the cybersecurity skills governments need
- Raising awareness about cybersecurity in schools so people have basic skills when they enter the workforce
The webinar ‘Safety in numbers: making sure all public servants have the cybersecurity skills they need’ was hosted by Global Government Forum and took place on 19 October 2023. You can watch the webinar in full here.