Governments urged to get back to basics to stay ahead of cybersecurity threats

Global cybercrime costs are expected to reach US$10.5 trillion annually by 2025, up from US$3 trillion in 2015. Government institutions are a common target for cybercriminals and state-sponsored actors, presenting an ever-growing risk to their systems and assets.
On a recent Global Government Forum webinar, expert panellists from the US federal government, the United Nations and the private sector discussed how they are working to improve cybersecurity as well as services for users.
Paul Selby, deputy chief information officer and chief information security officer in the US Department of Energy’s Office of the Chief Information Officer, gave a frank appraisal of the situation today. Despite industry and governments talking about cybersecurity for many years, he said: “Honestly, if we were to do an objective assessment, I think we’d have to give ourselves very poor marks for where we actually are in cybersecurity.”
“We have more work to do, those of us who are responsible for the cybersecurity of our collective organisations,” he added.
While technologies such as artificial intelligence present new risks and mitigation opportunities, Selby stressed the need for organisations to focus on the fundamentals. “It’s really the basic cyber hygiene that I think we need to do a better job on,” he said, pointing out that too many applications still don’t include multi-factor authentication, data encryption or data at rest, for example.
A foundational approach is essential in an organisation as complex as the Department of Energy, which has over 125,000 employees, 17 national laboratories, 37 field and site offices, four manufacturing sites, and delivers electricity to 37 of the 50 states.
“It has a huge mission range,” said Selby, and this also translates to managing cybersecurity, which must cover everything from highly confidential information on nuclear programmes through to open science initiatives focused on sharing.
Earlier this year, the department launched its cybersecurity strategy, based on the five-pillar national strategy released by the Biden administration in March 2023. These pillars are: defend critical infrastructure – such as the national grid in the energy department’s case; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
Selby highlighted the importance of security by design at a time when the public often is not aware of the topic in detail or the appropriate steps to take. Many people still use the same password for many accounts and services, for instance.
“One of the principles of the administration’s National Security Strategy is to take the responsibility for cybersecurity out of the end users’ hands and put it into [those of] organisations that are much more capable of dealing with this,” he commented.
He added that like-minded countries need to work together on cybersecurity “because the threat really is global”.
A global developmental challenge
Yu Ping Chan, head of digital partnerships and engagement at the United Nations Development Programme (UNDP), echoed this call for collaboration and highlighted the needs of less developed countries that may not be as well equipped to tackle cybersecurity issues.
“We see cybersecurity as a developmental challenge, not just a cybersecurity or technical challenge in and of itself,” Chan said. “Cybersecurity is also important on the global stage, not just for individual countries.”
UNDP believes that a focus on people and individuals is key to supporting developing countries. Chan noted that 85% of data breaches involve human error, for instance, and that cyber breaches have an inherently human impact. Many countries UNDP works with are also working on ‘cyber hygiene’ but often they face major cybersecurity skills challenges among both policymakers and citizens. There are obstacles too with disseminating information to rural areas and overcoming language barriers and lack of internet access in some places.
The UNDP is working with the International Telecommunications Union (ITU) on helping countries develop cyber capacity and capabilities.
“We’ve actually been in discussions with parts of the US government about funding this programme, where we’re looking to intervene in countries to really identify what is needed in terms of addressing the cybersecurity capacity gaps, as well as standing up basic protection,” Chan said.
Zero trust
Ryan Zacha, principal solutions architect at Booz Allen, emphasised that cybersecurity, system performance and mission enablement are not inherently conflicting goals. He highlighted that modern solutions can enhance security while simultaneously improving functionality and integrating zero trust capabilities.
A zero trust approach assumes that no user, device or system, whether inside or outside an organisation’s network, is trustworthy by default, and access is granted based on verification.
In July, a White House memo directed federal agencies to review and align budget requests with the national cyber strategy and implementation plan and ordered them to submit updated zero trust implementation plans.
“That’s a big part of building by design and by default,” said Zacha. “It’s more important than ever to onboard and optimise capabilities and solutions that embody the secure by design and by default principles.”
Booz Allen supports over 80% of the civilian federal government through direct and indirect contracts and Zacha noted successes such as helping to implement new capabilities and sunsetting antiquated architectures, policies and processes.
The organisation is also upgrading its own systems to better support customers. This includes the adoption of Secure Access Service Edge (SASE) solutions as they evolve towards Trusted Internet Connections 3.0 architectures.
“Those greatly benefit service delivery to the federal workforce through lower latency prioritised traffic routing,” said Zacha.
In implementation programmes Booz Allen has applied DevSecOps (development, security and operations) to support “mission critical” applications and systems such as healthcare.gov and Department of Defense data platforms.
“These are really good examples of building cyber by design – as [early] as possible in that design process to really bring those things forward.”
Keeping an eye on AI
Jason Ralph, director of the Security Operations Center in the US Department of Labor’s Office of the Chief Information Officer (OCIO), said the department’s mission is “to foster, promote and develop the welfare of wage earners, job seekers and retirees of the United States”.
The OCIO has “a huge IT infrastructure powering that mission” including application services, client engagement activities and infrastructure services. The team provides IT solutions for 27 agencies and around 15,000 staff.
OCIO’s Cybersecurity Directorate is split into divisions that each focus on a key area: Cybersecurity Governance, Cybersecurity Authorization and Security Operations Center.
In terms of new tools and techniques, Ralph pointed to examples such as artificial intelligence and zero trust. He cited AI use cases such as transcription, automated data population and customer chatbots but flagged risks too.
“I need to have some defending mechanisms across my cyber footprint to make sure that these AIs are doing what they’re supposed to be doing,” he said.
The department is adopting a zero trust framework in line with the administration’s executive orders on security. It has also deployed a Security Service Edge.
It’s about “getting away from that traditional network security and extending that protection across the enterprise,” Ralph said.
Other cyber initiatives include authentication enhancements, data encryption and log ingest improvements, and ongoing work to combat phishing.
An evolving threat
The speakers emphasised that while cyber threats have remained constant, technologies and techniques are evolving, benefiting both defenders and attackers.
AI can offer automated cybersecurity responses while keeping humans in the loop for critical decisions, for example.
Meanwhile, tools like generative AI are being used to make phishing attacks more sophisticated. Attackers are also adopting new strategies like ‘living off the land’ by passively residing within networks. Additionally, quantum computing represents a looming threat as adversaries may collect data now to decrypt it in the future.
Chan noted that many of these threats could be exacerbated due to weak infrastructure in developing countries, reiterating the global responsibility for national security efforts to look beyond borders.
As Zacha put it: “The ‘water rises lift all boats’ approach is probably a great way to look at [this]. As we increase cybersecurity spending focus across the global environment, that helps security around the globe in all ways so everybody sees second, third, fourth order effects.”
Replay the full webinar: Building cybersecurity by design and default.