On the front line: how can governments safeguard against cyberattacks

Cybersecurity breaches risk impacting vital public services, particularly as governments adopt hybrid work models which can leave their networks more fragmented and less secure. During a Rubrik webinar, experts discussed what can be done to maximise protection.
In 2021, a ransomware attack on the Colonial Pipeline, the largest oil pipeline system in the US, forced the main network to cease operations for five days. Shortly after the incident, a senior US official took aim at the “laissez-faire attitude towards cybersecurity” they said had allowed for the attack.
The threat of cyberattacks that aim to bring down critical infrastructure and public services, and which have the potential to cause serious disruption to, and panic among, governments and citizens alike, is on the rise, as are attempts by cyber criminals to steal large swathes of personal data.
Against this backdrop, Rubrik, the Zero Trust Data Security™ Company, brought together three panellists – Glen Hymers, head of the data privacy and compliance team, CDIO directorate, Cabinet Office, UK; Phil Huggins, national CISO for health and social care at NHS England; and Michael Mestrovich, Rubrik’s chief information security officer – to explore how governments can safeguard against future attacks.
Risky business
Demonstrating the scale of the problem, Mestrovich highlighted that cybercrime is on track to be a US$10.5 trillion business by 2025, which would make it the third largest economy on the planet behind the US and China.
The threat of attack is real and serious, and it isn’t just an economic worry either. Mestrovich pointed to research by Rubrik Zero Labs which found that in the UK, 94% of cybersecurity leaders reported “a significant emotional or psychological impact based on cyberattacks”. The main takeaway for governments, he said, is that such attacks affect people, professionally as well as personally, and sometimes deeply, and that in this sense cybersecurity is a humanitarian issue. He implored governments to “step up and defend organisations” as a primary duty of care.
In his opening comments, Hymers attested to the “bleak picture” that Mestrovich had painted.
He said that achieving 100% security is simply impossible, as is striving for 100% security compliance, especially at a time when organisations don’t have the required resources and given that attackers will always seek to stay one step ahead.

He said the organisations that have the best cybersecurity talent will be the most likely to head off attacks, but that this is a sore point for governments, which are struggling to recruit people with the necessary skills.
This ‘cyber gap’ has widened as private firms deploy ample resources to lure and retain the best IT and digital talent. To help close the gap, Hymers said work is going on to “transfer individuals who might be on the ‘wrong side of the fence’” – i.e. ‘black hat’ hackers who aim to break into computer networks with malicious intent – to work instead for government. But he added that the likelihood of doing so successfully was small.
With these challenges in mind, he stressed that what is key for governments is to make it “more difficult [for a cybercriminal or state actor] to attack us than to attack someone else. Let’s not make us an easy target”.
Defending data
During the webinar, Huggins focused on how to protect government data. He reminded the audience that ‘government data’ is in fact citizen data or – in the case of NHS England – patient data, and pointed out that the UK government and others seek and store citizen data to enable them to provide the public services that people need.
“Fundamentally, we need to ensure that we’re not only protecting our systems and protecting our data, but that we are prepared to minimise the impact of anything that occurs. The sooner we can minimise that impact, the sooner we can get back to providing services to patients and to citizens,” he said.
The NHS had “a significant wakeup call” in 2017, when what Huggins described as a “shock to the system” – the WannaCry ransomware attacks that swept the globe that year – highlighted the NHS’s dependence on technology to provide health care services.
“We have seen attacks since then. Through capabilities that we’ve built, we’ve managed to interrupt them before they’ve managed to cause that disruption to us.”
Strengthening NHS England’s defences has required significant investment, initially into central services. Huggins said that by investing centrally “[the organisation] was able to staff up, we were able to skill up, and we were able to provide services to multiple organisations, raising the bar everywhere at the same time”.

As a result, since WannaCry, there has been a tenfold reduction in cyberattacks reported by NHS England. Key measures to have been implemented include ‘high severity alerts’, where experts investigate major vulnerabilities in software or equipment that they believe to be widely deployed across a system. If they find active exploitation, an alert goes out to everybody in the system with a deadline by which to fix it.
NHS England has also invested in the Cyber Security Operations Centre, with around 2.1m devices under management. This has helped it to be able to spot an attack and disable it nationally within 45 minutes.
Huggins ended his presentation by drawing a crucial distinction between ‘product and service assurance’ and ‘organisational assurance’, and prioritising the former. Security assurance people would understand the difference, he said, but to the layperson, it is about knowing that what is being sold to an organisation can be trusted, not just the firm selling it.
In light of this, Huggins said his teams’ next task is to work to assess and protect NHS England’s supply chain. However, he said it would be five years or more before the results of that effort emerged.
Securing talent to secure systems
The conversation turned back to the question of how public sector bodies can attract and retain top cybersecurity talent.
“If you want to retain people, it’s about making [government] a place they want to stay,” Hymers said. “It’s not always about the money. If you’ve got interesting work, and you’re working on interesting projects, and we make it as seamless as possible, then people will stay.”
He added that though pay remains a big pull factor for new recruits in the private sector, once money has been made, the itch to make social and organisational impact starts to take over.

Mestrovich, who worked as a federal employee in the US before moving to the private sector, shared his experience of the best hiring and retention practices. He said the “esprit de corps” of government entities should not be dismissed as mere sloganeering, but as a sincere pledge or vow, backed by a strong culture.
“Any government entity that can capitalise on [their mission imperative] can create an environment where people enjoy working, because they enjoy the mission, they enjoy the people that they’re around. That certainly is something that helps to keep people.”
Huggins said he believes the public sector’s main hiring hurdle is its incapacity to grow talent internally.
“We don’t do enough to bring in new people who may not have skills and experience but do have aptitude. And we don’t train them, we don’t give them experience,” he said.
“There are a number of groups in our society who are not equitably able to access the cybersecurity profession. I think we spend too much time writing job specs and assuming they’ll come to us. We need to go to where they are… we need to be prepared to invest in their skills, give them experience and take the hit.”
Cyber hygiene
Upping governments’ cybersecurity capabilities is going to be a headache for recruitment and HR professionals for years to come.
What departments can focus on in the meantime, panellists agreed, is to work on protecting themselves from threats. Doing so means getting right what Huggins called “the basics of cyber hygiene”, though he admitted these ‘basics’ are “really quite tough”.
They involve governments getting rid of elements of their technology estate before they become unsupported, which requires a very well-managed technology function. Without this, a government will find itself forever laying sticking plasters over widening cracks in its system.
Mestrovich agreed and added that best practices fall short in even more obvious areas, such as password protection requirements, explaining that many organisations do not yet use multi-factor or biometric authentication for this purpose.
A self-described “eternal optimist”, Mestrovich ended by providing a vision of what cybersecurity in government might look like in future – a future in which the private sector is a closer ally.
“Maybe the model shifts over the years where there’s a cybersecurity centre that provides cybersecurity services for large swathes of government entities,” he said.
Watch the full Last line of defence: how to protect government data from cyber attacks webinar on our dedicated event page. The webinar was hosted by Rubrik – with support from Global Government Forum – and took place on 23 November 2022.