Responding to rising threats: heading off cyberattacks in the era of the perma-crisis

By on 27/04/2022 | Updated on 28/04/2022
At a Global Government Forum webinar, Mia Hunt heard public sector experts explore the trend for more frequent and serious cyberattacks – exacerbated by the COVID-19 pandemic and the invasion of Ukraine – touching on ransomware, civil service skills gaps, government intervention, and the need for public-private partnership

The COVID-19 pandemic prompted an explosion in cyberattacks as web criminals preyed on people’s fears to scam them out of money and hostile states seized the opportunity to destabilise enemy nations and steal intellectual property that would lead to economic gain.  

From conning people into buying non-existent personal protective equipment or fake COVID passports to attempts to hack vaccine supply chains, the threats were numerous and serious. In a GGF webinar held last month, public sector cybersecurity experts from the US, UK, Estonia, and Canada covered cyber trends, growing government intervention, civil service skills gaps, and what the future holds for web security.

As Eleanor Fairford, deputy director, incident management at the UK’s National Cyber Security Centre explained, the pandemic produced new data that was a “honeypot” for cyber criminals, creating a hotbed for online scams, phishing campaigns and fraud – much of it achieved through imitation of government and health authorities.

Demonstrating the magnitude of the problem, since March 2020, the Canadian Centre for Cyber Security (CSC) has contributed to removing over 10,000 websites impersonating the Government of Canada.

In addition, hostile states began looking for information that would give them the advantage in what Fairford called “the arms race to vaccine development”. And though the worst of the pandemic is over, the threat continues. According to Eric Belzile, CSC’s director general, incident management and threat mitigation, state actors have set a priority on COVID-19 related intelligence collection and will continue to do so for the foreseeable future.

Such opportunities for cybercriminal and malicious actors “are being exploited to the maximum degree,” Fairford said, and were made easier by the widespread move to remote working. The speed at which this had to be done in many cases “overtook the requirements to do so securely”, leaving gaps for criminals to exploit.

As a result of telework, organisations’ IT infrastructure is more decentralised than ever, creating additional weak points while public internet access introduces security risks that cannot be easily managed. To mitigate these risks, Belzile recommended introducing new IT policies and user training, bolstering security controls on virtual private networks (VPNs), and using multi-factor authentication (MFA). “Organisations should revisit their implementation with multi-layered security in mind,” he said.  

A ‘people problem’

In most cases, the panellists agreed, that is easier said than done, in part because of a lack of cybersecurity expertise in government and beyond.

Thomas Millar is senior advisor, cybersecurity vulnerability management at the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency and member of the task force established to head off COVID-related cyber issues.

Its priorities were to protect teleworking staff and citizens, remote learning at all levels of the education system, and the vaccine supply chain. On the latter, Millar and his team’s work involved “working with every company in every part of the supply chain from the companies that produce the cardboard to package the vaccines to massive blue chip pharmaceutical companies and 7,000 healthcare delivery organisations”.

His experience of working through the pandemic – “easily the most stressful situation I’ve been in”, he said – highlighted the skills gap issue. What he found was that the federal government doesn’t have the required in-house expertise to deal effectively with increasing cyber threats.

The CARES Act, a US$2.2 trillion stimulus package signed into law in March 2020, included a provision that temporary civil servants could be hired from the private sector. “We got some really amazing experts that probably wouldn’t have come to work for us otherwise,” Millar said.

What he found, too, was that there weren’t “enough qualified, technically-savvy people” working in government agencies to act on the recommendations that his team provide.

Some federal agencies have 30-day backlogs of Microsoft patches, “which is completely unsustainable,” Millar said, and down to “simply not having the right resources in place, not having the right talent pool – emphasis on talent – to take care of what needs to be done”.

He added: “It’s not even like we’re asking for super sophisticated cyber Rangers. We’re asking for people to test and deploy patches in a timely fashion, and if it’s a challenge for the federal government, I don’t even want to think about what it’s like for a hospital in North Texas.”

Martin Indrek Miller of the Estonian Information System Authority is lead cyber security advisor for the EU Cyber Resilience 4 Development Project – a multi-country collaboration which focuses on helping developing countries build cyber resilience and companies hit by ransomware to find decryption keys. Lack of cybersecurity capability, he pointed out, is not just limited to governments and the public sector.

It comes down, he believes, to education. “All those curriculums in schools and universities need to change – bring in more computer science and these types of topics because cybersecurity is lacking professionals globally. I think there are 20,000+ open positions within the EU for cybersecurity professionals,” he said.

Ukraine, ransomware, and government intervention

In addition to the cyber risks associated with COVID, the situation in Ukraine has presented new and significant concerns for governments. As Fairford explained, the world’s cyber defence authorities are on high alert. “Cyber is an established precursor to military activity now,” she said. “[It’s] part of an effort to sow chaos, to destabilise, to create uncertainty, and to make any military action easier to conduct.”

She pointed out that, similarly to what we saw before Russia invaded Georgia in 2008 and prior to the annexation of Crimea in 2014, in January this year, Ukrainian websites were taken down and subject to distributed denial of service (DDoS) attacks.

And then there is ransomware to consider. Fairford said it has rapidly risen up the political agenda over the past 12 months and is fast becoming a national security issue, particularly in the wake of events such as the shutting down of the US Colonial Pipeline last year, targeting of food producers, and other attacks that have “managed to really cripple national infrastructure”.

The boom in cybercrime has prompted some Western governments to take more interventionist approaches than they might usually be comfortable with. In the opinion of David Carroll, managing director of the not-for-profit Nominet Cyber – the webinar’s knowledge partner – this is largely because the cybersecurity market “hasn’t been functioning as it should”.

In some cases, for example, losses resulting from cyberattacks became uninsurable. “As we were going into the pandemic, the penny was really dropping in people’s minds that ransomware looked as though it could get out of control,” Carroll said. “Attackers appeared to be getting better at attacking, driven by the profit motive, quicker than defenders were getting better at defending.

“Governments have responded by taking up the slack. They’ve broadened their interventions under whole-of-society approaches that increasingly include active cyber defence programmes. So, they’re no longer limiting themselves to policy and guidance – they’re actually willing to get stuck in and get involved in the fight.”

Liberal democratic nations don’t like to interfere in or cannibalise markets, Carroll pointed out, but in his opinion “there was a clear and present danger and action had to be taken”.

Public-private partnership – the future of effective cybersecurity

Carroll gave the example of free services “designed to help those most in need and least able to defend themselves”, citing the UK’s ADC programme which offers more than 20 free protective tools that detect and disrupt threats. Prior to the coronavirus outbreak, such services were controversial “because they weren’t limited to policy, they were protective in nature”.

During the pandemic, the ADC Protective Domain Name Service (PDNS) – which protects people from accessing domains or IPs that are known to be malicious and targets malware already on networks – moved from supporting around 1,000 public sector organisations to also protecting home-working civil servants and the vaccine supply chain. This involved onboarding the UK’s NHS – made up of some 1,000 additional organisations – as well as private sector businesses, almost overnight, something Carroll describes as “ground-breaking”.

“It goes to the heart of this collaboration that we now see between government and industry,” Carroll said, and not just in the UK but in the US, Australia, and others too.

In addition to the ADC PDNS, Millar referred to two resources he felt everyone should be aware of: DHS’s stopransomware.gov and No More Ransom. The latter – a collection of decryption keys that individuals can post and make available to the global community – is run by Europol in partnership with the private sector. “Everything on those sites is free and available to all,” Millar said.  

His and other panellists’ eagerness to promote free and open cybersecurity resources is a result of what they see as the often very difficult task of raising awareness both with organisations and citizens of what the threats are and how they can be tackled.

Indeed, Fairford and Belzile agreed that obvious steps often aren’t being taken, leaving cyber criminals to exploit vulnerabilities that could easily have been solved. “Minimum things like patching, basic cybersecurity hygiene, passwords, MFA – they’re not necessarily very costly but they can reduce significantly the threat and the risk of cyber incidents,” Belzile said. In addition, many organisations have “no response plan” and “don’t know where their ‘crown jewels’ are”.  

For Carroll, “it does feel a bit like Groundhog Day. Ten years on we’re still talking about passwords and MFA and patching, architecture, all this basic stuff. You hear industry luminaries, folks who’ve founded big cybersecurity companies themselves who say, ‘if people could just do the basics, you wouldn’t need my stuff’. […] The maddening thing is those real basic things are often very difficult”.

The reason for this, he said, is that small businesses and organisations are ignorant of what needs to be done to protect themselves from cyber threats and large ones find it difficult to effect change.

Looking forward, Fairford said the No More Ransom initiative cited by Millar “is a really nice example of the kind of collective endeavour that we can put together”.

She hopes governments will reach out to the private sector and potentially even the hacker community to “make the most of the expertise that sits out there, which is necessarily way beyond what government itself can corral.

“There are some really nice big, crunchy existential questions for us about how we tap into that and make it a force for good.”   

Carroll agreed. “Whatever happens as a result of the war in Ukraine and whether or not that conflict results in an escalating situation in cyberspace, the prospect of a de-globalising world of competing internets is sadly coming ever closer. And the implications for cybersecurity are quite profound.” He too believes that such prospects will drive government and businesses closer together in the fight against cybercrime.

In the age of the perma-crisis, the barrage of cyber threats is unlikely to dissipate any time soon. But what’s clear is that a big shift is happening that might just see governments become more able to outwit criminals and hostile states.

The Global Government Forum webinar ‘The digital pandemic: cyber-security in the era of COVID-19’ was held on 29 March, with the support of knowledge partner Nominet Cyber. You can watch the 75-minute webinar via our dedicated event page.

About Mia Hunt

Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.
