Risks and resilience: defending the public sector against increasing cyber threats

Cyberattacks cost governments billions every year, and the COVID-19 pandemic and the invasion of Ukraine have further highlighted the need for the public sector to boost its cybersecurity resilience. At a recent Rubrik webinar, experts from the US and the UK discussed how civil servants can best protect themselves and their organisations.
Worldwide, cases of cybercrime have surged since the beginning of the pandemic. The UK’s National Cyber Security Centre (NCSC) tackled 15 times more online scams in 2020 than in 2019. Pandemic-related services and stimulus package payments created new opportunities for criminals, who began to roll out phishing campaigns and ransomware attacks. Organised crime groups shifted from targeting individuals to critical health infrastructure and governments.
Meanwhile, Russia’s invasion of Ukraine has put the world’s cyber defence authorities on high alert. Based on intelligence that the Russian government was exploring options for potential cyberattacks, cybersecurity authorities from the United States, Australia, Canada, New Zealand and the UK released a joint warning of increased Russia-sponsored threats to critical infrastructure in April. And on June 22, US president Joe Biden signed two cybersecurity bills into law, including one designed to strengthen coordination between state and local governments and the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security.
As Aastha Verma, CISA branch chief for vulnerability management, explained during the webinar, CISA is tasked with assisting both other government agencies and private sector organisations in addressing cybersecurity issues. Its mission “is enormous and getting more complicated by the day,” she said, but since it was founded in 2018, it has already been able “to cover a lot of ground”.
CISA uses two primary mechanisms to encourage cyber best practice. On the one hand, the agency issues directives to the Federal Civilian Executive Branch (FCEB). “When we find an omnipresent risk affecting multiple agencies, we issue a binding operational directive which typically tells agencies what to do in order to protect themselves from the possibility of an attack,” Verma explained, though she was open about this mechanism’s dependence on agencies’ participation.
The other mechanism is CISA’s ‘cyber hygiene’ programme, which is a free service offered to anyone in the public or private sector. “It allows us to scan their networks with their permission, which requires a lot of legalese to be settled between us and them,” she said. “But the benefits to the firms that sign up for cyber hygiene is that they get a sort of report card that says in what regards they are doing well and in what others not so much.” It acts as a “guiding light”.
CISA operations range from scanning networks to field forces going out to do vulnerability assessments of critical infrastructure. “Think of oil and gas pipelines and every kind of port: airport, shipping port and even space ports,” said Verma. “We cover both the physical and the network side through automated remote assessments as well as on-site with what we call more intrusive ‘red’, ‘blue’ and ‘purple’ team type assessments.” During cybersecurity testing exercises, red teams simulate attacks against blue teams to test the effectiveness of a network’s security. Purple teams are a combination of both red and blue team members working closely together to maximise cyber capabilities.
More similarities than differences
Martin Bowyer is a co-author of the UK Government Cyber Security Strategy and leads a team of digital security and technology experts at the Cabinet Office. As he explained, their mission is to protect citizens, public servants and digital government services from cyberattacks and data breaches.
Bowyer said that he intended to offer a comparative view of cyber and data-sharing challenges in the US and the UK, and that “it turns out we have more similarities than differences”. For instance, the threats and threat actors both countries are facing are “pretty much the same: nation states, organised crime, activists, disgruntled insiders”, he said.
A further similarity highlighted by Bowyer is the spectrum of technologies used by governments on both sides of the Atlantic. “We both have cutting-edge cloud-based service architectures, we both have software as a service, and we both have legacy services that haven’t been continually improved and defended against modern cyber threats.” Since the technology is similar, the US and the UK are dealing with the same vulnerabilities. This has led to CISA and the NCSC taking what Bowyer described as the “logical step” of issuing joint vulnerability warnings.
However, while there are similarities between the US and the UK, there are differences too. “I will admit that we do look at the executive orders in the US with a certain degree of jealousy because having a direct order mechanism that overrides most other considerations would be a really powerful tool in our arsenal,” Bowyer said. “If I can’t order someone to do something, I have to use evidence, persuasion and diplomacy to achieve my aims – and you need to find the right person to talk to.” While the complexity of the issues both countries are facing is comparable, he also said the UK had fewer resources at its disposal and finds itself in a position of constantly having to “brutally prioritise”.
Identifying fragmentation as “one of our adversary’s best friends”, Bowyer talked of the UK’s ‘defend as one’ policy – one of the pillars of its cybersecurity strategy. A central part of this is the establishment of a new Government Cyber Coordination Centre (GCCC) to better co-ordinate cybersecurity efforts across government. Expert secondees from across the public sector will be rotated into the centre and out again, Bowyer said. “They’re going to build skills and relationships that we can lean on as a wider virtual team in our responses and they’ll cascade that out across the public sector.”
One of the challenges they will face is the inconsistent application of security to services, Bowyer said. “It’s pretty obvious that you need a common approach to ‘secure by design’, which is a framework that ensures that all technology and digital services are planned, procured, designed, built, operated, modified and decommissioned securely.” And this principle shouldn’t be followed only by government but by suppliers to the public sector too, he said. “Secure by design tackles fragmentation, it makes sharing data securely easier and it helps us dynamically manage risks across the whole lifecycle of a service.”
Specifically addressing technical leaders in the webinar’s audience, Bowyer emphasised the importance of educating and not punishing the public sector workforce. “We need to make security easy and as frictionless as possible, but we also need to stop punishing our people for making honest mistakes,” he said. “If the survival of entire organisations depends on the hope that every single user will spot and avoid every malicious link in every phishing email, and that clicking such a link would cause the whole digital environment to collapse, then we probably engineered it wrong.”
More personal responsibility
The discussion turned to the topic of hybrid working and the security concerns arising from staff increasingly working from home since the beginning of the pandemic. “It’s a controversial statement, but I’ll put it out there: hybrid working should not result in a dramatic increase in cyber risks,” Bowyer said. “We’ve become a lot more permissive about what we can do from home and that’s helpful, because it makes people take a bit more personal responsibility for managing their own cyber risk.”
While some had to make large investments in things like virtual private network (VPN) infrastructure, overall organisations had “really kept up with technology” – particularly those where staff worked from home occasionally before the pandemic hit, he said.
Nevertheless, every organisation should make clear what it expects of its staff when they work from different locations, Bowyer said. “It’s reasonable to expect people to follow a proper patching regime. And we need to be really clear on acceptable use policies.”
Looking back to the US, Verma agreed on the importance of personal responsibility when ensuring security. “It is on some level on us as IT staff or even on us at home to make sure that we’re patching our systems and looking out for phishing emails.” Simply not clicking on links in certain emails could stop at least 50% of attacks, she said.
Verma added that organisations needed to be cautious about where they buy and source software and mentioned the so-called ‘software bill of materials’ or SBOM, which is an inventory of all components used to build a software application. “When you assemble software, you might be using pieces of other people’s code and there could be bugs in that code,” she warned.
Preventing software that has been built with flaws from entering the ecosystem of an organisation has been difficult, Verma continued. “You need the industry to participate and self-evaluate in that effort. Here in the United States we struggle with not having the ability to enforce anything along those lines,” she said, adding that her agency often sees the need to incentivise engagement from the private sector in order for them “to open up to us”.
On the question of how governments can prepare against constantly changing cyber threats and agile criminal actors, Verma emphasised the importance of “simple tools” such as backups. Disaster recovery backups could help organisations after a critical incident such as a ransomware attack, she explained. “You’re not stuck in the water for days trying to sort your network out, but instead simply flush your current arrangement and pop back to your disaster recovery backups,” said Verma. “Then you’re back in business and you essentially thwart the entire chain of risk that comes with ransomware.”
Standards and principles
The panellists were asked about the level of compliance across departments and agencies given often limited resources and changing priorities. Bowyer explained that the UK is currently using ‘minimum cyber security standards’, which means departments are required to answer compliance-related questions once a year. He described this procedure as “fundamentally flawed” due to its binary nature: “You either do it or you don’t.”
Against this backdrop, the UK introduced the Cyber Assessment Framework (CAF), which is a tool for assessing cyber resilience and consists of 14 security principles all operators of essential services must implement. Bowyer explained that mandatory independent audits were being introduced to ensure departments are “investing in the right place”.
In the US, CISA’s role as a risk advisor has recently been upgraded by Biden’s cybersecurity bill. “Now we have actually been given greater authority by Congress and the president for a reason: they want us to be more than advisors, they want us to be actual risk reducers,” Verma said.
While the process of trying to redefine itself is ongoing, the agency mostly tries to get assurances by “getting people to self-adopt, self-regulate and self-motivate”, she explained. “That’s the hard part, but what we want to do is not be punitive in the way we come down on people.”
Getting the basics right
Wrapping up the discussion, both panellists were asked what they would recommend civil servants thinking about their cyber security should do or consider. “If you do nothing else, ask yourself what you are actually responsible for,” said Bowyer, who added that it is important to question anyone providing protection. “If someone talks about multi-factor authentication, ask yourself: why don’t I have multi-factor authentication on these critical accounts that have to deal with public information or payments?”
Bowyer also advised regularly testing an organisation’s business continuity plan. “Everyone will groan, but I can guarantee the benefit will be huge.” Such a plan, which details processes that will help keep operations running in the event of a disaster, will always fail the first time it is run, he said. “But it’s much better to have it fail in a planned way than when you really have to rely on it.”
Verma suggested following the basics, which consist of patching systems, awareness of phishing campaigns, and backups to protect against ransomware attacks. “But the easiest thing you can do is sign up for cyber hygiene – whether you’re in government or the private sector. You will have to go through a little bit of documentation with us to see where you stand, but we will work with you with whatever situation you’re in.”
Despite the multitude of constantly changing cyber threats facing the public sector, what was clear from the panellists is that civil servants have numerous resources at their disposal in order to sufficiently mitigate the threat.
The Rubrik webinar ‘Adapting to increased risks: cyber and data security in the age of uncertainty’ took place on 22 June, with the support of Global Government Forum. Watch the 75-minute webinar via our dedicated event page.