Just last month, the Prime Minister of Australia, Scott Morrison, announced that his country was facing a massive cyberattack that was impacting, “Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.”
And while the Prime Minister didn’t directly name who was responsible for this attack (although some have speculated), it does appear that the perpetrators are state-sponsored.
What is currently happening in Australia is neither new nor novel. Cyberattacks are being perpetrated against all levels of government – from state and local government agencies, to education and healthcare institutions, to federal government agencies – right here in the United States, as well. Just in the past few months, we’ve seen successful ransomware attacks against hospitals in the middle of a global pandemic and cyberattacks against local libraries. Just last week, we saw private police records compromised and distributed via the Internet.
To get a better picture of the cyber threat landscape facing government organizations, and to learn more about simple steps government organizations and agencies can take to better protect themselves, we sat down with Chris Wilkinson, the newly-elevated President of DLT Solutions. Chris has more than 15 years of experience in the public sector, where he has helped connect government organizations to the cybersecurity solutions and private sector innovations necessary to help them build a stout cyber defense.
During our discussion, Chris shared how technical vigilance against attacks, paired with training, can reduce threats like ransomware, data theft, and denial of service attacks. And how, while the most capable technologies are important, it is a trained staff that turns those technologies into sound threat analysis and appropriate action.
GovCyberHub (GCH): During your time at immixGroup and with DLT, you were integral in helping technology companies, channel partners, and government agencies work together to meet their needs and requirements for cybersecurity solutions. What would you say is the threat landscape like right now for government agencies?
Chris Wilkinson: I would start by noting that some things haven’t changed. Defending our networks against attacks is always harder than attacking or penetrating networks. Defense is always harder than offense. Malicious actors must only be right once to infiltrate our networks and achieve their desired outcomes. Our cyber warriors need to be right every single time to defend our networks.
And the cyber threat is growing. Our attack surface is growing. It continues to expand and diversify with more and more connected devices and as we increase our reliance on technology in most aspects of our everyday lives. Technology continues to advance with innovation driven largely by things like convenience, performance, and capability, and security is still too often an afterthought.
Those constants continue today as we see attacks increasing in sophistication. Cyberwarfare is different from kinetic warfare. When we deploy a sophisticated warhead, the technology is not easily reverse engineered after its desired effect. In the cyber domain, we’re seeing advancements made in many increasingly sophisticated attacks today, used for a specific desired outcome, against a specific target. Once the exploit is discovered, it’s now out there, in the wild for adversaries to reverse engineer, redeploy themselves, or to continue to build upon for other malicious intent.
GCH: What has changed? Why are these threats getting worse and more sophisticated?
Chris Wilkinson: These increasingly sophisticated attacks are becoming automated and easier to deploy. The barrier to entry into executing an attack continues to be lowered. The threat of the really scary, sophisticated cyberattacks used to be present in a relatively limited number of very sophisticated attackers, often well-funded and enabled attackers like nation-states – attackers with some known or perceived motivations for their attacks.
Automation and ease of use are enabling a whole new set of less sophisticated attackers, armed with no less sophisticated attacks, to act on an increasingly diverse set of intents like hacktivism and run-of-the-mill cybercrime. Some documented ransomware attacks have been successfully deployed in instances where the attacker isn’t even sophisticated enough to decrypt the data after being paid the ransom to restore the victim’s access to the data compromised in the attack.
As the novel coronavirus pandemic has forced most of the world to adapt to working remotely, we’ve become a far more connected world. Our government agencies are being exposed to increased risk with workforces accessing sensitive systems in an increasingly remote capacity, and from endpoints that the agency doesn’t always own. Remote access security systems are being tested, and some agencies are less prepared than others, leading to VPN bandwidth issues and security misconfigurations in VPNs that expose sensitive information and expose devices to Denial of Service attacks. Adversaries are also using COVID-19 as bait to impersonate brands or authoritative data, resulting in more clicks and more infected personal devices.
A Mimecast security report noted that 72 percent of the 1,025 IT decision-makers surveyed globally saw an increase in phishing and impersonation to steal from unsuspecting users. And their threat center researchers saw a 30 percent jump in impersonation from January to April 2020, from onset through the early stages of the pandemic impact.
Misinformation and propaganda have also proliferated on social media. According to the CyberWire, just this month Twitter identified a large number of state-run accounts pushing disinformation. The largest network was Chinese-controlled: 23,750 “core accounts” that were highly active in distributing Beijing’s line to a Chinese-speaking audience, with special attention to Hong Kong. Then, about 150,000 “amplifier accounts” repeated the core accounts’ traffic. Twitter also identified 1,152 Russian accounts associated with the state-run media site Current Policy; these were engaged in distributing messages favoring the Russia United Party in an influence campaign directed at domestic audiences.
And finally, I would note the proliferation of compromises in critical infrastructure. I wouldn’t say that this attack vector is new, but we’re increasingly finding attacks targeting things like the energy grid as nation-states position potential compromises to be leveraged in association with potential geopolitical conflict.
GCH: Is cybersecurity strictly a federal government problem? Or are state and local governments and agencies also targets of cyberthreats? What kinds of threats are state and local organizations facing?
Chris Wilkinson: No, cybersecurity is not only a federal government issue. Many of our state and local government agencies are not adequately prepared to defend their networks against cyber-attacks from foreign adversaries or cybercriminals.
In 2019, we saw at least 160 ransomware attacks across cities in the United States, most notably crippling state and local agencies in Louisiana, the City of Baltimore, over 20 towns in Texas, and a school district in Syracuse. These ransomware attacks cost these state and local agencies almost $20M in 2019 alone.
This trend has continued in 2020 and prompted several members of Congress to propose legislation to improve the ability of our state and local governments to detect and defend against cyber-attacks. The proposed State and Local Cybersecurity Improvement Act would authorize a new Department of Homeland Security grant program to address cybersecurity vulnerabilities on State and Local government networks. The bill is working its way through Congress having been passed by the Senate this past November and would offer $400M for state and local government cybersecurity.
GCH: In your opinion, why are government agencies and state and local governments so susceptible to attacks today? Is it a result of the increasing sophistication of the threats, or factors within their own organizations?
Chris Wilkinson: First, government agencies are naturally target-rich environments for malicious actors and our adversaries. Our governments house the data sought after by threat actors from military secrets and weapon systems information, to financial and health records, to critical infrastructure protections.
If you think about the primary threat actors – nation-states with geopolitical motivations, cybercriminals with financial and profit motivations, hacktivists with ideological motivations, terrorist groups motivated by ideological violence – our governments are prime targets because they house massive amounts of data and their missions are relevant to each and every one of those threat actors’ motivations.
Additionally, you have thrill seekers motivated by attacking the government just to see if they can… and just to see what they can find. Then you have the insider threat which exists in any environment, motivated either by discontent or an unknowing insider introducing vulnerability into an environment.
Then consider what I said before – threat actors only need to be right once, where defenders need to be right all of the time. Good cyber hygiene and cyber training help to mitigate some of the risk – but with the sheer volume and increasingly sophisticated nature of targeted attacks, it’s not realistic to believe that, in today’s IT environments, our defenders will be right all of the time, and that our workforce will be skilled enough and robust enough to defend against every attack.
GCH: What are a few basic things that government agencies could and should do immediately to improve their cyber stature?
Chris Wilkinson: The Department of Homeland Security’s Continuous Diagnostics and Mitigation program (DHS’s CDM), the National Institute of Standards and Technology’s cybersecurity framework and risk management frameworks, and the General Data Protection Regulation out of Europe have done well to provide valuable reference architectures, security controls, and best practices that agencies should understand and evaluate their own technology environments against – to progress their own cyber defenses and increase their cybersecurity postures.
Agencies should understand these best practices and establish and enforce dynamic cybersecurity risk management policies to improve their cybersecurity postures. Policies need to be understood and adopted by all stakeholders, both internal and external – by those accessing your data, your network, and your resources – including third-party providers. It should be understood that these policies are living documents; they must adapt to evolving threats to network assets. These policies should enable risk-based decision making, aligned to mission and business objectives, and protect an agency’s highest priority assets most stringently.
Agencies should balance technology with training. The human element will always be the weakest link in an agency’s cyber defense. Agencies should ensure their workforces regularly participate in continuous cybersecurity education, training, and cybersecurity exercises to help them understand the risk they pose as users of the network, and to strengthen their cyber hygiene to mitigate as much cyber risk as can be expected.
And finally, agencies should be prepared to respond to a breach. Agencies should be working to develop response policies that limit the dwell time of an attacker on their networks and ensure mission and business objectives can be achieved working through remediation of the compromise – agencies have to be capable of fighting through the attack.
We need to see continued advancement in the areas of artificial intelligence and machine learning, combined with increased cyber hygiene in our workforces, to enable our cyber warriors to better defend our networks, fighting at machine speed, and mitigating risks in near real-time.