What happens when attackers breach local government, police departments or public health services? What would happen if attackers compromised the U.S. Treasury’s network? These types of incidents happen every month and lead to service interruptions at the very least. More serious problems could occur, such as leakage of classified data or damage to critical infrastructure.

What about the cost of a data breach for government agencies? According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average. In 2018, the U.S. government faced a total of $13.7 billion in costs due to cyberattacks. Governments at all levels and in every country are at risk. The stakes are high, and preparedness is essential. 

Scope of Government Cyberattack Risk

While threat actors still prefer to target health care, financial and technology firms, there are over 90,000 government entities in the United States alone. Also, research shows that there is a knowledge and awareness gap in the public sector when it comes to security measures. This makes government offices attractive targets for cyber gangs. 

With increased tensions, it’s likely that state-sponsored cyberattacks will also continue to increase. Given the rising threat to government agencies, the FBI released a special notification about the risk. It states: “Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities and other services overseen by local governments, making them attractive targets for cyber criminals.” 

Still, if even specialist cybersecurity providers themselves aren’t immune to attack, how is a small government office expected to protect itself?

Types of Threats to Government Agencies

According to the FBI notice, the most common infection vectors against government entities are phishing emails, remote desktop protocol exploitation and software vulnerability exploitation. Threat diversification has also become a major concern. For example, the FBI states that actors have been: 

  • Using service-for-hire business models
  • Sharing victim information among actor groups
  • Using diverse extortion strategies and attacking access and data sources such as cloud infrastructure, managed service providers and software supply chains.
Read the CODB Report

Government Action

Earlier this year, the U.S. Congress passed new legislation that impacts federal agencies and critical infrastructure owners and operators. The mandate states that agencies must report attacks within 72 hours. They must also report ransomware payments within 24 hours. 

The new provision includes assistance for the departments of Defense, State, Justice, Treasury, Commerce and others. They will receive technological and continuity-of-government aid, which includes IT infrastructure and cybersecurity services. The legislation also gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to subpoena entities that fail to report cyberattacks or the payment of ransomware. Meanwhile, CISA will also sponsor a program to alert agencies of exploitable vulnerabilities connected with ransomware.

So, while increased assistance is part of the package, so is increased pressure and scrutiny. 

Lack of Funding

Major barriers to defending against attacks include that it’s becoming harder to pay competitive salaries, the number of staff and lack of funds. All these involve tight budgets.

Despite the urgency, funding continues to be an issue for local and federal agencies. In 2021, $118.7 billion in technology spending was projected for state and local governments. Only a fraction of this was earmarked for security. It’s unlikely to cover all needs when the government faces $13.7 billion in security costs each year.

Lack of Insight

Many government offices also lack the strategies, experience and insight to prevent cyber crime. For example, in a 2019 attack on the Baltimore government, a well-known Microsoft patch could have easily prevented an $18 million Robinhood ransomware incident.

In 2019, attackers hijacked nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000 at the time). The city refused to pay. Recovery efforts lasted months before systems came back online. During that time, services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. The total cost of the Baltimore attack (plus remediation efforts) was around $18.2 million.

How to Respond to the Threat

The FBI and many other agencies recommend against paying ransoms. There is no guarantee that payment will result in restored systems and files. Paying ransoms also encourages attackers. Even worse, the Department of the Treasury may even impose sanctions on entities that pay malware ransoms. 

Preparedness is critical. Some suggestions for government agencies from the FBI include:

  • Keep all operating systems and software up to date
  • Implement a user training program and phishing exercises
  • Require strong, unique passwords for all accounts with password logins 
  • Require multi-factor authentication (MFA) for as many services as possible
  • Maintain offline (i.e., physically separate) backups of data, and test backup and restoration often
  • Ensure all backup data is encrypted and immutable
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access and encrypting data in the cloud
  • If using Linux, use a Linux security module (such as SELinux, AppArmor or SecComp) for defense in depth
  • Segment networks to help prevent the spread of ransomware
  • Enforce the principle of least privilege through authorization policies
  • Implement time-based access for privileged accounts
  • Disable unneeded command-line utilities; constrain scripting activities and permissions and monitor their usage.

Improve Security Now

The ways to improve security may seem daunting at first. However, it doesn’t have to get all done at once. The idea is to begin improving security postures now. Then, continue to improve your preparedness along the way. 

more from Data Protection