What happens when attackers breach local government, police departments or public health services? What would happen if attackers compromised the U.S. Treasury’s network? These types of incidents happen every month and lead to service interruptions at the very least. More serious problems could occur, such as leakage of classified data or damage to critical infrastructure.

What about the cost of a data breach for government agencies? According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average. In 2018, the U.S. government faced a total of $13.7 billion in costs due to cyberattacks. Governments at all levels and in every country are at risk. The stakes are high, and preparedness is essential.

Scope of Government Cyberattack Risk

While threat actors still prefer to target health care, financial and technology firms, there are over 90,000 government entities in the United States alone. Also, research shows that there is a knowledge and awareness gap in the public sector when it comes to security measures. This makes government offices attractive targets for cyber gangs.

With increased tensions, it’s likely that state-sponsored cyberattacks will also continue to increase. Given the rising threat to government agencies, the FBI released a special notification about the risk. It states: “Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities and other services overseen by local governments, making them attractive targets for cyber criminals.”

Still, if even specialist cybersecurity providers themselves aren’t immune to attack, how is a small government office expected to protect itself?

Types of Threats to Government Agencies

According to the FBI notice, the most common infection vectors against government entities are phishing emails, remote desktop protocol exploitation and software vulnerability exploitation. Threat diversification has also become a major concern. For example, the FBI states that actors have been:

  • Using service-for-hire business models
  • Sharing victim information among actor groups
  • Using diverse extortion strategies and attacking access and data sources such as cloud infrastructure, managed service providers and software supply chains.
Explore the Report

Government Action

Earlier this year, the U.S. Congress passed new legislation that impacts federal agencies and critical infrastructure owners and operators. The mandate states that agencies must report attacks within 72 hours. They must also report ransomware payments within 24 hours.

The new provision includes assistance for the departments of Defense, State, Justice, Treasury, Commerce and others. They will receive technological and continuity-of-government aid, which includes IT infrastructure and cybersecurity services. The legislation also gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to subpoena entities that fail to report cyberattacks or the payment of ransomware. Meanwhile, CISA will also sponsor a program to alert agencies of exploitable vulnerabilities connected with ransomware.

So, while increased assistance is part of the package, so is increased pressure and scrutiny.

Lack of Funding

Major barriers to defending against attacks include that it’s becoming harder to pay competitive salaries, the number of staff and lack of funds. All these involve tight budgets.

Despite the urgency, funding continues to be an issue for local and federal agencies. In 2021, $118.7 billion in technology spending was projected for state and local governments. Only a fraction of this was earmarked for security. It’s unlikely to cover all needs when the government faces $13.7 billion in security costs each year.

Lack of Insight

Many government offices also lack the strategies, experience and insight to prevent cyber crime. For example, in a 2019 attack on the Baltimore government, a well-known Microsoft patch could have easily prevented an $18 million Robinhood ransomware incident.

In 2019, attackers hijacked nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000 at the time). The city refused to pay. Recovery efforts lasted months before systems came back online. During that time, services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. The total cost of the Baltimore attack (plus remediation efforts) was around $18.2 million.

How to Respond to the Threat

The FBI and many other agencies recommend against paying ransoms. There is no guarantee that payment will result in restored systems and files. Paying ransoms also encourages attackers. Even worse, the Department of the Treasury may even impose sanctions on entities that pay malware ransoms.

Preparedness is critical. Some suggestions for government agencies from the FBI include:

  • Keep all operating systems and software up to date
  • Implement a user training program and phishing exercises
  • Require strong, unique passwords for all accounts with password logins
  • Require multi-factor authentication (MFA) for as many services as possible
  • Maintain offline (i.e., physically separate) backups of data, and test backup and restoration often
  • Ensure all backup data is encrypted and immutable
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access and encrypting data in the cloud
  • If using Linux, use a Linux security module (such as SELinux, AppArmor or SecComp) for defense in depth
  • Segment networks to help prevent the spread of ransomware
  • Enforce the principle of least privilege through authorization policies
  • Implement time-based access for privileged accounts
  • Disable unneeded command-line utilities; constrain scripting activities and permissions and monitor their usage.

Improve Security Now

The ways to improve security may seem daunting at first. However, it doesn’t have to get all done at once. The idea is to begin improving security postures now. Then, continue to improve your preparedness along the way.

More from Data Protection

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

How the CCPA is Shaping Other State’s Data Privacy

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy's legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement. But while the laws…