September 7, 2022 By Jonathan Reed 4 min read

What happens when attackers breach local government, police departments or public health services? What would happen if attackers compromised the U.S. Treasury’s network? These types of incidents happen every month and lead to service interruptions at the very least. More serious problems could occur, such as leakage of classified data or damage to critical infrastructure.

What about the cost of a data breach for government agencies? According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average. In 2018, the U.S. government faced a total of $13.7 billion in costs due to cyberattacks. Governments at all levels and in every country are at risk. The stakes are high, and preparedness is essential.

Scope of government cyberattack risk

While threat actors still prefer to target health care, financial and technology firms, there are over 90,000 government entities in the United States alone. Also, research shows that there is a knowledge and awareness gap in the public sector when it comes to security measures. This makes government offices attractive targets for cyber gangs.

With increased tensions, it’s likely that state-sponsored cyberattacks will also continue to increase. Given the rising threat to government agencies, the FBI released a special notification about the risk. It states: “Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities and other services overseen by local governments, making them attractive targets for cyber criminals.”

Still, if even specialist cybersecurity providers themselves aren’t immune to attack, how is a small government office expected to protect itself?

Types of threats to government agencies

According to the FBI notice, the most common infection vectors against government entities are phishing emails, remote desktop protocol exploitation and software vulnerability exploitation. Threat diversification has also become a major concern. For example, the FBI states that actors have been:

  • Using service-for-hire business models
  • Sharing victim information among actor groups
  • Using diverse extortion strategies and attacking access and data sources such as cloud infrastructure, managed service providers and software supply chains.
Explore the Report

Government action

Earlier this year, the U.S. Congress passed new legislation that impacts federal agencies and critical infrastructure owners and operators. The mandate states that agencies must report attacks within 72 hours. They must also report ransomware payments within 24 hours.

The new provision includes assistance for the departments of Defense, State, Justice, Treasury, Commerce and others. They will receive technological and continuity-of-government aid, which includes IT infrastructure and cybersecurity services. The legislation also gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to subpoena entities that fail to report cyberattacks or the payment of ransomware. Meanwhile, CISA will also sponsor a program to alert agencies of exploitable vulnerabilities connected with ransomware.

So, while increased assistance is part of the package, so is increased pressure and scrutiny.

Lack of funding

Major barriers to defending against attacks include that it’s becoming harder to pay competitive salaries, the number of staff and lack of funds. All these involve tight budgets.

Despite the urgency, funding continues to be an issue for local and federal agencies. In 2021, $118.7 billion in technology spending was projected for state and local governments. Only a fraction of this was earmarked for security. It’s unlikely to cover all needs when the government faces $13.7 billion in security costs each year.

Lack of insight

Many government offices also lack the strategies, experience and insight to prevent cyber crime. For example, in a 2019 attack on the Baltimore government, a well-known Microsoft patch could have easily prevented an $18 million Robinhood ransomware incident.

In 2019, attackers hijacked nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000 at the time). The city refused to pay. Recovery efforts lasted months before systems came back online. During that time, services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. The total cost of the Baltimore attack (plus remediation efforts) was around $18.2 million.

How to respond to the threat

The FBI and many other agencies recommend against paying ransoms. There is no guarantee that payment will result in restored systems and files. Paying ransoms also encourages attackers. Even worse, the Department of the Treasury may even impose sanctions on entities that pay malware ransoms.

Preparedness is critical. Some suggestions for government agencies from the FBI include:

  • Keep all operating systems and software up to date
  • Implement a user training program and phishing exercises
  • Require strong, unique passwords for all accounts with password logins
  • Require multi-factor authentication (MFA) for as many services as possible
  • Maintain offline (i.e., physically separate) backups of data, and test backup and restoration often
  • Ensure all backup data is encrypted and immutable
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access and encrypting data in the cloud
  • If using Linux, use a Linux security module (such as SELinux, AppArmor or SecComp) for defense in depth
  • Segment networks to help prevent the spread of ransomware
  • Enforce the principle of least privilege through authorization policies
  • Implement time-based access for privileged accounts
  • Disable unneeded command-line utilities; constrain scripting activities and permissions and monitor their usage.

Improve security now

The ways to improve security may seem daunting at first. However, it doesn’t have to get all done at once. The idea is to begin improving security postures now. Then, continue to improve your preparedness along the way.

More from Data Protection

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today