HOME
NEWS

Why are Government Agencies So Vulnerable to Hacking?


By VARINDIA - 2020-10-26
Why are Government Agencies So Vulnerable to Hacking?

In network security we talk about “attack surfaces,” the term for the total number of points or vectors through which an attacker could try to enter a computing environment. As government organizations at the federal, state, county, and municipal levels have become increasingly digital, their attack surfaces have vastly increased and consequently they’ve become far more vulnerable to all kinds of cyber attacks.

 

 

Federal information security incidents reported

 

Federal information security incidents reported to the U.S. Computer Emergency Readiness Team, fiscal years 2009 through 2018. Note: Until fiscal year 2016, the number of information security incidents reported by federal agencies to DHS’s United States Computer Emergency Readiness Team (US-CERT) had steadily increased each year. From fiscal year 2009 through fiscal year 2015, reported incidents increased from 29,999 to 77,183, an increase of 157 percent. Changes to federal incident reporting guidelines for 2016 contributed to the decrease in reported incidents in fiscal year 2016. Specifically, updated incident reporting guidelines that became effective in fiscal year 2016 no longer required agencies to report non-cyber incidents or incidents categorized as scans, probes, and attempted access.

Source: GAO

The main reasons for this high level of vulnerability are inadequate IT security expenditure on new equipment and staff training combined with overly bureaucratic processes, which together make it very difficult for these organizations to keep up with the pace of digital evolution. This, in turn, puts mission-critical public services such as court systems, municipal utilities, bill payment services, traffic control, power grids, and voting registration at serious risk of disruption. The 2018 Government Cybersecurity Report by Security Scorecard notes that:

 

Government organizations remain a primary target given the reams of personally identifiable information (PII) stored and processed by agencies, not to mention top-secret national security details. All the necessary components of critical infrastructure networks such as courts, traffic, public transportation, elections, and public utilities fall under the auspices of regional governments. Even ‘small’ governments can be huge, slow-moving bureaucracies with a mix of emerging technologies and a massive, highly vulnerable entrenched legacy infrastructure, all of which present a perfect storm for the modern hacker.

 

With the SARS-Cov2 pandemic now affecting just about every aspect of life, many government employees are working from home, which significantly increases the risks from government hacking, and consequently, data breaches and data exfiltration, malware incursions, phishing attacks, and ransomware attempts are on the rise.

 

Across all sectors, external actors account for a growing percentage of breaches, making up 75 percent in 2019, against 62 percent in 2018.This suggests that organizations are improving their defenses against insider threats and data loss protection, but they face new and potentially more dangerous threat actors. Chief among these are those who are backed by nation states.

 

PortSwigger

Why Has the Government Become a Hot Target?

Hackers love hacking the online service of government agencies because they are often “soft” targets. Often they are weakly defended, inadequately monitored, and poorly maintained (i.e. updates and patches are frequently out of date). But the biggest reason to attack government agencies is that the financial rewards for successful attempts can be huge or, in the case of hostile state actors, very valuable in political cyber warfare. Given how easy and valuable these targets are it’s no surprise that we’re seeing the frequency of attacks escalating.

Federal Information Security Incidents by Threat Vector Category

 

Phishing Attacks

All sectors of the economy are subject to phishing, a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card. According to Security Scorecard’s 2018 Government Cybersecurity Report:

 

Attackers will often profile email addresses obtained from data breaches and match them to existing social network profiles to target accounts and execute spear phishing attacks. For example, if an employee creates a Facebook or LinkedIn account with a government email address, it increases the risk of a phishing attack through one of those networks.

 

These phishing attacks may also involve malware sent as attachments in email, which can lead to data exfiltration and ransomware attacks. The biggest problem with phishing attacks is that the technique works surprisingly well. Verizon’s 2020 Data Breach Investigations Report revealed that an astounding 32 percent of confirmed data breaches involved phishing.

 

Holding the Government to Ransom

 

Of all hacking techniques seen “in the wild,” the use of ransomware-malware that encrypts data and demands payment usually in a cryptocurrency such as Bitcoin-has grown incredibly fast particularly in government agencies.

 

A study by Emsisoft, an anti-malware vendor, found that more than 100 cities across the United States suffered ransomware attacks in 2019 and a key issue in preventing ransomware attacks is staff training. However, a recent IBM-Harris survey found that only 38 percent of state and local government employees had ransomware prevention training. Three recent examples of successful ransomware attacks are:

 

  • In early May 2019, hacking systems succeeded in executing a ransomware attack on the City of Baltimore talking down the city’s voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations, delaying 1,500 pending home sales. The demand: 13 Bitcoins or $102,000. As of August 2019, it was estimated that the attack had cost the city over $18,200,000.
  • In August 2019, 22 towns in Texas fell victim to ransomware attacks that were believed to be the work of a single actor. The attacker essentially shut down all information technology services in the towns and demanded a $2.5 million ransom.
  • Following a ransomware attack on December 13, 2019, the City of New Orleans declared a state of emergency. The cost to the city was reported to be $4,200,000 although other sources have claimed that the cost was at least $7,000,000.

Government Data Breaches

One thing all government agencies have is huge amounts of data. This includes vast stores of Personally Identifiable Information (PII) on citizens, as well as comprehensive and often highly sensitive commercial company data. Verizon’s 2019/2020 Data Breach Investigations Report found that 16 percent of breaches were in the public sector, excluding healthcare and the average cost of a data breach in 2018 was $2.3 million with an average cost of $75 per record.

 

Verizon found that espionage was a key driver for government data breaches, with public sector cyber-attacks making up 66 percent of all incidents in 2019. In addition, “state affiliated actors” have been the leading cause of external public sector data breaches and data exfiltration each year since 2017. In 2019, they accounted for 79 percent of incidents.

The list of government data breaches over the last couple of decades is long but here are a few examples to give a little perspective on the scale of recent breaches involving data exfiltration executed by hacking or exposed due to poor data security:

  • U.S. Postal Service (DC) – 60,000,000 records – 2018
  • Office of Personnel Management (DC) – 21,500,000 records – 2015
  • California Secretary of State (CA) – 19,200,000 records – 2017
  • Government Payment Service, Inc. (IN) – 14,000,000 records – 2018
  • Georgia Secretary of State (GA) – 6,000,000 records – 2015
  • Office of Child Support Enforcement (WA) – 5,000,000 records – 2016
  • Office of Personnel Management (DC) – 4,200,000 records – 2015
  • U.S. Postal Service (DC) – 3,650,000 records – 2014
  • Los Angeles County 211 (CA) – 3,200,000 records – 2018
  • Washington Department of Fishing and Wildlife (WA) – 2,435,452 – 2016

How Government Agencies Can Defend Themselves

The federal government’s Office of Management and Budget (OMB) Federal Cybersecurity Risk Determination Report and Action Plan concluded that 71 percent of 96 agencies studied were either “at risk” or at “high risk.” The plan outlined four key findings:

  • Limited situational awareness
  • Lack of standardized IT capabilities
  • Limited network visibility
  • Lack of accountability for managing risks

While training, up-to-date patching, and other basic security measures can bolster government agency defenses, removing limited network communications visibility is arguably the most easily and quickly addressed. There are two strategic technologies that vastly improve network visibility: the use of SSL encryption/TLS encryption to secure all communications and the use of SSL inspection/TLS inspection to detect data exfiltration, as well as phishing, ransomware, and malware payloads.

 

Babur Khan
Technical Marketing Engineer, A10 Networks and Sanjai Gangadharan, Regional Director, SAARC, A10 Networks

 

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Zscaler announces AI innovations to its Data Protection Platform
Technology

Zscaler announces AI innovations to its Data Protection Platform

by VARINDIA 2024-05-20
SHIELD to enhance Swiggy’s fraud prevention and detection capabilities
Technology

SHIELD to enhance Swiggy’s fraud prevention and detection capabilities

by VARINDIA 2024-05-20
Axis Communications announces its first thermometric camera designed for Zone/Division 2
Technology

Axis Communications announces its first thermometric camera designed for Zone/Division 2

by VARINDIA 2024-05-20
SOFTWARE
View All
Hitachi Vantara and Veeam announce Global Strategic Alliance
Technology

Hitachi Vantara and Veeam announce Global Strategic Alliance

by VARINDIA 2024-05-16
Adobe launches Acrobat AI Assistant for the Enterprise
Technology

Adobe launches Acrobat AI Assistant for the Enterprise

by VARINDIA 2024-05-11
Oracle Database 23ai offers the power of AI to Enterprise Data and Applications
Technology

Oracle Database 23ai offers the power of AI to Enterprise Data and Applications

by VARINDIA 2024-05-10
START - UP
View All
Data Subject Access Request is an integrated module within ID-REDACT®
Technology

Data Subject Access Request is an integrated module within ID-REDACT®

by VARINDIA 2024-04-30
SiMa.ai Secures $70M Funds from Maverick Capital
Technology

SiMa.ai Secures $70M Funds from Maverick Capital

by VARINDIA 2024-04-05
Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure
Technology

Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure

by VARINDIA 2024-02-08

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
GoDaddy harnesses AI power for new domain name recommendations

GoDaddy harnesses AI power for new domain name recommendations

by VARINDIA
UAE’s du Telecom selects STL as a strategic fibre partner

UAE’s du Telecom selects STL as a strategic fibre partner

by VARINDIA
JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

by VARINDIA
Rapyder partners with AWS to accelerate Generative AI led innovation

Rapyder partners with AWS to accelerate Generative AI led innovation

by VARINDIA
ManageEngine integrates its SIEM solution with Constella Intelligence

ManageEngine integrates its SIEM solution with Constella Intelligence

by VARINDIA
Elastic replaces traditional SIEM game with AI-driven security analytics

Elastic replaces traditional SIEM game with AI-driven security analytics

by VARINDIA
Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

by VARINDIA
Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

by VARINDIA
Dassault Systèmes to accelerate EV charging infrastructure development in India

Dassault Systèmes to accelerate EV charging infrastructure development in India

by VARINDIA
Tech Mahindra and Atento to deliver GenAI powered business transformation services

Tech Mahindra and Atento to deliver GenAI powered business transformation services

by VARINDIA