Many years ago, when Distributed Denial of Service (DDoS) attacks were becoming a more common problem, I had a meeting with a government agency (not to be named here). The discussion was broad in terms of the challenges they faced around cyber security, but it was their response to how they handled DDoS attacks that stuck out more than any other part of the meeting. “Oh, we just shut down the servers that are being attacked until the attack subsides,” was their input on DDoS defense strategy. Now, to be fair, this was in the early days of advanced thinking on DDoS defense, and also in the context of a broader climate where the view was that if a DDoS attack was going on, it might signal an attempt to breach data from the server, so it was better to lose availability than to lose data confidentiality.
Times have changed since then and most any government agency now has to more evenly balance the availability threats with those targeting data confidentiality or integrity. Indeed, a few recent situations have highlighted the impacts of a loss of availability and the constituent reaction to security strategies that don’t effectively balance staying connected with staying secure.
The first of these is the recent attacks (depending on whose story you believe) on the Australian Bureau of Statistics (ABS) and its online census. First, the outage highlights that any organization that takes for granted that it won’t be attacked is playing right into the hands of adversaries. The loss of public trust driven by the lack of availability of the census website will have far-reaching effects on future efforts by ABS to engage with constituents online. Second, the fact that, according to some reports, the attacks were not significant in terms of traffic volume reflects the changing nature of cyber-attacks. Smarter, stealthy attacks can evade basic traffic-rate detection and exhaust specific resources within the application.
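To make the last point concrete, here is an added example (not code from the original post) that scores three constructed traffic samples two ways: with a plain requests-per-second threshold, and with a per-source "busy time" score, i.e. the server seconds each client keeps a worker occupied. The record layout, IP addresses and both thresholds are assumptions for the illustration.

```python
"""Added example: a rate threshold alone misses a low-volume attack that
exhausts application resources, so a resource-based signal is needed too."""
from collections import defaultdict

# Constructed log records: (timestamp_s, client_ip, path, server_time_s).
# Ten seconds of traffic for each pattern.
FLOOD = [(t, "198.51.100.7", "/", 0.01)            # 50 req/s, each cheap
         for t in range(10) for _ in range(50)]
SLOW = [(t, "203.0.113.9", "/search?q=x", 4.0)     # 3 req/s, each expensive
        for t in range(10) for _ in range(3)]
NORMAL = [(t, f"192.0.2.{i}", "/", 0.02)           # 5 req/s background
          for t in range(10) for i in range(1, 6)]

RATE_LIMIT_RPS = 20   # assumed volumetric threshold per source
BUSY_LIMIT = 1.0      # assumed: no single source may occupy more than
                      # one worker-second per wall-clock second on average


def rate_alerts(records, window_s=10):
    """Sources whose average request rate exceeds RATE_LIMIT_RPS."""
    count = defaultdict(int)
    for _, ip, _, _ in records:
        count[ip] += 1
    return sorted(ip for ip, n in count.items() if n / window_s > RATE_LIMIT_RPS)


def busy_alerts(records, window_s=10):
    """Sources whose requests consume more than BUSY_LIMIT worker-seconds
    per second; this catches slow, low-rate resource exhaustion."""
    busy = defaultdict(float)
    for _, ip, _, server_time in records:
        busy[ip] += server_time
    return sorted(ip for ip, s in busy.items() if s / window_s > BUSY_LIMIT)


def combined_alerts(records, window_s=10):
    """Union of both detectors: each one sees an attack the other misses."""
    return sorted(set(rate_alerts(records, window_s)) | set(busy_alerts(records, window_s)))


if __name__ == "__main__":
    traffic = NORMAL + FLOOD + SLOW
    print("rate-based:", rate_alerts(traffic))    # only the flood
    print("busy-based:", busy_alerts(traffic))    # only the slow attacker
    print("combined:  ", combined_alerts(traffic))
```

The flood source sends 50 requests a second but costs the server only half a worker-second per second, while the slow source sends three requests a second yet ties up twelve worker-seconds per second; only the busy-time score notices the second one.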
The second example comes from Singapore, where the government recently announced that employees’ work terminals would no longer be connected to the Internet, in an effort to reduce the risk of cyber security incidents. This is one of the more extreme measures I can recall by a large public organization to combat (avoid) cyber-security risks. The more common approach is to segregate certain systems within a network that access or store highly sensitive data. This process is often referred to as “air gapping” and typically means some systems can only be accessed from certain terminals that have no physical connection to other open networks, such as the Internet. Air-gapped networks are very common in military networks and in utility environments running SCADA systems, but not necessarily in civilian government entities. As coincidence would have it, I recently traveled to Singapore and asked many of those I met for their thoughts on this move. Without fail, those I spoke with felt it was a bad move and a hit to general confidence in the government’s approach to IT and technology. Tech has been such a central part of Singapore’s growth over the past 20+ years that it is hard for Singaporean citizens to imagine their government taking such an archaic approach.
The government sector is also an area into which we get good insights through our annual Global Application & Network Security Report. Respondents’ inputs shed light on the current threat priorities and defensive strategies common in the sector.
The first thing you realize when you survey government security professionals is that they feel like everyone is targeting them. Most industries home in on one or two threat actor categories, but government was the only sector where at least 40% of respondents identified each of our categories as a major risk. At the top of their list was, somewhat surprisingly, script kiddies, with 61% of respondents rating them as either a significant or a very significant threat (top-two-box).
Despite the sense of being broadly targeted, the inputs suggest that confidence is high in terms of preparation for most cyber-attacks. Around 60% of the respondents said they are confident or very confident in their current defenses against 6 of the 9 threat categories we listed. The highest confidence level is on DDoS, with nearly 70% saying they are confident/very confident (the highest of all industries surveyed). Their lowest confidence level is around protection of intellectual property from theft (only 30% indicated very confident). This could be more a reflection of the lower priority given to IP, due to less of a focus on IP development and protection.
Being confident in their defenses doesn’t mean the government security respondents don’t fear attacks, and they fear some attacks more than others. The attack this group says can do the most harm is unauthorized access, followed closely by DDoS attacks and then Advanced Persistent Threats. It was somewhat surprising to me that APT wasn’t #1 given the high-profile incidents, though it’s likely some selected unauthorized access as the end result of an APT attack.
So, a bit past the midway point of 2016, we can see that cyber-security attacks against government agencies around the world continue to have significant impact. Despite a concerted focus on and recognition of the threats, and in most cases ample investment in protection, attacks disrupt operations, erode citizen confidence, and even point to a broader vulnerability that could be exploited by nation-state actors. As we approach the 2016 Presidential Election, it’s a safe bet that cyber-security issues will once again creep into the broader consciousness in the United States, both as a legitimate issue and as a tool for political banter.