Cyberattacks on federal, state and local government networks have become an increasing problem over the past several years, with no end in sight. Examples of recent high-visibility attacks abound. Perhaps the most notable was the attack on the U.S. Office of Personnel Management (OPM) discovered on April 15, 2015. The OPM fends off over 10 million attempted cyber intrusions every month. These are usually "commonplace" phishing and spam attacks familiar to every large organization. This attack was different, and when the attackers were eventually repelled about two weeks later, the complete personnel files of 4.2 million employees, past and present, had been grabbed, along with approximately 5.6 million digital images of government employee fingerprints. Many other government agencies have their own horror stories, including the Internal Revenue Service, which has been a regular target.
Cybersecurity Risks
The alarming trend was confirmed in a cybersecurity analysis, the "2017 U.S. State and Federal Government Cybersecurity Report," released on August 24, 2017, by SecurityScorecard, a security rating service. The Report analyzed 552 federal, state and local organizations and ranked the government 16th out of the 18 industries analyzed, ahead of only telecommunications and education. Industries ranking better included health care, transportation, financial services and retail. Fortunately, while the report focuses on uncomfortable government failures, it also provides a thoughtful path to improvement. The Report is a must-read for government board members.
The most prevalent cyberattack risks for government organizations include:
- Government organizations tend to struggle with "basic security hygiene" issues, such as password reuse on accounts. Adherence to outmoded password update protocols is a significant issue. No one has escaped the frustration of using, remembering and updating passwords for the growing number of devices, sites and apps in use every day. It is estimated that on a given day, the world collectively spends an equivalent of 1,300 years simply typing passwords. One study concluded that an average user has 6.5 different passwords, 25 accounts requiring passwords and enters an average of eight passwords a day. Recent suggestions that changing passwords regularly can, in fact, cause more problems have not been fully embraced. Government organizations are frequently delinquent in updating or replacing outdated software, patching current software and installing individual endpoint defense protections.
- Poor management of both older, rarely used devices and newer ones exposed to the public Internet, from laptops and smartphones to Internet of Things (IoT) units. "Even things like emergency management systems platforms from the mid-2000s were available to the public," said Alex Heid, SecurityScorecard's chief research officer. "There were more IoT connections available from government networks than I would have expected," Heid said. Each device, from government vehicles monitored by the organization to automated security entrances, is also capable of becoming an entry point for hackers to a much larger government universe. Forbes simplified this: "If it has an on and off switch then chances are it can be a part of the IoT." BI Intelligence predicts that there will be "more than 24 billion IoT devices on Earth by 2020." That equates to about four devices for every person on the planet.
- Many government organizations have simply not kept up with the new cybersecurity environment and have not developed the capabilities to combat the threat. Ironically, large government agencies are often the most aggressive investors in new technology. The problem seems to be that complexity and bureaucratic delay prevent massive cybersecurity technology platforms from ever being fully implemented. When newer and better solutions appear, as they do more frequently today, the older technology remains. "They'll implement a technology when it's very new and then it'll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions," said Heid.