How Governments Can Mitigate Rising Cyberattacks
Is your agency talking to its ISP, using multiple data centers and monitoring its networks?
With 2015 nearing a close, Fortune magazine recently reported that the word of the year may be “cybersecurity.” It was a year when cyberattacks continued to make headlines:
- One in three Americans had their information exposed when U.S. health insurance firm Anthem had 80 million customer records breached.
- One hundred thousand taxpayers had their information compromised as the result of a breach at the Internal Revenue Service.
- In June, it was estimated that 4 million people’s information had been hacked in a breach at the Office of Personnel Management. But on July 9, 2015, that number exploded to 21.5 million, when a second breach at the agency was revealed.
We live in the age of mega-hacks, where no entity appears to be immune from being a target. Government is definitely vulnerable, and agencies have a huge responsibility to protect their digital assets, including intellectual property, agency and constituent data, and financial and classified information.
The risk to government from cyberattacks is increasing exponentially. In a June 2015 survey of federal government CIOs, 28 percent of respondents said attacks were up 50 to 100 percent during the past year. Six out of 10 state chief information and security officers from 49 states said the sophistication of attacks was increasing, according to an October 2014 report from the National Association of State Chief Information Officers and the consulting firm Deloitte & Touche LLP.
Attempting to hack into government computer systems constitutes criminal activity. However, the motivations for doing so vary greatly. There are three primary categories of threat actors, the individuals or groups who initiate cyberattacks:
- Nation-state sponsored threat actors are those who perpetrate cyberespionage on behalf of foreign governments, often with the intention of pilfering research and development data or intellectual property or to spy on government operations. Typically, their purpose is to steal information that can be useful in gaining geopolitical power or that can be used against a rival nation.
- Hacktivist threat actors strike to draw attention to a specific cause. Their attacks generally are designed to disable government websites or defame them as a way to stage online protests. Anonymous is one such group.
- Commodity or sport threat actors conduct cyberattacks for sport and typically work on their own and for their own purposes. They may attempt to infiltrate websites “for fun” to test and improve their hacking skills. These threat actors also may try to breach an entity as a way to make a name for themselves within the hacker community.
Attacks on the Rise
Several factors are contributing to the rise in attacks on government:
- High-profile civic unrest. After the August 2014 shooting of teenager Michael Brown in Ferguson, Missouri, for example, hackers told city government they would “take every web-based asset of your departments and governments offline.” They then made good on the threat, leaving the city with the sole option of conducting business via phone and text messages for several days. Months later, when the nation waited to hear whether the police officer who shot Brown would face charges, the FBI warned government agencies across the country that they could be subject to cyberattacks.
- Controversial government decisions. In the last couple of years, Utah has seen an acute uptick in hackers trying to breach state computers. Utah Public Safety Commissioner Keith Squires said that, on some days, the number of attempted attacks has reached 300 million, and he attributes the sharp increase to the opening of an NSA datacenter near Salt Lake City. Controversial legislation also can accelerate cyberattacks. For example, after the passage of the Religious Freedom Restoration Act in Indiana in late March 2015, the Indianapolis Star reported on April 3 that, in response to the legislation, a hacker group temporarily disrupted access to the state’s website.
- Ease of launch. Attacks also may be increasing due to the prevalence of personal computers with high-speed Internet access, which has expanded the number of possible attack sources. In addition, certain types of attacks are cheap and easy for almost anyone, regardless of technological skill, to initiate. For example, as advertised on the Internet, for $6 a month an attacker can purchase a DDoS (distributed denial of service) subscription that can facilitate an attack with a small number of clicks and claims to virtually eliminate the chance of getting caught.
What Government Can Do to Reduce the Risk
Apart from the rare instances when hackers announce in advance that they are targeting a certain site, attacks occur without warning, and government can do little to prevent them. Agencies can, however, take action to reduce the risk of harm. In particular, they can take steps to protect themselves against and help mitigate the effects of a DDoS attack, including:
- Agencies should, at a minimum, talk to their Internet service providers before an attack happens. An agency needs to understand how its ISP handles traffic associated with DDoS attacks that attempt to take the agency’s services offline by flooding a website with bogus traffic beyond what the site can handle. Agencies need to confirm that the ISP has a service it can engage to reroute all traffic through a filter to clear out the “bad” requests and then reroute legitimate traffic back to the agency. If the ISP doesn’t have something in place to handle this situation, and an agency is attacked, costs to mitigate the attack potentially could be exorbitant.
- Government can consider storing data in multiple data centers. Spreading out storage in several locations makes it hard for hackers to compromise all of an agency’s data in an attack and has the added benefit of reducing the agency’s storage costs. Agencies that are more susceptible to being targeted, such as the state police or departments of revenue, should consider migration to locations outside of government’s central data centers.
- An agency should actively monitor its networks for suspicious activity, or engage a third party to monitor its network, and take immediate action to mitigate an attack if one occurs. Ideally, the provider will offer automated mitigation that addresses the attack and restores service within a few minutes. The third-party provider also should maintain a team that can respond quickly to every attack, ensuring that mitigation is happening promptly and correctly and that any needed follow-up steps are taken to better prepare and defend against future attacks.
Undoubtedly, government is a top target for hackers. While attacks are unpredictable, agencies can take steps to prepare for and mitigate the effects of such an attack. With preparation and the right partnerships, agencies can be better equipped to protect their digital assets and manage attacks when they happen.
Jayne Friedland Holland is Chief Security Officer and Associate General Counsel at NIC Inc. Contact her at jayne@egov.com.