In the last four years, the average number of government data records compromised per breach increased by more than 400%. This upward trend demonstrates how the impact of any single attack is growing, and it reflects a grim reality in the cyber world — cybercrime is transitioning from targets of opportunity to focused targets of choice. The shift is bad news for government agencies.
For cybercriminals and hacker groups, government institutions are often lucrative victims, which means they’re also larger targets. More than 822 government organizations suffered from data breach incidents in the last eight years; a total of 174 million records were leaked, with a total financial impact of $26 billion.
Government data breaches can have severe consequences for both individuals and society as a whole. If hackers gain access to an agency with taxpayer information, such as the IRS, social security numbers and financial information can be stolen and used for identity theft. In addition to the financial risks, government data breaches can compromise national security by exposing sensitive information about government operations and infrastructure.
To counteract cybercrime and its associated risks, government institutions must identify vulnerabilities in their networks and understand how any previous attacks occurred. But bureaucratic hurdles across and within a government entity mean that technological processes, including investments and changes toward cybersecurity improvements, could be slow, budget-limited and prone to human errors due to inadequate cybersecurity awareness and expertise in-house.
State-sponsored cybercriminals take advantage of these limitations as they leverage sophisticated attack vectors and exploit technology vulnerabilities. Considering the scale of operations across government entities, it may take time to employ transformative measures to fight against increasingly sophisticated cyberattacks.
Reducing and mitigating risk
To combat evolving attack methods, governments can take the following steps:
- Implement robust security measures to limit access to sensitive information, such as encryption and multi-factor authentication.
- Regularly conduct security audits and vulnerability assessments to identify and address potential weaknesses in government systems.
- Develop incident response plans to quickly and effectively respond to data breaches.
- Increase awareness and education among government employees and contractors about the risks of data breaches and the importance of proper data handling and security protocols.
- Establish laws and regulations to govern the handling of sensitive data and increase the accountability of organizations, including government agencies and partners that collect and store it.
- Encourage the reporting of suspected data breaches and provide robust support and protection for whistle-blowers.
- Develop a network of public-private partnerships to share intelligence and best practices for protecting against data breaches.
Overall, government agencies need to adopt a more proactive stance in protecting sensitive information, rather than just reacting to data breaches after they occur. This requires strong technical security measures, ongoing awareness and education, and a cohesive security culture within and across government organizations.
Modeling potential threats
Government entities can also reduce the risk of cybercrime and attacks by applying the STRIDE model, an acronym used to understand and classify different attack methods and threats. It stands for:
- Spoofing: impersonating another user or system to gain unauthorized access
- Tampering: modifying or altering system configurations without authorization
- Repudiation: denying that an action took place or denying responsibility for an action
- Information disclosure: unauthorized disclosure of sensitive information
- Denial of service: disrupting the availability of a service or system
- Elevation of privilege: gaining unauthorized access to higher-level system privileges
STRIDE is typically used as a framework to identify and evaluate potential security risks during threat modeling, the process by which potential threats to a system are identified and cataloged. Breaking potential threats into these categories allows security professionals to systematically assess and address each type of threat and prioritize the most critical risks.
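As an added illustration (not part of the original article), the following script shows how the STRIDE categories above can be applied systematically and the results prioritized. It assumes Microsoft's STRIDE-per-element convention, in which each kind of data-flow-diagram element (external entity, process, data store, data flow) is exposed to a fixed subset of the six categories; the sample system (a citizen-facing tax portal) and the likelihood/impact scoring are constructed for the example.

```python
"""Minimal STRIDE-per-element threat enumerator (added example, not from the article).
Assumes Microsoft's STRIDE-per-element convention for which categories apply to
each DFD element kind. The system description and scoring below are constructed."""
from dataclasses import dataclass

# STRIDE-per-element: applicable threat categories by DFD element kind.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",      # R applies only to stores that hold audit logs
    "flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass
class Element:
    name: str
    kind: str                        # external | process | store | flow
    zone: str                        # trust zone the element lives in
    sensitivity: int = 1             # 1 (public) .. 5 (e.g. taxpayer PII)
    crosses_boundary: bool = False   # only meaningful for flows
    holds_logs: bool = False         # only meaningful for stores

def enumerate_threats(elements):
    """Return (score, element name, STRIDE category) tuples, highest risk first."""
    threats = []
    for e in elements:
        cats = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "store" and not e.holds_logs:
            cats = cats.replace("R", "")     # repudiation needs an audit record
        for c in cats:
            # Constructed scoring: likelihood rises for flows crossing a trust
            # boundary; impact follows the sensitivity of the data involved.
            likelihood = 3 if (e.kind == "flow" and e.crosses_boundary) else 1
            threats.append((likelihood * e.sensitivity, e.name, STRIDE_NAMES[c]))
    return sorted(threats, key=lambda t: (-t[0], t[1], t[2]))

# Constructed sample system: a citizen-facing tax portal.
PORTAL = [
    Element("Citizen browser", "external", "internet"),
    Element("Portal web app", "process", "dmz", sensitivity=4),
    Element("Taxpayer DB", "store", "internal", sensitivity=5),
    Element("Audit log", "store", "internal", sensitivity=3, holds_logs=True),
    Element("Browser -> web app", "flow", "internet", sensitivity=4, crosses_boundary=True),
    Element("Web app -> DB", "flow", "internal", sensitivity=5),
]

if __name__ == "__main__":
    for score, name, cat in enumerate_threats(PORTAL):
        print(f"{score:>2}  {name:<20} {cat}")
```

The boundary-crossing browser-to-web-app flow surfaces at the top of the list, which is where a review of the controls in the "Reducing and mitigating risk" section would start.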
Though STRIDE is a prevalent and effective methodology, several others are available, including PASTA, VAST, Trike, OCTAVE and NIST. Some are more appropriate for IT disciplines or have different focuses, such as applications instead of networks. If you are a federal government agency, consider focusing more on NIST and FedRAMP standards. However, no threat modeling technique is perfectly tailored to a specific use. You should choose the one that most closely aligns with your goals and infrastructure.
Going forward, remember that your threat model is a living document that must be constantly reviewed and updated. After a system-wide threat model has been performed, it can be valuable to complete mini-threat models as a secure engineering design requirement.
Lastly, remember that security threats are constantly evolving, and the most frequent threat vectors tend to exploit the human element in some form — in fact, according to IBM research, the human element is a significant contributing factor in 95 percent of all successful cyberattack incidents.
Government organizations should therefore focus on training staff to adopt security best practices such as maintaining strong and frequently updated passwords, not clicking unsolicited links or downloading email attachments, and avoiding Shadow IT, the practice of using systems and applications without explicit department approval.
Overall, government agencies will continue to operate with a target on their back, but the risk of an attack can be mitigated with better preparation and a more proactive approach.