The cost of a data breach for government agencies
What happens when attackers breach local government, police departments, or public health departments? What would happen if attackers compromised the US Treasury network? These types of incidents occur monthly and result in service disruptions at the very least. More serious issues could arise, such as leakage of classified data or damage to critical infrastructure.
What about the cost of a data breach to government agencies? According to IBM’s latest Cost of a Data Breach report, each incident in the public sector costs an average of $2.07 million. In 2018, the US government faced a total of $13.7 billion in costs due to cyberattacks. Governments at all levels and in all countries are in danger. The stakes are high and preparation is essential.
Scope of government cyberattack risk
While threat actors still prefer to target healthcare, financial and technology companies, there are over 90,000 government entities in the United States alone. Research also shows a lack of knowledge and awareness of security measures in the public sector. This makes government offices attractive targets for cybercriminal gangs.
With heightened tensions, it is likely that state-sponsored cyberattacks will also continue to rise. Given the growing threat to government agencies, the FBI has issued a special risk notification. It states: “Ransomware attacks on local government entities and the resulting impacts are particularly significant due to the public’s reliance on critical public services, emergency services, educational institutions and other services overseen by local governments, making them attractive targets for cybercriminals.”
Yet, if even specialist cybersecurity vendors themselves are not immune to attack, how can a small government office protect itself?
Types of threats against government agencies
According to the FBI’s advisory, the most common infection vectors against government entities are phishing emails, Remote Desktop Protocol (RDP) exploits, and exploitation of software vulnerabilities. The diversification of threats has also become a major concern. For example, the FBI notes that threat actors are:
- Using rental (as-a-service) business models
- Sharing victim information between groups
- Using a variety of extortion strategies and attacking access points and data sources such as cloud infrastructure, managed service providers and software supply chains.
Earlier this year, the US Congress passed new legislation that impacts federal agencies and critical infrastructure owners and operators. The mandate states that agencies must report attacks within 72 hours. They must also report ransomware payments within 24 hours.
The new provision includes assistance to the departments of Defense, State, Justice, Treasury, Commerce and others. They will receive technology and continuity assistance from the government, which includes IT infrastructure and cybersecurity services. The legislation also gives the Cybersecurity and Infrastructure Security Agency (CISA) the power to subpoena entities that fail to report cyberattacks or ransomware payments. Meanwhile, CISA will also sponsor a program to alert agencies to exploitable ransomware-related vulnerabilities.
So while increased assistance is part of the package, so is increased pressure and oversight.
Lack of funds
The main obstacles to defending against attacks include the growing difficulty of paying competitive salaries, insufficient staffing and a lack of funds. All of these come down to tight budgets.
Despite the urgency, funding remains an issue for local and federal agencies. In 2021, $118.7 billion in technology spending was planned for state and local governments. Only a fraction of this sum was earmarked for security. It is unlikely to cover all needs, given that the government faces $13.7 billion in security costs every year.
Lack of insight
Many government offices also lack the strategies, experience and insight needed to prevent cybercrime. For example, during the 2019 attack on the city of Baltimore, a well-known Microsoft patch could easily have prevented an $18 million RobbinHood ransomware incident.
In 2019, attackers hijacked nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoins (about $76,000 at the time). The city refused to pay. Recovery efforts went on for months before the systems came back online. Meanwhile, water billing, property tax, property sales, parking ticket, email and voicemail services were all interrupted. The total cost of the Baltimore attack (including remediation efforts) was approximately $18.2 million.
How to respond to the threat
The FBI and many other agencies advise against paying ransoms. There is no guarantee that payment will result in the restoration of systems and files, and paying also encourages further attacks. Worse, the Treasury Department can impose penalties on entities that pay malware ransoms.
Preparation is essential. Here are some FBI suggestions for government agencies:
- Keep all operating systems and software up to date
- Implement a user training program and phishing exercises
- Require strong and unique passwords for all accounts with password logins
- Require multi-factor authentication (MFA) for as many services as possible
- Maintain offline (i.e. physically separate) data backups and test backup and restore procedures regularly
- Make sure all backup data is encrypted and immutable
- Protect cloud storage by backing up to multiple locations, requiring MFA for access to cloud data, and encrypting that data
- If you are using Linux, use a Linux security module (such as SELinux, AppArmor or seccomp) for defense in depth
- Segment networks to prevent the spread of ransomware
- Enforce the principle of least privilege through authorization policies
- Implement time-based access for privileged accounts
- Disable unnecessary command line utilities; limit scripting activities and permissions and monitor their use.
Improve security now
Improving security can seem daunting at first. However, it is not necessary to do everything at once. The idea is to start improving your security posture now, and then keep improving your preparation along the way.