Cybersecurity Reports Agree on Espionage, Differ on Public-Sector Data Breaches

Recent reports from Verizon and Symantec agree that cyber-espionage remains a problem for public agencies, but disagree on the extent to which data breaches are a significant issue in government.

by Theo Douglas / May 5, 2017

Two studies of Internet security released within one day of each other had many similar findings, primarily that the public sector generally fared no better or worse than retail, business and other areas last year — but it continues to be a significant target for cyber-espionage and email-based attacks, though not necessarily other common U.S. attacks like identity theft.

But there was one glaring difference between the Symantec 2017 Internet Security Threat Report (ISTR) released on Wednesday, April 26, which Government Technology covered thoroughly, and Verizon's 2017 Data Breach Investigations Report (DBIR) released the next day: Verizon, which devoted a section of its report to public administration, ranked the public sector midrange among five types of entities surveyed for data breaches last year. Symantec, which offered rankings by industry at several points in its report, ranked public administration ninth out of 10 industries most affected by data breaches.

Verizon report author Marc Spitler echoed the report's text, telling Government Technology that many of the reported breaches, which contribute to the total number of incidents, could have been "of the non-cyber variety," potentially amounting to missed paperwork deliveries wherein one employee received the documents of another.

"We do report on those," Spitler said. "Even though it’s not necessarily a hacker penetrating, it’s still something that we report on."

Kevin Haley, director of Symantec Security Response and an author of its report, said that in many ways, the public sector may be no different “from anyone else,” and pointed out Symantec's data set is different because it focuses on breaches that were publicly acknowledged.

"I think at the end of the day — and my concern — when we get too caught up in the rankings, we say, ‘Well, I don’t have to worry about it, I’m only No. 10,'" Haley told Government Technology. "I think the thing is, you shouldn’t feel safer if you’re at No. 3 out of 6 or No. 7 out of 10. Recognizing that your industry is in the Top 10 should be a concern, and even if you’re not in the Top 10, it should be a concern."

Verizon found public administration was the third most prevalent victim of data breaches of various types, accounting for 12 percent of all breaches behind financial organizations with 24 percent and health-care organizations with 15 percent.

Its report was based on investigations and intelligence operations done by Verizon using the Vocabulary for Event Recording and Incident Sharing (VERIS) framework, and reports from contributors, compiled from more than 42,000 cybersecurity incidents and nearly 2,000 data breaches across 84 countries.

The Symantec report closely documented how victims were hard-hit in 2016 and what types of attacks were popular that year, a fractious U.S. election year and a time when zero-day vulnerabilities and sophisticated malware were increasingly set aside in favor of simpler approaches.

It recorded 1,209 breaches across all sectors last year, down just two from 2015, but down more than 300 from 2014. But Symantec tracked a rise of nearly 68 percent last year in emails sent containing a malicious link or attachment. In concrete terms, 1 in 131 emails sent last year contained malware, the company reported, up from 1 in 220 in 2015.

The Symantec Global Intelligence Network tracks more than 700,000 global adversaries, records events from 98 million sensors worldwide and monitors threat activities in more than 157 countries and territories through its products and services.

But officials at both companies warned against reading too much or too little into these and other findings, noting that reports were somewhat informed by the origins of their material and by the time period surveyed; and cautioned that even sectors that ranked low for malware or spam should remain vigilant.

In its report, Verizon authors identified 21,239 incidents in the public sector last year — and reported that only 239 of them, a little more than 1 percent, rose to the level of a data breach. By contrast, the financial and insurance sector had just 998 incidents — but 471, more than 47 percent, resulted in confirmed data disclosure.

The report noted that “government is required to report up the chain on incidents that would remain unremarked upon in many organizations,” but Spitler said readers shouldn’t assume the high number of incidents means the public sector doesn’t know what it is doing.

“I don’t believe that the higher number with regard to the public sector necessarily means they are doing better or worse than others,” Spitler said. “The government is very big and the government does a lot of maintenance. And people in various sectors aren’t necessarily better at not losing things than others.”

Verizon identified the top three breach patterns within public administration as coming from cyber-espionage, misuse of privilege and miscellaneous errors, comprising 81 percent of all sector breaches.

The company also ranked the public sector sixth of eight for industry phishing, accounting for 9.2 percent of attacks.

Symantec authors ranked public administration ninth of 10 sectors breached last year by number of incidents, with six breaches; and ninth of 10 sectors breached where identities were stolen, at nearly 1.2 million.

That, Haley pointed out, “is still a pretty significant number,” emphasizing lower-ranked sectors still need to remain vigilant.

The company also rated public administration eighth of 11 sectors for email malware, with 1 in 141 emails bearing malware; and fourth of 11 for phishing, with 1 in 2,239 emails containing phishing.

Spitler and Haley agreed that simply because of their position, public agencies continue to be the targets of cyber-espionage. Verizon ranked the public sector second out of 13 with 112 incidents — behind only the manufacturing sector with 115.

But Haley said the larger story for his company was likely the rise in malicious email and the fact that an average of more than 229,000 Web attacks were detected every day last year — despite Web attacks having dropped 32 percent. Email security, he said, “has been kind of boring,” and people may not be updating or patching.

“I think it’s really a wake-up call to say, ‘We need to re-evaluate our email security to see if we’re doing everything we can do.’ The landscape changes, the social engineering that people use changes,” he said, noting the increased use of business email compromise (BEC) scams, essentially spear-phishing of employees by someone who pretends to be their CEO or senior manager.

As for origin stories, Symantec identified two distinct sides to cyber crime: what it termed “traditional mass-market cyber crime groups,” such as those behind ransomware and online banking threats; and organized criminal groups like those responsible for complex financial heists.

Within the public sector, Verizon reported a roughly 60/40 split between external and internal “threat actors.” It ranked misuse by insiders and those with privileged use as high in public agencies, with personal information targeted 71 percent of the time for financial crimes — though it found the criminals, more than half the time, are “the average end-user absconding with data in the hope of converting it to cash somewhere down the line.”

Miscellaneous errors, which with cyber-espionage and privilege misuse accounted for more than three-quarters of public-sector crimes, were reported more predominantly by government organizations, Verizon authors wrote. They noted that simple misdelivery of information was the most common mistake, followed by publishing and disposal errors.

More problematic, Verizon found, was the period of time public agencies took to discover they’d been breached. In 39 of 66 cases, or nearly 60 percent of the time, their discovery was years in the making. In nine of 66 cases, or nearly 14 percent of the time, discovery took months.

“It’s one [area] where almost everybody needs to improve,” Spitler said, noting that issues of employee misuse can be harder to spot than payment card breaches or identity theft.

And Haley pointed out a simple fact of life that can have negative consequences for the public sector or any other impacted area.

He praised governments for starting to embrace guidelines from the National Institute of Standards and Technology and other organizations — but said if an agency or business in your sector is breached, brace yourself.

“Once your industry kind of gets labeled an easy target, it really doesn’t matter whether it was you or not, or how good your security is — you’re going to draw flies. You’re going to get attacks,” Haley said.