When cybercriminals are successful, people lose confidence in the government’s ability to secure their information.
2016 was the year cyberattacks shook the public sector. From the start, we witnessed sophisticated attacks that targeted government employees (both federal and the state) and politicians, and aimed to breach sensitive data and infiltrate organizations. Targets included city, county and state government organizations in communities like Los Angeles, Salt Lake City and El Paso, Texas.
The public sector has become a top target for cybercriminals who are interested in more than just financial gain. For example, attacks carried out by cybercriminals, such as the highly publicized phishing attack against Los Angeles County, which disclosed usernames and passwords of more than 756,000 Californians, were intended to compromise sensitive employee credentials. And when cybercriminals are successful — when federal employee emails are made public or when tens of thousands of Social Security numbers are stolen — people lose confidence in the government’s ability to secure their information.
Just as with hacks of private organizations, the impact is felt not just by those whose information is taken. The stolen data can now be used to launch attacks on a victim’s family members and friends. Consider how many times we list an emergency contact and include a name, phone number and email address. That person can now be contacted by an attacker posing as the person whose record was stolen. It’s that easy.
Despite the increasing magnitude of cyberthreats, however, government agencies are struggling to keep personal data and public infrastructure safe. According to a recent KPMG report that surveyed a pool of executive-level government officials and contractors, nearly 65 percent said the government as a whole cannot detect ongoing cyberattacks and 59 percent believe their agency currently struggles to understand how cyberattackers could potentially breach their systems.
Why is government failing to keep ahead of the criminals?
As we work with government agencies and private companies, we see cybercriminals creating increasingly sophisticated attacks by using contextual information, such as what is available on social media sites like Facebook and LinkedIn, to understand company networks and employee interests, and then disguising themselves as a trusted source to trick victims into performing a desired action. For example, members of John Podesta’s staff were tricked into believing a fraudulent email was in fact legitimate and willingly clicked on a link, inviting the attackers in.
Standard defenses just don’t work. Attacks are specifically designed to work around awareness training, and even security professionals are challenged to identify today’s sophisticated phishing attacks. Spam filters, which examine bulk email for keywords, aren’t designed to detect these types of attacks, and most of these attacks don’t involve a virus that anti-virus software can detect.
That’s why these social engineering-based email attacks — which typically rely on identity deception, including spear phishing and business email compromise (BEC) — are the fastest growing security threat facing public and private organizations today. The FBI reported losses from BEC scams jumped from $2.3 billion (April 2016) to $3.1 billion (June 2016). One factor driving this increase is a “trickle-down effect.” It typically takes no more than a few weeks from the use of a new method in a high-value attack (such as a state-sponsored attack) until the same method is reused against enterprises — most likely because the same criminal organizations are behind both attacks.
So while the attackers are rapidly evolving their strategies and methods, government agencies and private companies are doing little to adjust their defenses.
Organizations should adopt email security technologies that focus specifically on preventing the more targeted, and increasingly popular spear phishing and BEC attacks. While firewalls and scanning for malware can aid with these defenses, the best solution is one that can identify the true identity of an email’s sender to detect and then block all fraudulent emails.
Given the global implications of recent cyberattacks, cybersecurity within the U.S. public sector needs to become a top priority. Government agencies need to stay informed of the latest cybersecurity trends and the innovative solutions available to protect against new threats. Attacks against this sector will only grow more sophisticated and more dangerous over the coming months if action is not taken soon. The government just needs to act — and fast.