New technologies have emerged to help fortify cyberdefenses. Will they work for government?
Iran, desperate to boost revenue following the return of sanctions imposed by the United States, has encouraged its hackers to pursue ransomware attacks on individuals and organizations, according to a report in the Wall Street Journal. “Crypto-mining and theft is an opportunity to get cash for cash-strapped countries,” Keith Alexander, former director of the National Security Agency and U.S. Cyber Command, told the Journal in August.
Back in the United States, the number of state and local governments and agencies that have suffered ransomware attacks has continued to grow. During the month of July alone, Government Technology reported hacks in Riverside, Ohio, the state of Alaska and Washington, D.C. Earlier in the year, Atlanta suffered one of the worst ransomware attacks ever recorded against a government.
These anecdotes provide a glimpse of what has become a tech problem that has grown so significant that it nearly overwhelms discussion of all other topics in the gov tech space. The explosion in cyberthreats and data breaches has fueled the growth of cyberdefense products and services. In 2004, the military and civilian cybersecurity market was a modest $3.5 billion, according to Cybersecurity Ventures, a research firm. Last year, organizations spent $120 billion on tools and products, and the market is expected to grow by an annual rate of 12 to 15 percent for the next three years.
The cybersecurity market is also becoming more complex as it responds to the increasing number and type of attacks and threats. CB Insights, a market research firm, categorizes cybersecurity into 11 different markets, ranging from mobile and cloud security to threat intelligence, behavioral detection and even quantum encryption (see sidebar).
Despite the fast-growing number and range of products and services, a few key trends are emerging when it comes to security and risk management. First, executives, both in the public and the private sectors, are finally aware that cybersecurity has a significant impact on the ability to achieve business goals and to protect an organization’s reputation, according to a recent report by Gartner, the technology research firm. Legal and regulatory mandates to protect data are impacting business plans and have increased the emphasis on data liabilities.
Gartner also highlights some specific trends as far as cybertechnology:
Peter Firstbrook, an analyst with Gartner who co-authored the report, pointed out that traditional, on-premise cybersecurity tools suffered because updates were often delayed for months, if not years. The delays came not from the vendors but from IT departments that were slow to carry out what was a laborious maintenance task, resulting in gaps of coverage that hackers could easily exploit. “But the cloud allows vendors to deliver security products that are more agile and easier to maintain,” he said.
The cloud also provides security vendors with a stream of data from their customers about the size, scope and type of threats and hacks in real time, allowing them to respond faster. “They can provide services quickly, such as whether there’s an intruder, what should be done next and how to solve the incident,” said Firstbrook, who cited a service from CrowdStrike called Falcon Overwatch that does just that.
The cloud’s ability to deliver high-end security without the need for a robust, on-premise, digital infrastructure gives it a special value in the public sector, especially among small government entities, explained Larry Ponemon, founder of the Ponemon Institute, a research think tank specializing in privacy, data protection and information security practices. “It was once considered sacrilegious to put government data in the cloud,” he said. “But in reality, the cloud is even more safe than on-prem. That’s important, especially for small governments that don’t have the resources for security.”
The emergence of the cloud has not only changed the agility of cybersecurity technology, but it has also impacted how hackers go after data, according to Firstbrook. As workloads and the productivity tools that run them have shifted to the cloud, the level of security from the major vendors, like Microsoft, has increased significantly. As a result, it has become harder for attackers to find a way to break into a PC and steal data. “Instead, they go after your authentication,” said Firstbrook. “So, now they go after your [cloud] account by sending a phishing email, trick you into giving them your credentials and then lock you out and steal your data.”
To counter this kind of threat escalation, many organizations have stepped up their awareness training for employees, to educate them on how to spot a phishing campaign and avoid having their credentials stolen. But there are other things that governments can do. First, by using multi-factor authentication solutions, government can make it harder for the attacker to take over the account, especially when work is increasingly in the cloud. Multi-factor authentication forces the hacker to steal not just a login and password, but also the person’s unique token.
Georgia Chief Information Security Officer Stan Gatewood has made threat analytics a key component of the state's cybersecurity strategy.
But Firstbrook said that organizations also need to monitor their accounts for suspicious activity. To do that requires threat analytics, part of a new trend that mirrors the growth of data analytics. In Georgia, threat analytics has evolved into an important cybersecurity strategy, according to Stan Gatewood, Georgia’s chief information security officer (CISO). “We want to use threat analytics, user analytics and predictive analytics on all that data that’s moving through our networks. We want to look at it and be able to predict what might happen.”
It’s the same reason Florida is using threat analysis along with more traditional security practices, such as security information management (SIM) and firewalls. “Threat analytics is about using the information you gather internally from SIMs and combining it with external sources as well as some of our own capabilities,” said Thomas Vaughn, the state’s CISO. “The data enriches what we are seeing in our environment and allows us to see threats that are impacting our environment,” he said.
Analytics can also be brought to bear on user behavior. “Behavioral analytics considers how a user performs certain actions, and then by looking at the patterns created by certain individuals, we can determine if their actions may be dangerous for the network or may indicate something nefarious,” he explained.
Ponemon calls threat analytics one of the smart investments his organization sees happening in both the public and private sector as a way to thwart the rise in cybercrimes and cyberattacks. “Threat intelligence or analytics is about getting more information from different sources about risk and threat vectors, what kinds of vulnerabilities an organization faces — the big picture,” he said. “Analytic tools are very effective in helping organizations manage their security in a systematic way that optimizes the budget.”
To make the most of threat analytics, states have hired analysts to carry out this critical cybersecurity function. But as Gartner’s 2018 trend report shows, machine learning presents an opportunity to automate some of the simpler threat intelligence tasks, such as identifying a problem and then elevating suspicious events for human analysts to evaluate. Machine learning can solve multiple security issues, such as authentication, insider threat, malware and advanced attacks, according to Gartner. By 2025, machine learning is expected to be a normal part of security practices.
This form of artificial intelligence, in which computers look for certain types of patterns, learn from them and refine their ability to detect anomalies in the data, is beginning to catch on. Ponemon Institute surveyed companies and found that 15 percent have either partially or fully deployed AI technology. “That’s higher than we thought,” said Ponemon, who pointed out that companies are increasing their purchases of AI security tools because they see value in those investments. However, the new technology is not replacing existing systems so much as augmenting them.
One measure of just how important cybersecurity has become is to look at the number of startups that are investing in the field and where they are putting their money. CB Insights, a market intelligence firm, identified 106 cybersecurity startups in 2016, and mapped them to 11 main categories for security.
Network and endpoint security: This is the largest startup security market, according to CB Insights, and includes firms that specialize in protecting enterprise computer networks from vulnerabilities.
IoT/IIoT security: This category includes firms that provide protection for connected vehicles and industrial control systems.
Threat intelligence: Startups in this category focus on targeting malicious activity on the deep Web to uncover potential threats and thwart attacks.
Mobile security: This security category includes firms that provide enterprise mobile threat protection for Android and iOS devices.
Behavioral detection: Companies are developing technology to detect abnormal behavior in order to identify threats and manage risks.
Cloud security: This category of startups offers enterprise solutions for secure application delivery across all types of cloud technology.
Deception security: Companies in this category can identify, deceive and disrupt attackers before they cause harm.
Continuous network security: Solutions in this category visualize network activity and response to attacks in real time.
Risk remediation: Companies look for vulnerabilities in technologies, people and processes and then give recommendations on how to plug the gaps.
Website security: Security firms offer website developers the ability to identify and police malicious website traffic.
Quantum encryption: Using the science of quantum mechanics, startup firms in this category offer encrypted wireless and data communications technology.
Source: CB Insights
Gartner warns that applying machine learning well enough so that it actually detects something new and different in terms of a threat can be difficult. “There are gradients of machine learning,” said Firstbrook. “It’s not a perfect identifier of a threat. The technology tends to cause more false alerts and false positives.” For example, intruders can camouflage themselves in what appears to be normal activity. They can also evolve quickly and move in directions not addressed by existing machine learning algorithms.
Gartner recommends machine learning for addressing narrow and well-defined problems, like classifying executable files. And it can help short-staffed security teams be more efficient, “find threats they couldn’t before, perform investigations more efficiently, and better anticipate future threats and risks.”
Gartner’s assessment of machine learning, AI and automation fits with how Florida’s Vaughn views the technology. “We tend to talk about AI and machine learning as topics unto themselves, but from my perspective, these technologies are enhancements that are being added to tools we already have,” he said. Vaughn pointed out that his team has been doing correlation searches for a long time, using data from the state’s firewall as well as data from SIM and malware tools. But with AI and machine learning, he can automate that correlation effort. “But it doesn’t change the core functionality of the SIM when you do that, it just adds an enhancement.”
In August, a research team from IBM revealed during a Black Hat security conference in Las Vegas that it had built a machine learning program that could slip past some of the most sophisticated cyberdefense measures. According to Reuters, the announcement could foreshadow a new generation of AI software that can be “trained to stay dormant until they reach a specific target, making them exceptionally hard to stop.”
Because the cost of AI software continues to drop — and in some cases can be used for free — the likelihood of some bad actors creating these sorts of next-generation cyberthreats is a growing concern, according to experts. For state and local governments, strained by lack of resources and already exhibiting a wide range in the quality of cybersecurity, a further leap in the sophistication of cyberthreats comes at a bad time.
In 2017, the Ponemon Institute researched the challenges in public-sector IT operations and found that confidence in current IT performance has declined, with survey respondents pointing to an ongoing lack of tools, skills and resources that has degraded performance since 2016. One key point was that the majority of IT decision-makers and staff in the public sector are unsure or “don’t think the data sets they are using can solve multiple challenges, such as IT troubleshooting, service monitoring, security and mission analytics.”
While that’s a problem that extends to all aspects of government IT, it is a particular challenge in IT security, where intruders and hackers are exploiting new vulnerabilities daily, making it vital that government build up the right resources against cyberattacks, whether they come from the next town, the next state or halfway around the world, such as Iran or North Korea.
Firstbrook laid out the dilemma government faces as cyberthreats grow while investments in the latest IT security products and strategies continue to stagnate. “Government is stuck with legacy systems, so it’s unlikely they can wipe everything out and start over with an entirely new IT system that is entirely secure,” he said. To counter that problem, government needs to be cognizant of how hackers, intruders and data thieves operate.
“Attackers go after vulnerabilities that are generally well known. Their business model is built around a known vulnerability, where there are lots of potential victims,” he said. “You don’t have to be the Department of Defense [when it comes to cybersecurity], but you do have to be better than the next guy. You don’t want to be an obvious victim. That’s how they get you. If you have an open or exposed vulnerability, you are an easy target.”