The COVID-19 pandemic has dramatically altered the way we live, work and interact, creating new cyber-risks and challenges that will continue in 2021. A large portion of these new cyber-risks resulted from the sudden move to telework, which presented a particular challenge to the public sector because of its strong norms of on-premise work. Nevertheless, telework in government agencies has proved a success, with a number of agency leaders citing benefits including cost savings, increased productivity and broader pools of talent. Even as vaccinations are underway, many government employees look likely to permanently work from home. The question remains: Can public-sector cyber defenses meet the new realities of a post-pandemic cyberthreat landscape?
In recent years, U.S. public-sector agencies have experienced a shift towards digitization, with greater use of new technologies including cloud-based infrastructures, Internet-of-things (IoT) devices, network management software and other software-as-a-service solutions. The pandemic accelerated the adoption of these new technologies, as well as additional new third-party applications for remote work collaboration like Zoom and Slack.
While federal procurement programs like the Federal Risk and Authorization Management Program (FedRAMP) can ensure a base level of cybersecurity compliance, the reality is that in cyberspace, it is still easier to attack than defend. Every year, cyberattacks become cheaper, easier and faster, with attackers growing increasingly persistent and sophisticated. Because government agencies perform critical functions and store large amounts of sensitive data, they are prime targets of a variety of cyber-adversaries — from financially motivated cybercriminals to nation-state hackers conducting cyber-espionage.
The massive SolarWinds breach on multiple federal agencies has starkly highlighted the risk of supply chain vulnerabilities to both public- and private-sector organizations. The U.S. Intelligence Community has formally stated that the breach was part of a broad cyber-espionage campaign by Russia’s foreign intelligence service, the SVR. While the compromise was severe, the outcome could have been much worse if, for example, a ransomware group had been behind the intrusion and encrypted the affected systems for payment.
As government agencies have grown more reliant on third-party providers, supply chains have become a major attack vector. Increasingly advanced attackers — including ransomware operators — are devoting more attention and resources to target supply chain companies as it allows them to compromise many networks at once. Managing supply chain risk is an essential part of cyber-risk management, but the majority of public-sector organizations — already underfunded and understaffed — do not have the resources to develop frameworks to measure and evaluate cyber-risk exposure from suppliers by themselves.
One good way public-sector organizations can evaluate the cyber-risk exposure of prospective service providers before engaging them as trusted third-party partners is through security ratings. These ratings, from companies like SecurityScorecard, provide a standardized snapshot and ongoing monitoring of a company’s cybersecurity capabilities. Public-sector organizations should leverage cybersecurity ratings alongside programs like FedRAMP to make effective strategic risk decisions.
In February 2020, the National Institute of Standards and Technology (NIST) released new draft guidance around cyber supply chain risk management. Public-sector organizations, from local and state to federal agencies, should look to this guidance for best practices on managing and mitigating supply chain risks. Measures should include communicating and validating cybersecurity requirements to suppliers, as well as identifying and adding protections around the systems or components whose compromise would cause the greatest organizational impact.
Lastly, given how difficult supply chain compromises are to prevent and detect, organizations must develop, test and train incident response plans so that if an attack were to occur, the “blast radius” can be contained. Part of this includes knowing who to engage in the broader cyber ecosystem for intelligence gathering and containment strategies to mitigate the effects of an attack.
Supply chains are just one vector allowing threat actors to launch a variety of cyberattacks from data breaches to ransomware. Indeed, in 2020, the public sector faced a far greater risk from financially motivated cybercriminals than nation-state cyberspies. Verizon reports that last year, 75 percent of cyberincidents involving public-sector organizations were financially motivated, with ransomware accounting for 62 percent of malware incidents. Ransomware attackers have long targeted the public sector. The city of Baltimore has now experienced severe ransomware attacks three times: in 2018, 2019 and just last Thanksgiving, with an attack that crippled the district’s remote learning programs, and grading and emailing systems. These attacks on public-sector entities will likely grow even more this year.
In addition, ransomware threats are becoming even more advanced. In the last couple of years, a growing number of nation-state hackers have begun to conduct financially motivated attacks alongside their nation-state missions. This has put highly advanced tools in the hands of cybercriminals, resulting in more impactful and costly attacks. Last year, Ryuk ransomware was seen going from initial phish to domain-wide encryption in just five hours, and “double extortion” ransomware attacks — where attackers steal sensitive data before encrypting systems — are now standard operating procedure.
Aside from more advanced tools, ransomware threats are difficult to detect and defend against because once the malware is running on a user's system, it executes as that user: from the operating system's point of view, the ransomware is effectively indistinguishable from the user. User accounts can be compromised in a variety of ways, including business email compromise (BEC), phishing, stolen credentials and more. As such, a large part of cyberdefense against ransomware attacks relies on good cyber-awareness and hygiene from employees — an even bigger challenge with the new teleworking arrangements.
Teleworkers are using more devices, more applications and connecting to organizational infrastructure over home networks that are often poorly secured. Increases in endpoints, operating systems and applications have caused the cyberattack surface — i.e., the number of possible ways an attacker can get into a network — to expand significantly. In addition, many employees working from home are forced to juggle the demands of work, childcare and general stress over pandemic uncertainty. Distracted employees paying less attention to security are much more susceptible to clicking on malicious links and social engineering attacks. These factors create a situation where attackers can gain footholds in networks through negligence, careless mistakes and poor personal cyberhygiene.
As employees continue to work from home, public-sector organizations must improve cyber-awareness and promote a good cyberculture across all levels. In October, the Cybersecurity and Infrastructure Security Agency (CISA) released its Telework Essentials Toolkit, detailing best practices to keep employees and networks secure while working from home. Government agencies should consult and implement these guidelines across their networks, paying special attention to ensuring that mobile and tablet devices are also adequately protected.
About the Author
Christopher Hetner
This content is made possible by our sponsors; it is not written by and does not necessarily reflect the views of e.Republic’s editorial staff.