Sponsor Content

Are We Finally Going to Upgrade Government Cybersecurity?

Learn about the efforts to improve U.S. government cybersecurity, why those measures haven’t worked very well so far and how to make your government organization more resilient to cyber attacks.

As the recent massive SolarWinds cybersecurity breach has shown, U.S. government cybersecurity is still playing catch-up with evolving cyber threats. The Russians and other state-sanctioned hacking groups have been running circles around our federal government for years, and the SolarWinds hack is just the most egregious example. The truth is that, in general, government cybersecurity at all levels is no match for the advanced sophistication and ferocity of modern hackers, who are often state-sponsored with significant resources to mount long-term campaigns. In a recent interview, Brad Smith, president of Microsoft, a company affected by the SolarWinds attack, stated that they believe over 1,000 developers were involved in the hacking effort.

There have been other high-profile failures in government cybersecurity over the last few years. There was the breach of government worker data at the Office of Management and Budget (OMB) a few years ago, attributed to the Chinese government, in which the data of over 20 million current and former workers was stolen, including background investigations for security clearances. In another massive government data breach, over 191 million voter registration records were revealed in an unsecured cloud archive. To put this into perspective, that’s almost 99 percent of all registered voters! And the SolarWinds attack, which introduced a critical vulnerability into many major federal agencies, showed that these organizations are essentially asleep at the wheel when it comes to monitoring for successful attacks underway.

Ransomware is here to stay

States and cities have fared no better. Small towns and cities across the nation have been infected with ransomware and charged hundreds of thousands of dollars to bring their systems back. Twenty-two small towns in Texas were shut down simultaneously in 2019 in the first known instance of a “mass” ransomware attack, perpetrated through a hacked managed service provider. These smaller towns often have minimal IT staff or outsource the function completely, which puts them at risk from insecurities at those providers, as this attack illustrated. But even big cities like Atlanta, with significant IT departments, have been successfully breached by ransomware attackers, with large impacts on critical systems operations. Many of the entities had no choice but to pay the ransom in order to restore civic operations. And major state operations have been affected, too. The state of Louisiana had to shut down several state agencies and declare a state of emergency when ransomware infected them. And these are just a few well-known examples.

Given their success, we can expect the large criminal organizations and state-sponsored hackers to increase and intensify their attacks on government entities, both for profit and political gain.

Why governments continue to be the target of hackers: Budget cuts, shortage of personnel and lack of action taken.

And the problem is that, to date, efforts to improve cybersecurity for government operations have been limited and sporadic. Time after time, U.S. federal government agencies have failed their external security audits, but rarely do you hear of any serious sanctions, such as top officials being fired or limitations put on that agency's activities. The problem is that we can’t just shut them down or cut their budgets. That would be punishing the citizens for the incompetence of the agencies.

Part of the issue is budgets. Cyber defense budgets haven’t significantly increased in most small to medium government entities. Events such as the pandemic have made matters worse, as government revenues have dropped significantly in most areas due to lack of spending by locked-down citizens and businesses. Budget cuts often dig deeply into cybersecurity spending since it is often seen as a zero-sum game by politicians.

Another issue is the lack of qualified talent to work in government cyber positions; there is a general shortage of security personnel across all industries and these specialists are in demand. Often, a well-paid corporate job or an exciting startup appeals over a lower-paying government position. This situation is unlikely to improve any time soon, as enrollments in computer science programs are not growing with demand, and women, who represent over 50 percent of the workforce, are often driven away from these well-paying careers by issues such as sexism and harassment. Efforts are underway to encourage STEM careers and tackle the social issues, but it will be years before our training pipelines are full of future cybersecurity professionals, ready to work for the government.

Direct government action has also been limited, and is often focused on niche industries or toothless in terms of penalties. It has literally taken decades to get HIPAA and HITRUST fully enforced so that health-care agencies take them seriously. Last year, the Office of Civil Rights, the agency that issues fines and penalties for HIPAA violations, issued $13 million in monetary fines to offending organizations. This sounds like a lot until you realize it is a drop in the bucket compared to the billions earned by the health-care industry each year.

Cybersecurity must be a priority for government agencies

Up until last year, things seemed bleak and unlikely to get better. However, there are a few signs that change may be coming. The National Defense Authorization Act passed in 2020 included a limitation on using telecommunications gear made by companies known to be affiliated with foreign intelligence operations (mainly Huawei and ZTE). And an executive order issued in 2020 also encourages bulk-power providers, like utility companies, to avoid using equipment provided by foreign companies that may pose cybersecurity risks. These efforts are piecemeal, but still a step toward protecting our most critical infrastructure.

And so far in 2021, the new administration has promised funding for national cybersecurity improvements to the tune of $10 billion. These funds would go toward security improvements at the various federal agencies, including staff augmentation and purchasing new technology. This is badly needed as much of the IT infrastructure of the government is aging and not up to modern standards. However, the bill still has to pass in Congress and is more of a down payment on the money needed to truly fix our national cybersecurity problems.

This is a positive movement, and after years of mostly status quo and underfunded cybersecurity, the SolarWinds attack seems to have been a wake-up call. There is some hope that the government is finally taking cybersecurity seriously. Time will tell whether it is just a flash in the pan or a seriously concerted effort across all levels of government. What is really needed is a coordinated “Manhattan Project”-style public works initiative that would unite the disparate forces across federal, state and local to fight the cyber war that we are currently engaged in.

How to prioritize cybersecurity

And simply throwing money at the problem isn't going to be good enough. The effort needs to be put into spending it effectively. That means not just pouring the dollars into the same bloated defense contractors who are part of a cyber industrial complex that has clearly not been effective so far. More private-public partnerships with medium and smaller-size firms that combine outside-the-box thinking with a startup’s mentality will allow us to leverage the ingenuity that is uniquely American and has allowed us to succeed in every other area of commerce.

This is about more than just not having the government lose your social security number or your voter records. It is about our cyber future as a nation. How wars will be fought, how elections will be secured and how our citizenry can feel comfortable that we are protected digitally, the same way we expect that our military will defend us physically. This will take politicians and citizens at all levels to step up. Nothing less than our national security and safety of our citizens is at stake.