As the World Economic Forum stated, cybersecurity is too big a job for governments to handle alone.
But when it comes to cybersecurity for the government and public sector, only the best will do. That’s why Fortra brings its vast portfolio, compliance expertise, and, of course, experience to the game.
Uncover this year’s threat landscape, the unique challenges faced by the sector, and how partnering with a seasoned provider can prepare your public sector agency with the tools it needs to come out on top.
What Cybersecurity for the Government Looks Like in the U.S.
Cybersecurity in the public sector needs to take into account the unique topography of that sector, and plan accordingly.
The U.S. public sector covers the following:
- Federal agencies
- State agencies and departments
- Local municipal entities
- Educational institutions
Each of these entities is a valuable spoke in the wheel. Attackers understand this and target them for their vast impact on the economy and everyday life; a small disruption could ripple out to have far-reaching consequences.
Federal Government Risks and Threats
When it comes to threat profiling, the government is a sector of extremes.
State and local agencies, along with educational organizations, are attractive ‘soft’ targets. Utilities like water and power can be owned by different companies, municipalities, or even the state itself, causing inconsistencies in policy and governance. Additionally, government-sponsored cybersecurity requirements have been largely piecemeal until recently. For that reason, their security systems are typically unsophisticated and riddled with legacy errors, making them low-hanging fruit for attackers.
On the other hand, the National Security Agency (NSA), the Department of Defense (DoD), and other federal agencies have been the subjects of intense cybersecurity scrutiny. Rich in information and high in potential impact, they have become highly prized targets, especially for state-sponsored attackers that want to threaten U.S. national security, destabilize and interfere with internal politics, distribute disinformation, and more. With 2024 being a U.S. election year, it will be especially important to keep an eye out for these kinds of attacks.
And then there are supply chain attacks, or the ways in which cybercriminals seek to attack the public sector by exploiting downstream government contractors. There are now laws to secure against these types of threats as well.
What’s the Same
Despite having problems all their own, the public sector also suffers from all the same security issues as any other industry. This makes the task of securing government entities particularly challenging.
These issues include espionage, data breaches, intellectual property theft, and more. Meanwhile, rising global interconnectivity, complex technologies, and diminishing boundaries between the digital and physical worlds also increase the risks of cyber threat.
These cyber threats include popular exploits such as:
- Phishing Attacks: According to one report from March 2023, 5% of federal employees have fallen victim to a phishing attack. And Lookout’s 2022 Government Threat Report states that one in eight government employees were exposed to phishing threats.
- Social Engineering: One county in North Carolina forfeited $1.7 million in a clever social engineering scheme; as noted by MITRE, the U.S. government has lost “hundreds of millions of dollars” in social engineering attacks over the past ten years.
- Ransomware: State and municipal governments suffered over 105 ransomware attacks last year, resulting in 27 cases of confirmed data breach.
- Exploiting Misconfigurations: OWASP reports that 90% of the applications they tested had some form of misconfiguration. A recent report notes that 51 network device misconfigurations were discovered within the systems of the U.S. government over the past two years. Four percent were deemed to be critical.
- Finding Application and Software Bugs: A little over a year ago, U.S. government agencies were ordered to fix serious software flaws that foreign nation-state actors were likely moving to exploit. The flaws were found in software widely used by government entities.
Real-World Cyber Threats to Government
While hearing of hypothetical attacks is still sobering, there is nothing like experiencing them firsthand. For instance, this past August, cybercriminals allegedly got their hands on a dataset from China’s Ministry of State Security. That same month, Russian hacktivists disabled Poland’s rail system, and a U.S. military procurement system was the victim of snooping and attempted exfiltration by Chinese hackers.
These issues (and many, many more) are what prompt CISA to issue warnings about advanced persistent threats (APTs) and nation-state actors. The two often go hand in hand, and fellow governments are commonly the targets of these types of attacks.
Optimizing Cybersecurity in the Public Sector
Fortunately, government-sponsored steps are being taken to improve the cybersecurity of the public sector.
National Cybersecurity Strategy
This past March, the National Cybersecurity Strategy was released by the White House with the intention of “Ensuring that the biggest, most capable, and best-positioned entities...assume a greater share of the burden for mitigating cyber risk,” and “Increasing incentives to favor long-term investments into cybersecurity”. While the whole strategy can be read here, the takeaway is that government entities have been so much the target of attack – and so infrequently the recipients of clear, top-down cybersecurity policy – that it was time to take action.
The National Cybersecurity Strategy provides five pillars that lead to optimized security measures for utilities and government agencies in the U.S. They are:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Watch our in-depth breakdown of the White House’s 2023 National Cybersecurity Strategy.
Besides following the recently released guidelines mentioned above, governmental departments must also adhere to a number of compliance requirements. These include the rules for handling Controlled Unclassified Information (CUI) and the International Traffic in Arms Regulations (ITAR).
CUI protection governs how government agencies and their private sector partners handle and share data that is not classified, but still not available to the public.
ITAR controls the import and export of certain military technologies and equipment from the United States. It affects those selling anything covered by the United States Munitions List (USML) and those in the private sector selling products to the U.S. Department of Defense.
At the end of the day, collaborations between the public and private sectors can help implement effective cybersecurity practices and protect the national interests by sharing expertise and developing talent. For example, in April 2021, the Department of Energy (DoE) spurred a public-private initiative to improve the security of industrial control systems (ICSs) in the industry. This move was followed up by the White House launching several other sector-specific programs, including the chemical sector public-private cybersecurity initiative.
The NIST Risk Management Framework
The Risk Management Framework (RMF) is another effective approach to bolstering the security resilience of American companies. Created by the National Institute of Standards and Technology (NIST), it was originally developed to secure federal information systems. While its application has been extended beyond the public sector over the years, the bespoke standards are still a backbone of government security. The framework outlines a measurable, seven-step process:
- Prepare: Identify areas of risk and determine key management roles.
- Categorize: Prioritize risks and classify data based on sensitivity and impact level. This organization will inform subsequent security controls.
- Select: Choose the NIST SP 800-53 controls that will be used to protect the identified and prioritized assets.
- Implement: Put the controls into action and record how they are deployed. This includes hardware and software configuration and patching vulnerabilities.
- Assess: Verify that the controls are in place and operating as intended.
- Authorize: The organization’s authorizing official grants permission for the security system to begin operations.
- Monitor: Continuously monitor the performance of the implemented controls and any associated risks.
By focusing on the core functions CISA laid out, government entities can find the most value with limited time and resources.
The right technologies can also be powerful force-multipliers when it comes to doing a lot with a little. From classic anti-malware to Artificial Intelligence, leveraging the right solutions can mean the difference between easy-pickings and “too hard to hack”.
Building a Resilient Digital Ecosystem with Fortra
Let Fortra help you manage your cyber risks and build a resilient digital ecosystem.
Fortra can help secure government systems against both the basic and advanced exploits launched against the public sector. Our battle-tested cybersecurity solutions empower agencies to:
Identify critical vulnerabilities and prevent possible attacks
Fortra’s offensive security suite lets you discover hidden vulnerabilities and how well your security team is prepared to defend them. Ready your technologies and your team with vulnerability management, penetration testing, and red teaming solutions.
Reduce human error and educate employees
If 74% of data breaches are attributed to human error, Fortra’s Security Awareness Training (SAT) helps to block the leading cause of breaches at the pass – a significant boon to government agencies responsible for invaluable swaths of personal data. Automated email security and anti-phishing tools contribute further to reducing instances of error, protecting against Business Email Compromise (BEC), spear phishing, social engineering, spam, and data exfiltration.
Safeguard agency information and comply with strict regulatory mandates
It is a matter of national security to safeguard the sensitive information pertaining to your agency. Fortra’s Data Protection suite offers Data Loss Prevention (DLP) for immediate visibility into the state of your information, Secure Collaboration to control access to files no matter where they go, and Data Classification to help you sort and secure sensitive information, thereby facilitating compliance with data privacy and other regulations.
Stay secure in the cloud
Cybersecurity in the public sector means monitoring critical assets stored in the cloud. Because the cloud is a highly complex environment filled with vast digital connections, being able to configure cloud policies accurately is of primary importance. Fortra’s File Integrity Monitoring collects detailed change data in real time, contextualizes it with change intelligence, and automates remediation capabilities so your cloud environment stays agile and secure.
We understand the threat landscape governments face, and we have the solutions and expertise to help you build a stronger line of defense.
Leave nothing to chance
Partner with Fortra and know that the protection your federal agency needs is the protection it receives. Visit Fortra’s Government and Public Sector hub and discover how we can support your initiatives.