Governments vs cyber criminals: which will prevail?
Government organizations around the world must prepare ahead for the omni-present threat of being shown up by cyber criminals.
The US federal government has fared well on the cyber security of its government websites, according to the results of the latest Online Trust Audit & Honor Roll conducted by the Internet Society’s Online Trust Alliance (OTA). With 91% of their websites on the honor roll, the US government websites have shown a marked difference from 2017’s performance of 39%.
Governments around the world can take a lesson from the US government. Government websites always contain vital information, whether it is about state security or personal data of citizens. When a government site is hacked, it is not just embarrassing but also results in people losing trust and confidence in the ability of the government.
In February, the Australian parliament was hacked, so that all the passwords on its computer network had to be reset. The attack allowed access to the networks of the ruling Liberal and National coalition parties as well as the opposition Labour Party — three months before a national election.
Apart from embarrassment, some leaks can be downright dangerous for the people involved. In 2015, Japan’s pension system was hacked with over a million cases of personal data leaked.
In December 2018, unknown hackers accessed a South Korean resettlement agency’s database and leaked personal information of nearly 1,000 North Korean defectors. According to the South Korean Unification Ministry, an internal address was used to send emails to plant the malware.
Cyber Attacks of a Blockchain Nature
Attacks of a blockchain nature have also become the norm after the advent of digital currencies.
In an incident in February, a UK computer consultant found out that hackers had attacked over 4,000 infected websites around the world to mine the Monero cryptocurrency. Those infected included Australian sites such as qcat.qld.gov.au, casey.vic.gov.au, bayswater.wa.gov.au, parliament.vic.gov.au, and legislation.qld.gov.au. UK’s National Health Service and the US court information system were also victims.
In 2016, over a hundred Indian government websites were hacked within a matter of weeks across states for secret and unauthorized crypto currency mining.
Hackers seek to infect the computers of those who visit these government websites, since crypto currency mining requires massive computing. Ignorant users fall for click-bait, after which their computers are used to verify transactions for numerous crypto currencies, recording them in a digital ledger.
Trusty Government Sites Are Soft Targets
Last month, according to an investigation by a team of security researchers, out of 3,220 UK government websites with domain names registered under the .gov.uk, hundreds have serious security vulnerabilities, including central government departments to local and district councils such as the National Archives, the Scottish prosecution service and the Health and Safety Executive. Some of these vulnerabilities have been known for over a decade now.
Ironically, government servers are considered a soft target because, apart from the fact that they are mostly non secure and generate high traffic, people also trust them, because they belong to the government.
Last month, the Organization for Economic Cooperation and Development (OECD)’s report, How’s Life in the Digital Age? found a relationship between “the level of exposure to disinformation and trust in government across countries”. Also, that “self-reported experiences of disinformation are higher in countries where trust in government is lower.”
The report pointed out that Denmark, Germany and the Netherlands had the lowest levels of exposure to “completely made-up news.” On the other hand, Greece, Mexico and Hungary had the highest. In accordance, citizens of Denmark, Germany, and the Netherlands displayed high levels of trust in their governments, whereas citizens of Greece, Mexico, and Hungary trusted their government less.
In summary, OECD concluded that ‘self-reported experiences of disinformation are higher in countries where trust in government is lower.’
Checking for Website Hygiene
One way of keeping a website safe is to keep checking and fixing any issues listed on the Common Vulnerabilities and Exposures (CVE) system, as and when they appear. The CVE is the industry standard for vulnerability and exposure identifiers.
CVE Entries provide reference points for data exchange so that cybersecurity products and services can connect. CVE Entries also provide a baseline for evaluating the coverage of tools and services so that users can identify the tools that are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
The CVE system rates vulnerabilities on a scale of 1 to 10, where 10 is the most dangerous, based on how easy it is to exploit them and the consequences of an attack. The most common rating given to government websites has been 7.5.
Web servers that have this kind of vulnerability store cookies at times, which can identify who is accessing a website for longer than usual. An attacker can easily steal someone’s cookie to access their account.
Building a Cybersecurity Force
One way of dealing with this serious problem is for governments to prepare a cybersecurity force. As Ken Xie, the CEO of cybersecurity software company, Fortinet, said at the World Economic Forum, the reasons for organizations struggling to keep up with the cybercriminal community are many.
Digital transformation, like cloud adoption, SD-WAN, and IoT, increases chances of attacks by forming novel and sometimes unexpected means of attack.
“The reality is that there are simply not enough skilled humans available to properly plan, manage, integrate, and optimize security devices, strategies, and protocols,” he says.
The two reasons for this, he says, are “the expansion of the digital marketplace has generated more jobs than the current supply of security professionals can meet.” And, “there is currently not an efficient way to create skilled security practitioners at the same rate.”
While cybercriminals are sophisticated government organizations need to remain a few steps ahead.
Gartner has predicted a growth of 8.7% in the Information Security market in 2019, an amount worth $124 billion. However, at the same time, Juniper Research has predicted that growth in cybercrime, resulting from rapid digitization of consumers’ lives, will increase the cost of data breaches to $2.1 trillion globally by 2019, quadrupling from the estimated cost of breaches in 2015.
A recent CSIS survey that quizzed IT decision makers in eight countries revealed that 82% of employers report a shortage in cybersecurity skills in their organizations. Also, 71% agreed that this talent gap results in direct and measurable damage to their organizations.
Need for Regulations and Policy
The Adobe Cyber Security Survey of 2018 found that an overwhelming majority of cybersecurity professionals feel government regulations have a positive impact on cybersecurity. 45% agree that more common standards and frameworks are necessary.
Policy can be a driving force in how companies or governments to react to different threats, whether before or after. “The most important issue is how to effectively share threat information and automatically detect and mitigate them in real-time as well as how to motivate organizations to implement best practices,” the report says.
Ditch the Legacy
The study also found that respondents agree that modernizing technology and transitioning legacy systems to the cloud are crucial for effective government cybersecurity. Open vulnerabilities in legacy hardware and software can pose the direst cybersecurity risks of not modernizing government technology.
There is no telling how far cyber criminals will go to destabilize smooth running of operations, whether their aim is to gain information or simply cause chaos. Governments around the world must remain alert by putting systems in place to make regular checks in their digital processes.