Now in 2021, cybersecurity has become a national — and international — focus, with ransomware attacks hitting consumers at the gas pump and the supermarket. Increasingly ubiquitous technologies like artificial intelligence, the cloud and IoT are reshaping the threat and defense landscape.
Government Technology caught up with cybersecurity experts about how the past decade shaped our present cybersecurity picture and what the next 10 years may bring.
CASHING IN
Hackers in the early 2000s may have been largely aiming to boost their reputations, experiment with technology and cause disruptions, according to security software firm Sophos. But ensuing years introduced new motivations, and the 2010s saw cyber criminals increasingly realize their vast potential to make money, Pennsylvania CISO Erik Avakian told GovTech.
Hackers in the mid-2000s and early 2010s used botnets to power massive pharmacy spam campaigns that tried to sell recipients what were often counterfeit or illicit goods, according to Sophos. But criminals’ business models then advanced to tactics like stealing and selling personally identifiable information (PII) online.
“We’ve seen a shift from simple hacking to the monetization of information and data,” Avakian explained. “[As] they realized they could gain profit from it, we saw this shift from just hacking to stealing data where they can post online and sell it for profit.”
Ever-more popular ransomware attacks see malicious actors encrypt victims’ data and hold files locked until the targeted parties pay up. Cyber criminals recently have graduated to “double extortion,” in which they seek payment twice — first to decrypt the stolen files, and second to refrain from publishing them.
Bad actors may view the public sector as a particularly tempting victim, because agencies’ efforts to be transparent to constituents also let hackers identify which ones have desirable information, said Mark Weatherford, CISO for risk management company AlertEnterprise. His former roles include serving as California and Colorado state CISO and Obama administration deputy undersecretary for cybersecurity.
“Because so much information is public, and publicly available, it may be a little easier for bad guys to figure out where, how and when they can target state and local government organizations” compared to large private organizations, Weatherford said.
The past couple years have seen ransomware rise to new heights of disruption, taking cities and critical infrastructure offline. Atlanta city personnel and residents became unable to use a variety of digital government services following a 2018 attack, and 2021 saw ransomware threaten critical infrastructure operators like Colonial Pipeline.
Hackers also seized greater opportunities for social engineering as the 2020 COVID-19 outbreak prompted so many societal activities to shift online, from business to education and shopping. Criminals unleashed a flurry of phishing attempts and other attacks against residents, local agencies, health care and school facilities and private targets in efforts to trick victims during the confusing transition and exploit weaknesses in digital systems not designed for such high-volume use.
Political goals — not just profit — have also become a frequent driver of cyber intrusions conducted by foreign nation-states and domestic hacktivists, Avakian said. 2016 saw Russian hackers strive to undermine the election, and the same year also brought several instances of ideologically motivated hacks that downed government websites or leaked their data. A North Carolina law prohibiting transgender residents from using bathrooms matching their gender identities and Baton Rouge, La., police’s fatal shooting of Alton Sterling both triggered retaliatory hackings, to name just a couple of examples.
THREATS ON ALL SIDES
The past decade taught public officials that threats can come from all angles. The 2013 Adobe breach compromised a trusted brand and demonstrated the necessity of software security, Deb Snyder, former New York CISO, told GovTech. The SolarWinds hack — which spread malware to the IT company’s clients through infected software patches — has underscored this point, putting “supply chain security” on everyone’s lips, as well. California CISO Vitaliy Panych told GovTech that his state is currently heightening attention on third- and fourth-party risks, which come from vendors (and vendors’ vendors) of everything from IT to legal services.
The field of potential adversaries has widened as well, with cyber crimes no longer the exclusive realm of tech-savvy perpetrators. Attackers now create and sell their malware to other parties seeking to wield high-tech attacks, opening the doors to a wider array of perpetrators, Panych said.
“It’s no longer where there are sophisticated adversary elements that have sophisticated knowledge,” Panych said. “It’s more widespread, horizontally, where your common criminal element can pick up hacking tools and start targeting organizations.”
Organizations have also turned their focus inward. Edward Snowden’s 2013 exposure of NSA’s mass espionage program shocked U.S. citizens and the world with its revelations. But Snyder said that for many agencies, it also delivered a second message: that their sensitive information can be put at risk by contractors and other insiders, and thus emphasized the importance of tightly controlled account privileges.
Major attacks in recent years have taken cybersecurity from an abstract idea to something that impacts the general public’s daily lives. A breach of Sony in 2011 revealed details on 77 million customers, alerting organizations to the seriousness of data protection, Snyder said. Public pressure intensified as the 2017 Equifax breach exposed 147 million residents’ data, while 2021 ransomware attacks on JBS and Colonial Pipeline hit people at the pump and the dinner table.
Equifax’s 2017 compromise and “Experian being hit again in 2020 and exposing credit scores for nearly every U.S. citizen ... started the rise in public ire and public expectation of ‘why aren’t organizations taking care of our data and what punishment should they suffer when those kinds of things happen?’” Snyder said.
If public pressure wasn’t enough to put government on alert, the 2015 Office of Personnel Management breach and 2016 Democratic National Committee hacks revealed just how seriously cyber criminals will go after government.
Constituents increasingly expect government to keep its troves of resident information private, and Europe’s General Data Protection Regulation (GDPR) drove forward thinking in the space by offering a model. States like California responded with their own data privacy legislation two years later. Panych said recognition of the growing importance of data is prompting California to seek to ensure that, going forward, its technology adoptions and practices include privacy considerations.
A Decade in Cyber Incidents
2013: Edward Snowden’s disclosure of the NSA’s massive, covert cyber surveillance alerts the world to new forms of digital privacy and security concerns. Some organizations see this leak by a federal contractor as a wake-up call about the risk of insider threats to the confidential information they hold.
2015: The Office of Personnel Management suffers a breach that exposes sensitive personal information and security clearance files on 22.1 million people in an espionage attack attributed to Chinese state actors. Officials worry that China may use the information to unmask undercover operatives.
2016: Russian actors attempting to sway the elections hack into emails from the Democratic National Committee and Hillary Clinton campaign and share them with WikiLeaks. They also penetrate state voter registration databases. The events spur negative media coverage of the Clinton campaign and trigger concerns over the security of elections.
2017: Credit reporting agency Equifax is breached, exposing personally identifiable information on 147 million people. Roughly 45 percent of the U.S. population is impacted.
2018: Atlanta internal and external digital systems and devices are crippled by a ransomware attack, as cyber extortionists perfect their techniques. At the time it’s deemed the most expensive and extensive cyber disruption to hit a city. A similarly scaled ransomware attack on Baltimore followed in 2019.
2020: IT solutions provider SolarWinds sends out a software patch, not knowing it includes malware from Russian-based actors. The hackers access systems of customers — including government agencies and leading cybersecurity companies. Organizations realize security gaps at third-party suppliers can also bring significant risk.
2021: Colonial Pipeline and JBS pause operations after being hit by ransomware, in separate incidents that disrupt residents’ daily lives and spark fears over the vulnerability of critical infrastructure to cyber attack. The incidents down the nation’s largest refined oil pipeline and the supplier of about one-fifth of its meat, respectively.
STATES GET SERIOUS
States have responded to the growing sophistication and visibility of digital threats by elevating cybersecurity to an enterprisewide concern and mindset.
States and localities increasingly incorporate cybersecurity recovery into their emergency response planning — alongside terrorism and natural disaster plans, said Avakian. Many agencies are now adopting emerging best practices and strategies like zero-trust authentication, in which every user and device must verify itself for each interaction, and adopting technologies that have privacy and security incorporated into their designs, Panych said.
Across the nation, state CISOs now have the ear of key decision-makers.
“Ten years ago, for me to get time or an audience with the legislature [as state CISO] was almost impossible,” Weatherford said. “But today, CISOs are routinely meeting with legislators or briefing legislative players at the beginning of every session.”
But despite the increased visibility of cyber leaders within government, states and localities still grapple with legacy technologies and historical technological underinvestment that leaves them open to cyber attack.
Ransomware perpetrators often launch automated mass attacks in indiscriminate attempts to penetrate wide swathes of organizations — and school districts’ and local governments’ antiquated defenses are especially likely to fall, Center for Internet Security (CIS) President and CEO John Gilligan told GovTech.
Agencies struggle both to obtain enough resources and also to know how to use them most impactfully. Organizations need to prioritize evaluating their cyber positions and maturities so they can see where to best invest available dollars, Avakian said. Greater visibility into their networks, data collection and storage practices, and user behavior also are essential to helping identify vulnerabilities and differentiate between normal and suspicious behaviors, Snyder said.
Still, some resources are becoming scarcer. Agencies that traditionally relied on cyber insurance to assist their recoveries also are seeing prices rise — possibly out of their reach, according to Dan Lohrmann, chief strategist and chief security officer for Security Mentor, former Michigan CSO and current GovTech columnist. (For more on cyber insurance, see Is Cybersecurity Insurance Out of Reach for Government?) Governments at all levels also struggle to recruit enough cyber specialists, with 36,000 federal, state and local positions currently unfilled, according to The Washington Post.
Snyder said agencies will need to establish more hiring pipelines, expand recruitment efforts to include candidates with nontraditional backgrounds and upskill existing staff. Departmentwide cyber awareness training will also be key to effective security, because humans remain one of the greatest chinks in defensive armor, Avakian said. Social engineering remains core to many attacks.
“Even over the past decade, email threats and phishing attacks are still predominant because people will be people,” Avakian said. “That’s the common denominator, and as long as people are clicking on things they shouldn’t be, the bad actors are finding ways to get in.”
CALLING ON PARTNERS
Partnerships are helping to bolster efforts. The CIS’s Multi-State Information Sharing and Analysis Center (MS-ISAC), formally launched in 2003, provides assistance to supplement agencies’ resources and has expanded its membership and offerings in the years since.
Gilligan emphasized the outsized impact of any such organizations capable of offering localities low-cost, easy-to-implement defensive tools that may not be perfect, but which are at least able to thwart run-of-the-mill threats most of the time. Third-party organizations like MS-ISAC also sidestep concerns over jurisdictional autonomy that can deter some states from turning to federal agencies for help, he said.
States are driving their own cross-border collaborations, too, including regional efforts like the North Dakota Joint-Cybersecurity Operations Command, which facilitates interstate intelligence sharing. Many states also work to share tools and build relationships with their local partners, sparing the localities from having to conduct their own procurements and ensuring they know who to call in case of an incident (for more on these jurisdictional partnerships, see Whole-of-State Cybersecurity Gains Ground in Government).
FEDERAL RESPONSE
Federal efforts over the years have produced advancements like the National Institute of Standards and Technology’s first cybersecurity framework in 2014, the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 and the Cyberspace Solarium Commission report in 2020.
But in the wake of SolarWinds, Colonial Pipeline and JBS, the federal government is settling itself into a greater role. President Biden’s May executive order signaled intent to deal seriously with cyber problems, and experts speaking with GovTech in July expressed tentative optimism that more action, including funding support, would follow.
Biden’s order obligates federal agencies and their vendors to follow fairly basic cybersecurity best practices — which is, nonetheless, an improvement, Snyder said. She and others highlighted the need for the White House to press forward with additional measures.
State and local governments need recurring, long- and medium-term funding streams to maintain strong cyber postures — not just one-off grants, Lohrmann said. Gilligan suggested providing federal dollars to more ISACs beyond just the MS-ISAC so those groups can avoid charging membership dues that block participation from localities with slim budgets.
Some such change may come, with an August national infrastructure proposal delivering $1 billion over four years to state, local and tribal governments for upgrading their software and hardware against cyber attacks. It also could bring more cohesion to national cybersecurity policies and greater information sharing across agencies by budgeting $21 million to the newly launched Office of the National Cyber Director. Cyber experts applauded the 2021 appointment of Chris Inglis, a former deputy director of the National Security Agency, to the post, while waiting to see if he would get sufficient funding to be impactful.
FUTURE READY?
As they eye the next decade, states need to employ emerging strategies and technologies to detect, deflect and mitigate threats. Artificial intelligence applications, particularly machine learning and predictive analytics, will increasingly help departments detect potential threats and amplify staff efforts, Avakian said. Organizations are already improving their post-attack analysis to better understand the kinds of defenses that could stave off future attempts, according to Gilligan, and more agencies are adopting zero trust and context-informed security analysis, said Panych.
The shift to remote work has also enabled states to draw upon experts from around the U.S. — and even around the world — for cyber projects, expanding recruitment abilities, said Lohrmann.
Ransomware, social engineering and “commoditized threats” that see criminals buy PII and malware from other criminals are unlikely to go away soon, and compromised IoT devices may become an increasing risk.
Additionally, foreign nation-states that have been unable to compete with the U.S. in traditional military might are finding that cyber attacks put them on more even offensive footing and are unlikely to back away, said Lohrmann. This adds pressure to ongoing efforts to establish rules of cyber warfare and aggression. In June 2021, Biden told Russia that 16 critical infrastructure sectors should be off-limits to hacking, and NATO said this year that it would consider a military response to cyber attacks.
The past decade has shown malicious actors continually raising the stakes.
Practitioners fear that attacks may eventually progress from disrupting essential infrastructure to actively destroying it. The World Economic Forum has warned that nations should anticipate a massive, society-changing cyber incident, with impact on the scale of the COVID-19 pandemic.
“There are a lot of people that are predicting that we’re going to have a major incident, whether that’s the Internet going down for 10 days, or power grids all go down,” or some other worst-case scenario, Lohrmann said. Such an event coming to pass would redefine how organizations and society view cybersecurity.
“You’re also going to see a different paradigm with cybersecurity following that,” Lohrmann said, “because organizations that are hit with major ransomware, or a major cyber attack, tend to act a lot differently than ones that haven’t.”
A Framework to Follow
Incident Reporting. Requires — and contractually permits — federal software vendors to report cyber incidents to agency clients and, often, CISA.
Modernizing Defenses. Requires federal agencies to follow cyber hygiene practices like zero trust and multifactor authentication and to create plans to protect sensitive data, and encourages the adoption of secure cloud services.
Supply Chain Security. Federal contractors selling — and federal agencies buying — software that performs critical functions will have to ensure products meet certain security requirements and are used in secure ways.
- NIST will outline a Software Bill of Materials for vendors to provide, helping attest to secure development.
- Vendors will be encouraged to voluntarily put labels on consumer IoT offerings that attest to the security of the devices and their development processes.
Cybersecurity Safety Review Board. A public- and private-sector group will be created to investigate major cyber incidents, threats, vulnerabilities and responses.
Standardized Cyber Response Playbook. A common (but flexible) cyber incident and vulnerability response playbook will be created for all federal agencies to follow. It will include standard definitions of key cyber terms.
Incident and Vulnerability Detection. Agencies will improve efforts to catch issues early and provide CISA with data. CISA will report on its efforts to hunt threats on agency networks without interrupting their operations or getting their permission first.
Investigation and Response. Federal agencies and IT service providers will need to collect and maintain federal IT system and network logs and provide them to CISA and the FBI as needed to support their handling of cyber incidents and risks.