The recent spate of large supply chain data breaches has affected government organizations across the national, state and local levels. The SolarWinds attack discovered in December of last year exposed many top U.S. federal agencies to Russian hackers. This breach, billed as one of the largest of all time, came through an infected update from a software provider. This was followed pretty quickly by the revelation that French government agencies had been hacked in a multiyear effort, also by the Russians, that used a network monitoring tool similar to SolarWinds. And just in the last few weeks, we have heard that Accellion, a company that offers security software, was breached by ransomware hackers who used network access to infiltrate many of their clients. The list of victims includes several government organizations such as New Zealand’s National Bank and Washington state’s Auditor’s Office that handles unemployment claims (Imagine the banking and payment information the hackers can access!). It seems these sophisticated hacking groups, known as advanced persistent threats (APTs), have decided to take on a “hack once, breach many” strategy to increase the impact or profitability of their efforts. And indeed, this method can be a real force multiplier in terms of the number of organizations and volumes of data they can access. Attacks through third parties have been around for years — most notably the Target hack in 2013 where 40 million credit card numbers were stolen — but only recently have the state-sponsored bad actors really capitalized on these types of attacks.
These efforts are often focused on either surveillance or intelligence rather than monetary gain, though they are not without financial elements, especially for groups affiliated with poorer countries. These groups try to go after long-term persistence in a network — get in the system and stay there for a while — rather than “smash and grab” efforts, like earlier hackers. Perhaps it's just to wreak more havoc, like ransomware hackers who want to infect all your backups and live servers. Or, as in the case of the recent Russian hacks, they are more interested in gathering data to advance national intelligence goals. And in some cases, particularly those with extremist elements, they might be looking for access to industrial controls in critical infrastructures to cause real-world or “kinetic” events. This was demonstrated by the joint (allegedly) U.S./Israel effort to hack Iranian centrifuges in their nuclear program, which was successful in destroying thousands of centrifuges. And the Russians have been particularly active in this area, shutting down a Ukrainian power plant and affecting operations at several other industrial plants. This doesn't just apply to large governments or major facilities. A small water plant in Oldsmar, Fla., was recently breached by unknown hackers who managed to adjust levels of chemicals in the water supply to highly dangerous levels. An observant plant operator who noticed and corrected the setting was the only thing that stood between the hackers and a major health impact on the area.
From these examples, we can see that hackers are highly interested in using government third-party suppliers at all levels, from the Pentagon to small water processing plants. And it is clear that they have significant resources to do this. It is estimated that it took over 1,000 Russian developers to write the software for the SolarWinds malware. Statistics like that can make hackers appear to be an overwhelming threat to defend against, especially for smaller county or city governments.
However, inaction is not an option. Small governments must protect their citizens’ rights and safety as much as big governments, perhaps more so, since they are more closely connected to the daily lives of their constituents.
What can be done in the short and medium term? A formal third-party risk management (TPRM) program would be ideal. However, if you don't have the resources for that, do an audit of any and all vendors who might have access to your systems and data in any capacity. Many small cities and entities like municipal utility districts (MUDs) use proprietary software packages which are often operated by mom-and-pop developers with little concern for security. Such was the case in the Florida water plant hack. You must insist they bring their security up to par, or find an alternative solution.
And don’t forget your software-as-a-service (SaaS) providers either. Just because the software or data does not reside on your infrastructure does not make it any less sensitive or critical. Once the review is done, you have to go through and remediate any gaps you find, whether that is through new policies and procedures (no sharing accounts or simple passwords) or technical controls, which may cost money and impact local budgets.
In the bigger, long-term picture, the federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.