Government agencies are increasingly finding themselves targets of cyberattacks. Here we summarize some of the best practices these agencies can use to stay secure and highlight some of the possible consequences of having vulnerabilities. Our elections systems have been a strong focus in recent years; we are drawing upon lessons learned in that realm and extending them across the government IT infrastructure. Above all, this should be a reference architecture for Security Officers and CIOs, for all government entities and departments.
Today’s world is dramatically different than just five years ago. Ransomware attacks used to make global headlines. Now, they are commonplace. Cybercriminals have historically targeted large enterprises. Now, almost every day, we learn that a new city, county or state government entity has been attacked.
“Island hopping” attacks are also becoming more frequent, meaning that attacks are proliferating to suppliers and customers and becoming harder to stop.
Newer, sophisticated cyberattacks are bypassing traditional, signature-based antivirus solutions at an alarming rate. More than 60% of attacks are not malware based. Even malware is much more sophisticated than ever before, and phishing attacks that used to be laughably detectable by misspellings and incorrect graphics are now quite convincing.
In recent months, we’ve seen high-profile attacks against major U.S. cities. These attacks have included ransomware variants and permanent data loss. The damages have totaled in the millions of dollars. Some cities are still recovering from these attacks and the lessons learned have been sobering.
Attackers will often introduce an attack via a spear phishing email, which is opened by a city employee, exposing the entire infrastructure to an attack. In some examples, ransomware has been able to encrypt all city data, computers, workstations, phones, and dispatch systems for first responders. For example, the City of Pensacola, Florida was hit with a ransomware attack in early December 2019. The Maze ransomware variant was used, and the hackers threatened to release data if $1M in ransom was not paid. True to their word, they did release a small percentage of the data to prove they could. What made this especially damaging is that it occurred days after a shooting at a nearby Naval Base. Experts estimate that it may take six months to a year for the city, which was mostly shut down, to recover from this hack. No one knows if the city paid the hackers or not, but we do know they paid the consulting firm upwards of $140K to fix the issue.
Other cities in the news for December attacks include New Orleans, the city of Galt, CA near Sacramento, and St Lucie, Florida. All attacks are costly in terms of productivity, city image, and potential privacy concerns. What is “new” is how often attackers are taking advantage of smaller, more vulnerable entities. We continue to see new attacks on state, city, county and local governments, which underscores the need for more comprehensive cybersecurity protection and awareness.
After the widely publicized Target attack of 2013, many enterprises and retail businesses saw the importance of moving away from outdated security solutions and realized the potential cost of a breach. They put into place more sophisticated solutions to stop attackers. In many cases, government entities did not follow suit; they were often hampered by limited budgets and a lack of solid security staff.
Some data to ponder:
The International City/County Management Association, better known as ICMA, released the results of a survey conducted in 2018 and found that municipalities cited the following as severe barriers to implementing cybersecurity in their patch:
In addition, more than 50% had not performed any cybersecurity training for personnel.
Government agencies are adding Internet-connected services and technology at a rapid rate, often without securing that new technology. This provides new attack surfaces for cyber criminals and nefarious nation-state actors. The risk of an increased attack surface is compounded by the reality that organized crime groups have adopted cybercrime as an emerging business model with help from the dark web.
The above is very concerning when considering all the points of vulnerability in government and the potential impact to the public at large. Criminals and domestic and international terrorists can now manifest an asymmetrical cyberattack in the following ways:
Given the heterogeneous architectures of state and local systems (and the stark reality that many of these systems are older and unmanaged), it is imperative that we learn from the security exposures of another critical infrastructure. The most visible use case study is election security. A great deal of study has been done in this area. It pays to review lessons learned as well as the types of attacks and vulnerabilities so that this knowledge can be applied to the above scenarios and help to keep our cities, towns, counties and states safe as well as our elections fair.
Study of these attack surfaces by white hat hackers, security experts, lawmakers, and companies such as VMware Carbon Black has led to the formulation of a set of best practices codified by the U.S. Department of Homeland Security – CISA and a questionnaire for State and Local Governments to use to determine their vulnerability, which can be found here: https://www.us-cert.gov/ncas/tips/ST19-002
Carbon Black’s RESTful APIs and integration with cloud security providers such as NetSkope can help ensure that the cloud doesn’t become a point of ingress for bad actors.
Businesses shut down. Airports are empty. Hospitals are full. Many Governors (21 states) have issued “Stay-At-Home” Executive Orders closing all non-essential businesses and eliminating all public meetings. How do government and education provide “Continuity of Operations” (CooP) in this pandemic?
Government organizations at all levels are trying to find ways to deliver essential services with a remote workforce. Education institutions, K-12 and universities, are forced to close their doors and are now expected to deliver the same education through online and distance learning platforms. Some organizations have developed policies, processes and infrastructure to support this new remote demand, but others are trying to keep up.
At VMware, we are seeing hundreds of organizations reach out to us for assistance in building platform capabilities and implementing best practices to support their Continuity of Operations. Below is a list of new business requirements our customers have asked us to help address with Covid-19 and how we have helped.
With Covid-19, many of our customers are now seeing a need for new service delivery centers close to the citizen for things like child welfare, job centers, community corrections and public health. These customers are setting up Remote Field Offices to provide the needed office infrastructure (copying, printing, video conferencing) without the need to go to a large central office. This brings up the need to set up a site with secure internet quickly without waiting 90 days for traditional carrier-based installations. Around the country VMware is helping customers establish new secure internet-based networks which can be strictly controlled and managed by network staff. These new networks, set up in a day, are fully encrypted and managed, enabling government organization departments to meet citizen demand.
Now faced with “Stay-At-Home” orders, many customers are asking for large quantities of Virtual Desktop Infrastructure (VDI) or access to critical applications (BYOD) from non-government owned devices. Organizations are now forced to support 80% of their workforce remotely rather than sitting in an office. VMware is helping customers provide highly secure remote access to mission-critical applications, like Child Welfare, to their employees on any device. Remote employees, either issued a government notebook or using their own device, need secure access to published applications and sometimes full access to a VDI desktop. Customers can both publish applications and implement VDI either in the data center or in a public cloud. This remote capability enables our government organizations to continue to provide critical services from anywhere. Some of our customers are able to quickly migrate to BYOD to meet the remote worker need through VMware’s ability to provide device, network and data security through segmentation.
Universities and K-12 organizations have now closed their doors and have had to quickly adapt to online course delivery, changing the paradigm from classroom-based education to a digital-collaborative education. Faculty and administrators are now required to stay home and need the capability to create, manage and deliver digital online education. Additionally, some organizations have very complex physical training lab environments on campus, with highly specialized compute-intensive software like CAD, to augment the classroom. These labs are now inaccessible and need to be accessed virtually. VMware is helping our customers establish the virtual environment with the capability and capacity to meet their training needs. We are helping the faculty and administrators gain access to their systems through VDI, enabling digital content to be delivered to students. We are helping students gain remote access, from any device, to the content and the sophisticated “virtual training lab” environment, enabling them to continue with their education requirements. All of these virtual environments are wrapped with sophisticated security to manage the content, access and data to meet federal requirements.
The demand for remote access outside of “lock down networks” is high but opens up a large security risk. How do we trust the user, the device and network outside of normal security controls? Now with access from remote devices, as opposed to a traditional on-premise network, our customers are faced with having to lock these systems down. New security controls from the device, through the network, to the data center and the cloud are required. VMware is helping our customers answer these security questions. VMware is providing customers the ability to implement a zero-trust security architecture to ensure appropriate security controls are maintained even though the scale of remote access has quadrupled. Customers can meet their data and application security requirements through a comprehensive security platform enabling strong device management, controlled user access, application level VPN and application network segmentation.
Data analytics and cybersecurity pushed cloud out of the top spot for increased technology investment by government CIOs. This increased focus on data reflects CIOs’ acknowledgment that artificial intelligence (AI) and data analytics will be the top “game-changing” technologies for government.
The survey covered respondents in 89 countries and across major industries, including 528 from government. Government respondents are segmented into national or federal; state or province (regional); local; and defense and intelligence, to identify trends specific to each tier.
Taking advantage of data is at the heart of digital government — it’s the central asset to all that government oversees and provides. The ability to leverage that data strategically in real time will significantly improve government’s ability to seamlessly deliver services, despite increased strain on finite resources.
When it comes to strategic business priorities, the survey found that 18 percent of CIOs across all levels of government have prioritized digital initiatives again this year as key to achieving mission outcomes, compared with 23 percent from all other industries. The next three business priorities for government are industry-specific goals (13 percent), operational excellence (13 percent) and cost optimization/reduction (8 percent).
The data indicates that governments are making deliberate progress toward designing and delivering digital services, achieving comparable maturity to other industries overall. However, government is still lagging other industries (33 percent overall) in scaling and refining digital initiatives. The gap is particularly marked in defense and intelligence, where just nine percent of respondents have scaled digital initiatives. To meet increased demand and evolving expectations of citizens for effective and efficient services, government must continue to enhance its digital maturity. Government CIOs clearly recognize the potential of digital government and have started developing new digital services, but now need to take digital beyond a vision to execution through digital leadership.
Despite the focus on digital, only 17 percent of government CIOs plan to increase their investment in digital business initiatives, compared with 34 percent of CIOs in other industries. While government CIOs demonstrate clear vision in the potential for digital government and its emerging technologies, 45 percent report they lack the IT and business resources required to execute.
Game-Changing Technologies
| Rank | Government Priorities | % Respondents |
|---|---|---|
| 1 | Artificial intelligence/machine learning | 27% |
| 2 | Data analytics | 22% |
| 3 | Cloud | 19% |
| 4 | Internet of Things | 7% |
| 5 | Mobile (including 5G) | 6% |
| 6 | Business intelligence | 6% |
| 7 | Digital transformation | 6% |
| 8 | Blockchain | 5% |
| 9 | Automation | 3% |
| 10 | Customer relationship management | 2% |
AI introduces new insights and delivery channels that will enable governments to scale in magnitudes not previously possible. This will allow reallocation of valuable human resources to more complex processes and decisions.
Among government respondents, it appears that 10 percent have already deployed an AI solution, 39 percent intend to deploy in the next one to two years, and an additional 36 percent intend to deploy an AI solution within the next two to three years.
Among all levels of government, business intelligence (BI) and data analytics (43 percent), cyber/information security (43 percent) and cloud services/solutions (39 percent) are the most common technology areas for increased technology investment.
| Rank | Government Priorities | % Respondents |
|---|---|---|
| 1 | BI/data analytics | 43% |
| 1 | Cyber/information security | 43% |
| 3 | Cloud services/solutions | 39% |
| 4 | Core system improvements/transformation | 33% |
| 5 | Software development/upgrades | 26% |
| 6 | Infrastructure/data center | 23% |
| 7 | AI/machine learning | 22% |
| 8 | Technology integration | 21% |
| 9 | Customer/user experience | 20% |
| 10 | Mobile applications | 19% |
The fact that cybersecurity remains an area of projected increased spending reflects government’s recognition of its role as the steward of public data, with secure transactions now table stakes for governments in a digital world.
In today’s digital world, cyberattacks are highly visible, increasingly malicious and costly, and they erode the public’s trust. Government CIOs have steadily increased their prioritization of cybersecurity over the years and have gained executive commitment to vigilance in ensuring that ever-evolving malicious attacks and threats are mitigated to the greatest extent possible.