Six myths about government cyber security

Australia is not alone in confronting malicious cyber attacks. Many governments face similar threats and can learn from each other’s approaches and the technologies they are deploying. First, there are several myths public agencies need to get over if they are to build deep resilience against cyber attack. Ari Weil, a US cyber technology expert and the strategic product leader at Akamai, explains.

Mistaken belief #1 – Malicious actors aren’t much interested in a mid-ranking economic and geopolitical power

It’s true that the vast bulk of cyber attacks are directed against the US. Nonetheless, Australia currently places a respectable ninth (just after Japan) on Akamai’s ‘Top 10 Target Countries for Web Application Attacks’.

Weil isn’t at liberty to provide much information about why Australia is such a popular target. But he does volunteer, “There are people who feel passionately about certain issues, especially hot-button ones such as immigration. News stories about a national government’s actions or policies can lead to an influx of attack traffic. Individuals can and do levy DDoS attacks against government agencies because of the stances governments take.”

Mistaken belief #2 – If the cyber security of government agencies was being breached, we’d never hear the end of it

Many government agencies, both in Australia and elsewhere, remain none the wiser when their cyber defences are breached. A recent investigation by the NSW Auditor-General found 40 per cent of that state’s government agencies had a “low” or “very low” capacity to detect data breaches. There’s little reason to believe the situation is better elsewhere in the country.

“What you don’t know definitely can hurt you,” Weil says. “What are termed ‘low and slow’ attacks, which disguise themselves by mimicking the behaviour of a website’s users, are not uncommon and can be devastating. One such attack in the US saw the exfiltration of tens of millions of user credentials from one government agency.”

Mistaken belief #3 – Surely all these AI technologies are keeping us safe

“AI shows some promise but, so far, the reality hasn’t matched the hype,” Weil notes. “Machine learning is proving useful in identifying anomalies and hence detecting potential threats, but it’s still limited in what it can do. We’re a long way away from any organisation being able to completely automate its cyber security defences.”

Mistaken belief #4 – GDPR will make life much more difficult for digital troublemakers

GDPR is the new European data privacy regime. It’s well on its way to becoming the de facto global standard for the collection, handling, protection and deletion of data and will undoubtedly make life harder for malicious actors. Unfortunately, it will take time for Australian government agencies (and all the organisations they digitally interact with) to become GDPR-compliant. And by the time they are, the bad guys will have adapted to a more challenging environment.

“GDPR or no GDPR, the arms race between threat actors and security companies will continue,” Weil notes. “Those threat actors are getting more sophisticated all the time and finding ways to overcome even the most robust defences.”

Mistaken belief #5 – Nothing really bad has happened in the past, so it won’t in the future

It may not be too long before attacks occur that make 2010’s Operation Titstorm – which saw Anonymous launch a pornographic DDoS attack on the Parliament of Australia’s website, taking it offline for several hours, to protest internet-filtering legislation – look like a good-natured prank.

“There’s no chance cyber attacks are going to stop,” Weil says. “They are going to become more remarkable, by which I mean they will be more powerful and their consequences more serious.”

Weil notes there’s a growing trend in the US for attacks to target government agencies in possession of sensitive data or in charge of critical infrastructure. There’s no reason to assume something similar won’t soon happen in this part of the world.

“As they always have, threat actors continue to evolve their tactics,” Weil says. “We’re increasingly seeing the defences of branches of the US military, the US Department of Energy and the US Department of Revenue tested by those who wish to compromise infrastructure or exfiltrate data. Even more so than has been the case in the past, organisations need to partner with companies that can identify and respond to threats rapidly and which have the capacity to scale up cyber defences to the point where they can repel a mega DDoS attack. Or a cyber attack aimed at interrupting a nation’s water or electricity supply.”

Mistaken belief #6 – My department spent up big on cyber security recently, so everything must be OK

Think of your organisation like a castle with a moat and drawbridge. Historically, cybersecurity was focused on letting certain people walk across the drawbridge and pulling it up when anyone suspicious approached. This typically resulted in all-or-nothing ‘perimeter’ access; either individuals had no ability to log in to the system at all or they had the run of it. This approach made sense back in the days when organisations had clearly delineated workforces labouring on office desktops.

It’s not so useful nowadays.

“It’s more and more the case that third parties, such as consultants and contractors, are temporarily part of private- and public-sector workforces,” Weil says. “Plus, staff often bring their own devices to work. They also use a range of devices – their own or those supplied by their employer – on wi-fi and other networks that may be contaminated.”

This being the case, organisations can no longer afford to assume applications are secure. “It doesn’t matter if they’re on the corporate network, behind a firewall or some bot-based system or in a cloud server,” Weil says. “You simply can’t trust they are secure.”

There is good news and less-good news for Australian government agencies about this.

The good news is that something called the “zero-trust approach”, which focuses on confirming the identity of individuals using applications and only granting individuals access to the applications they require to undertake their work, has been proving effective in the US and Europe in mitigating threats.

The less-good news is that your organisation’s cybersecurity is probably based on an old-school perimeter (raising or lowering the drawbridge) approach and uses perimeter technology.

Organisations need to invest in ‘zero-trust ecosystem technologies’ if they are to stay one step ahead of malicious actors. A zero-trust architecture of the kind Akamai creates boasts DNS protection and secure internet gateways, as well as features such as inline data inspection and single sign-on with multi-factor authentication. This allows lots of people to walk across your organisation’s drawbridge but only provides them with access to the dungeon, pantry or throne room if they need it and can demonstrate they are who they are meant to be, while always being escorted by a guard who will be watching all their actions.
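To make the drawbridge-versus-guard contrast concrete, here is an added illustration (not Akamai’s code or anything from the article) of the two access models side by side: a perimeter check that trusts network location, and a per-request zero-trust check that verifies identity, MFA and device, grants only the applications a person is entitled to, and logs every decision. The users, applications and entitlements are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample entitlements: which applications each identity may use.
ENTITLEMENTS = {
    "alice@agency.example": {"payroll", "hr-portal"},
    "bob.contractor@vendor.example": {"ticketing"},
}

# Every decision is appended here: the "escorting guard" that sees each action.
AUDIT_LOG: list = []


@dataclass
class Request:
    user: str                 # identity asserted by single sign-on ("" if none)
    app: str                  # application the caller wants to reach
    on_corp_network: bool     # the only thing the old perimeter model looks at
    mfa_verified: bool = False
    device_managed: bool = False


def perimeter_decide(req: Request) -> bool:
    """Drawbridge model: anyone inside the network gets the run of every app."""
    return req.on_corp_network


def zero_trust_decide(req: Request) -> bool:
    """Per-request model: network location is ignored; identity, MFA, device
    trust and application-level entitlement must all hold, and the outcome
    is recorded whether it is an allow or a deny."""
    reasons = []
    if not req.user:
        reasons.append("unauthenticated")
    if not req.mfa_verified:
        reasons.append("no-mfa")
    if not req.device_managed:
        reasons.append("unmanaged-device")
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("not-entitled")
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user or "<anon>", "app": req.app,
                      "allowed": allowed, "reasons": reasons})
    return allowed


if __name__ == "__main__":
    # A contractor sitting on the office network asks for the payroll app.
    bob = Request("bob.contractor@vendor.example", "payroll", True, True, True)
    print("perimeter:", perimeter_decide(bob), "zero-trust:", zero_trust_decide(bob))
    print(AUDIT_LOG[-1])
```

The contractor walks across the drawbridge under the perimeter model, but the zero-trust check denies payroll with a logged reason of `not-entitled` even though identity, MFA and device all check out.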