Nigel Thorpe, technical director at SecureAge, looks at the growing cyber security threats to global governments and suggests that it is time for a new approach to data protection
In mid-September, UK Foreign Secretary Dominic Raab condemned the continued Chinese attacks on telecoms, tech and global governments. Following an announcement by the US Department of Justice, along with Malaysian nationals relating to malicious cyber attacks, he stated the UK would continue to counter those behind them and work with its allies in holding them to account.
According to Gov.uk, criminal charges indicate that Chinese-linked actors, among others, are targeting super computers, communications companies and systems which allow home working in countries around the world.
As a result, the UK’s National Cyber Security Centre (NCSC) produced practical advice for individuals and organisations on protecting against the cyber security threats outlined in the indictment, which included, among others: mitigating malware and ransomware attacks; defending against phishing; using multi-factor authentication and setting up two-factor authentication (2FA); supply chain security guidance; preventing lateral movement in IT systems if attackers gain access; and End User Device (EUD) security guidance.
The vital role that cyber security plays in protecting our privacy, rights and freedoms is likely to be more prominent than ever, even going just slightly forward into the future. This is because more and more of our vital infrastructure is coming online and is therefore vulnerable to digital attacks. Data breaches involving the leak or theft of both national and personal information as well as intellectual property, are becoming more frequent and bigger; plus there is an increasing awareness of political interference and state-sanctioned attacks.
With no end in sight to the ‘trade wars’ between the world’s superpowers, along with an ongoing tech-driven arms race among international competitors, the stakes are increasingly high. Russia has already announced it has tested what it called an ‘unplugged’ internet – a country-wide alternative to the global internet – which could effectively give the government control over what citizens can access. And it’s no secret that Iran and China are already censoring content and blocking access to external information.
More recently, the Chinese government has been pushing a pro-China narrative around elections in Taiwan and during the protests in Hong Kong via fake social media accounts, as well as being suspected of hacking US election candidates’ private emails.
Just last month, the Norwegian parliament announced it had been the target of a significant cyber attack which breached the email accounts of several members and staff of Norway’s Labour Party. Other examples throughout the summer months include the suspected access to sensitive information held by North American and Israeli government entities; a phishing campaign via a Russian hacking group during preparations for operations on Ukraine’s independence day; Taiwan accusing Chinese hackers of infiltrating the information systems of at least 10 government agencies, and an Iranian hacking group was found to be targeting US government agencies by exploiting recently-disclosed vulnerabilities in high-end network equipment. The list goes on.
Victim of progress? Not entirely
Despite all of these, however, it has also been found by the Synack Trust Report* that the government sector (along with financial services) is globally the most hardened against cyber attacks in 2020. It was discovered that both scored 15% and 11% higher respectively than all other industries when it came to preventing attacks and responding to breaches. Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73%.
This part success on behalf of government organisations has been a direct response to the increase in digitalisation and the need to build stronger defences to mitigate the increase in new attacks emerging. Consequently, we can expect more investment in technology designed to counter them, as well as efforts to raise public awareness of the issue.
Throughout this year, governments faced unprecedented challenges due to the pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risks from cyber attacks.
Time to focus on the data
Traditionally, cyber security defences have focused on stopping the bad guys getting in, but this clearly is not working. Rather than focusing on protecting access to information where it is held – on disks, in databases and in applications – we should accept that it’s not 100% possible to block access by cybercriminals and rogue insiders, and we should build security right into the data itself. We’ve got all the right technologies, but historically, there has been a trade-off between security and ease of use. For example, full disk encryption is easy to deploy, but security is compromised because a running system seamlessly decrypts any data for any process – legitimate or not.
We need better technology that delivers more effective security to protect data, combined with ease of use. Such technology needs to be transparent to users while removing them from security decisions. The principle that everything – 100% – should be encrypted all of time, in storage, in transit and in use, is the goal. This means that when a file on a running system is copied from one location to another, it remains encrypted. Furthermore, strong authentication should be built into the encrypted file so that only authorised individuals can decrypt the data.
With this transparent, 100% file encryption, all data will be protected no matter where it gets copied because security is part of the file rather than a feature of its storage location. And by continuing the 100% encrypted principle, IT security experts no longer need to spend hours tweaking data classification rules so that ’important’ data gets more strongly protected.
Compliance, not just checkbox compliance
Government organisations continue to perform risk analyses and implement security silos, with the result being that they can check all the boxes and show that they are ’checkbox compliant’. But this approach is a major contributor to the fact that we still see so many successful data exposures.
To become truly compliant, with security that persists even if data is stolen, organisations’ information security focus must change from stopping threat actors getting access to data to protecting the data itself.