Why Governments Are Vulnerable to Hackers
Special Advisor to the Cabinet Office for the Government of Japan
Cyber-attacks are on the rise and everyone and everything from celebrities to hospitals are being targeted.
Some are expecting government to take the lead on next steps, but earlier this year, a cyber-security risk analysis firm scored U.S. local, state and federal governments at the bottom of a ranking comparing 17 private industries such as healthcare and retail.
The report, by security rating startup SecurityScorecard, took in 600 government organizations and said they struggled in particular with malware infections, network security and software patching.
“Federal agencies may be susceptible to more risk due to the sheer size of their infrastructure, but in many cases, may be prepared to fare better against cyber-security threats due to larger budgets and teams of security personnel,” SecurityScorecard analysts wrote.
As an advisor to the Japanese government, I see these sorts of problems all too often—both inside Japan as well as outside when talking with colleagues overseas, including regularly at World Economic Forum gatherings.
Governments are in many cases sluggish instead of nimble when dealing with cyber threats. But they have also realized that stopping cyber threats is a balancing act: too many overprotective laws and regulations and the productivity gained from online activities and the use of information and communications technology slows to a crawl. Government size is often a handicap but, as the report notes, IT budgets can be secured to deal with cyber-security. That’s why it’s hard to be sympathetic when the public sector gets hacked.
One thing I’ve preached time and time again is the need for various ministries and agencies in government to coordinate strategy and resources when fighting cyber-attacks. The interconnectedness and interdependence of today’s world means that a threat to one part of government is a threat to the whole.
The Perils of Silos
Even worse, control over certain critical infrastructure such as power grids or air traffic control can have regional or global ramifications. Criminals are attacking the seams and weak points of online targets. That means every government organization has to work together to be in the best security posture. The challenge here is overcoming the territorial mindset of government agencies. Hackers don’t care about traditional silos or fiefdoms and indeed will view these as weaknesses to be exploited.
Complacency is another potential problem. Many governments and their agencies look toward an IT or security authority for direction, and implement its directives without thinking. But simply going through the motions and ticking off a checklist is dangerous since it doesn’t free them from their responsibility; this is especially problematic in cultures that place a premium on hierarchy and conformity. It actually gives downstream bureaucrats an excuse because if something happens, they can say they were simply following orders. Bureaucrats, end users and everyone else need to understand why we are doing something and how to be proactive – even preventative – when it comes to computer security.
Another point on the psychology at play here: being open and honest is key in cyber-security. That’s a difficult ask, but everyone is a target these days. It’s not necessarily a question of negligence or that someone failed to do their job—it’s more often a question of not wanting to be blamed. But reporting an incident as soon as possible is critical. Customers are often far more upset by an attempted cover-up of a hack, real or perceived, than the fact that their personal information was stolen.
A Global Struggle
Cyber-security is truly a global problem for which new rules need to be created. That’s why it’s critical for governments to cultivate experienced IT professionals who won’t get rotated into an unrelated job after two years. They also need to get independent outside experts who can assess their security problems and recommend solutions. External measures of readiness and security are no less crucial. International forums can serve as an exchange for best practices among peers and experts.
The Global Cybersecurity Index (GCI) is a ranking established in 2014 under the U.N. International Telecommunication Union that assesses the status of cyber-security worldwide. This multi-stakeholder initiative ranks countries’ commitment to cyber-security in the categories of legal measures, technical measures, organizational measures, capacity building and cooperation. Published with ABI Research, the inaugural edition of the ranking put the U.S. first, followed by Canada, Australia, Malaysia and Oman. Japan tied for fifth place.
“Unfortunately, cyber-security is not yet at the core of many national and industrial technology strategies,” ITU Telecommunication Development Bureau Director Brahima Sanou writes. “Countries need to be aware of their current capability level in cybersecurity and at the same time identify areas where cyber-security needs to be enhanced.”
The GCI is a good example of the importance of public-private partnerships tackling cyber-security. Politicians now realize that while government has a key role in promoting cyber-security, the private sector must be engaged on an equal footing because most of the internet operates on privately owned networks. It goes without saying that the public and private sectors must cooperate and share information to address the myriad threats posed by hackers today. This is happening in business; well-known security technology vendors, many of them competitors, are working together as part of organizations like the Cyber Threat Alliance to share intelligence information to protect customers.
We need more forums for government and industry to interact and share information, including more casual, less academic vehicles for exchanging ideas and best practices as well as conducting joint training, exercises, capacity-building and R&D. Entities such as Japan’s National Center of Incident Readiness and Strategy for Cyber-security (NISC), set up in 2015 to defend against cyber-attacks in cooperation with the National Security Council, could test ideas from such a forum, both in terms of the technology and how to manage it.
With better tools to assess, publicize and mitigate cyber-security threats, governments could do a far better job of protecting our online lives. There’s no reason for them to be anything less than our best defense against hackers.
This piece first appeared on the Agenda blog of the World Economic Forum.