Transmitting and securing critical information has long been a challenge for the Public Sector, in general, and the defence industry, in particular.
In the past, perhaps the greater difficulty was in simply getting information from one place to another.
Before radios, telephones and the Internet, armies depended on things like carrier pigeons and flag signals to transmit orders. In the days of the Roman Empire, territories interacted via messengers who took days to travel by horse. It’s hard to even imagine such a delay now when we can instantly chat with colleagues halfway around the world!
But with the advent of digital technologies that connect people easily and in real time in remote places, the greater challenge comes not from sharing information but from protecting it.
It’s a bit of a double-edged sword: Users require and expect wider and faster access via more channels and devices – and today’s technology can provide it. But this ability only increases the attack surface for cybercrime.
And, as we should all know by now, the threat of cyberattack is very real for the Public Sector. To note a few recent cases:
- In 2015, news of a major attack on the U.S. federal government’s Office of Personnel Management filled the headlines. The hack affected 21.5 million Americans, including military personnel and veterans. (Here’s a good overview of that event.)
- Australia confirmed earlier this year that a cyberattack on its Bureau of Meteorology will cost millions of dollars to fix. It’s thought to have been launched from China.
- And recent news in the UK disclosed that 28 NHS Trusts had undergone ransomware attacks “multiple times” in 2016.
Organisations such as the Ministry of Defence recognise the threat and want to do everything they can to protect themselves. However, it’s not easy, and certainly not cheap!
Financial constraints; a lack of skilled cybersecurity personnel; a culture that’s still learning about cyber threats and things like phishing emails – all of these factors make it difficult to stay safe.
But there are some approaches that can make a difference, in our view.
- Agile and more risk-based approaches that encourage taking a closer look at security validation processes and evaluating the real need for protection. Does a piece of intelligence require the highest level of protection throughout its life? Or could the classification, security requirements and, as a result, costs be reduced at some point? Often in the public sector, aggregated data will predicate the use of more and/or stricter security controls since the impact of a breach has increased. Could an organisation disaggregate data and reduce the security requirements for certain segments?
- Enterprise architecting of secure systems that starts from the ground up. With this approach, agencies embed clear security policies and standards in all phases of the system development lifecycle and systems, covering people, process and technology. The approach involves educating staff on risk and response and using technology to address both internal and external threats. This includes routine security administration and patching/update activities. By creating a coherent security strategy with the security architecture defined from the beginning of the project, agencies can ensure the end-to-end solution is better protected.
- Assessing and understanding future threats and vulnerabilities, and ensuring responses are pre-planned, regularly reviewed and rehearsed. For example, organisations might consider using mitigations such as ‘red teaming’, controlled self-attacks by “ethical hackers” to explore their system’s weaknesses and fix them before someone else can exploit them. A proactive security/cyber innovation programme can also assess, adopt or develop secure ways of storing, processing and sharing information to protect agencies from ever-more novel and damaging attacks.
If there’s one consolation, it’s that the Public Sector is far from the only industry confronting this significant challenge. Healthcare, financial services, energy, retail, maritime – they’re all struggling with the same difficult questions.
So before we resort to carrier pigeons again, perhaps we should pool our knowledge and learn from best practices and successes all around us, in the public sector and beyond. (The U.S. has started an initiative with this very aim.)
And when it comes to inevitable failures, remember, don’t shoot the messenger!
Lawrie Abercrombie is a CSC consultant specialising in Information Assurance support to companies and organisations with high-value assets to protect.
Mark Perry is CSC’s Industry Chief Architect for Public Sector in the UKI&NL.