In the public sector, government must defend against the full spectrum of threat actors, whereas many in the private sector hope (often incorrectly) that they only need to be secure enough to drive intruders towards easier targets. But the public sector cannot make that excuse. Whether it is nation-state activity seeking intellectual property or criminals who want money or personal identifying information, cybersecurity is daunting for government organizations because they face attacks from threat actors of all levels of sophistication using a wide variety of techniques and tactics.
Public Sector Cybersecurity: Examining the 2022 Threat Landscape
To help shed light on this issue, Derek Manky, FortiGuard Labs’ Chief, Security Insights and Global Threat Alliances, and Jim Richberg, Fortinet Public Sector CISO, offered their perspectives on the threat landscape the public sector is facing in 2022, and how to defend against these threats. For more details, read the Fortinet 2022 Threat Landscape Predictions.
In the FortiGuard Labs report, what threat landscape predictions specifically affect the public sector?
Derek Manky: In the public sector, we’re seeing a convergence of advanced persistent threats (APT) and cyber crime. When you think about what the acronym APT means, it hints at sophistication and a more premeditated, targeted type of attack cycle. We’re starting to see a lot more investment from cyber criminals in the reconnaissance and weaponization phases of an attack. And it’s literally an investment because of how much they’ve profited from ransomware over the years, particularly weaponization. We are calling this convergence of cyber crime like APTs “advanced persistent cyber crime” (APC).
One thing that’s concerning for the public sector in 2022 is aggressive attack code. Ransomware is one example, but we’ve also seen wiper malware that’s been put into ransomware campaigns. Another name for wiper malware is “killware,” and the basic idea is that it’s destructive. I have a sense that given the innovation by cyber criminals, they’re going to blend these together. When they add killware into their strategy, some can destroy systems as an upfront message to show that they mean business, and then demand a high ransom payment in return in exchange for the rest of the systems being spared. In the past, we’ve seen these strategies affecting IT, and now that’s going to start hitting OT and the public sector too.
Jim Richberg: It’s always been cost-effective for cyber criminals to keep using existing exploits that are known to work, even if they’re 10 years old. But now, large organizations and governments that do a decent job of defending themselves with security patches are going to have to stay closer to the bleeding edge of newly discovered vulnerabilities. In some cases, they may even have to do virtual patching to keep up.
Derek Manky: The other thing to look at is the infrastructure piece. The attack surface is connected now. In the past, there was an air gap between IT and OT, but now everything is connected, so a lot of areas that were inaccessible before are now vulnerable. For example, modern remote terminal units (RTUs) out in the field for oil and gas are now becoming more and more connected through broadband and 5G. And now satellite broadband is being rolled out, as well.
Jim Richberg: I think there’s going to be a paradigm shift for government. When you talk to some government organizations they’ll say, “I’m not a manufacturer; I don’t have OT.” But the fact is that they might have smart buildings, green infrastructure, security video cameras, or sensors linked to air filtration to safeguard employee and public health. That means there’s an OT presence and an IoT footprint, whether they realize it or not. So, governments must understand that they have to defend against OT threats.
Derek Manky: Exactly. And in OT, the dominant platform is Linux, which is now in the crosshairs. Attackers are writing new malware code specifically for Linux because it’s widely deployed on IoT and OT devices. So that’s expanding the attack surface and attack capabilities (weaponization phase of APC). For example, Mirai was the number-one botnet that we observed in 2021, and it’s a Linux-based botnet. And this is just the tip of the iceberg. I think there are going to be a lot more.
How do these threats map against what is top of mind for government?
Jim Richberg: Here in the U.S., President Biden signed the $1.2 trillion infrastructure and jobs bill. Planning for implementation and setting standards will rely on government understanding the operational technology environment and security implications. Being a steward or regulator becomes exponentially more difficult because these government organizations are also busy implementing the tasks assigned to them by recent Executive Orders in areas such as implementing zero-trust and accelerating cloud migration. So, I think cybersecurity is getting more difficult for the public sector, not easier.
When we talk about threat activity targeting the public sector, I think it’s critical we remember that the public sector is not monolithic. National-level governments tend to have the most financial resources and expertise, although even they have trouble dealing with the skills gap and staying close to the leading edge of technology. When you look below the national level, entities such as local government or public utilities have fewer resources to deal with cybersecurity. Yet these are the levels of government that most people interact with in their daily lives.
What threat trends do you see affecting smaller public sector organizations?
Derek Manky: Cybercrime is a whole ecosystem, and the ransom-as-a-service model is part of it. Now, there are cyber criminals paying affiliates commissions to wage attacks. Because of this, there’s going to be more diversification in cyber crime operations with more horsepower, more weapons, and more people. If you consider all the elements that fall under cyber crime like money laundering, all of those networks are going to expand. And these threats just add to what public sector organizations already face like APT and nation-state threat actors.
However, more attribution is helping. When it comes to threat intelligence and research, finding people is the ultimate goal, but it is not the only goal. By gathering additional data centered on why cyber criminals are attacking or what verticals or infrastructure they’re targeting, security teams can disrupt campaigns and activity. Tracking down attackers and tactics makes it easier to know what to do about an attack. Attributing where funds are moving also helps, which includes crypto wallets and currency flows.
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.