While governments are increasingly spending more IT resources and budgets on cyber security, there are still blindspots and weak links in their IT management, usage and policies, which makes them vulnerable to cyberattacks, according to an independent study released by research consultancy firm TRPC, titled “Public Data At Risk: Cyber Threats to the Networked Government”. The study reflects that while governments across Asia-Pacific are strategically looking at adopting IT solutions to streamline and enhance the efficiency of their work, management of data and delivery of public services, a networked environment is being actively targeted by cyber threats affecting safety and security of government data, national security, critical infrastructure, as well as international diplomacy.
The study, commissioned by Microsoft, assessed the trends around IT systems and infrastructure being built by governments and related IT investments, types of public and sovereign data stored by governments, as well as the types of the cyber crime threats being targeted towards government. The endeavour of the study is to propose a roadmap to senior government policy leaders and business decision makers to enable a resilient, reliable and strong cyber security strategy and trusted IT usage framework. It has also been established that an unmanaged and unregulated IT supply chain is one of the most potent ways in which malware infections are taking root inside systems and committing cyber security breaches, according to the TRPC study.
“Current government efforts to address cyber security to date are often piecemeal at best,” said Dr Peter Lovelock, Director, TRPC. “Two problems are arising for procurement professionals in Asia – the increasing prevalence of infected networks, including in supply chains, and the lack of experience in dealing with actual threats.”
“A more holistic approach towards cyber security must be undertaken if a country is to be “cyber-ready” – such as setting up of agile and empowered computer emergency response teams (CERTs), to sensitizing and educating civil officials particularly non-IT focused personnel, to regulating and monitoring the IT procurement and purchasing processes, to using trusted technologies capable of defending and responding to cyber security breaches – are all elements of building a safer government ecosystem,” said Keshav Dhakad, Regional Director, Digital Crimes Unit (DCU), Microsoft Asia.
For example, a global survey by security firm ISACA found that most security professionals have not yet had to deal with an actual Advanced Persistent Threat (APT) attack – a type of network attack in which an unauthorized person gains access and stays undetected for a long period of time, usually with the objective of stealing data. According to the ISACA study, only 21.6 percent of respondents having been subject to an APT attack. It also pointed to a worrying sign that many were not taking enough precautions against the threat of an APT – up to 81.8 percent of respondents had not updated their agreements with vendors who provide protection against APT, while 67.3 percent of respondents have not held any APT awareness training programs for employees.
Many security loopholes can be addressed by ensuring that best practices guidelines are enforced for the purchase, maintenance, and upgrading of IT infrastructure and services, according to the white paper. This includes following a cyber security roadmap to identify which risk areas require attention and more resources.
Roadmap to Constructing a Resilient Cyber Security Strategy for Governments
A resilient cyber security strategy must be holistic and address different stages of an attack, including prevention, response and mitigation. An effective roadmap towards constructing a resilient strategy should include steps taken to:
- Raise awareness through regular training on cyber-hygiene to government officers and staff and mandate usage of genuine and current software products, safer internet practices, and added malware protection through anti-virus solutions. On the other hand, government IT procurement officers, government contractors and agencies should be strictly regulated, audited and sensitized towards the standards of security and safety of public data as well as national security.
- Ensure Readiness by having a central agency responsible for coordinating cyber security preparedness and prevention protocols and for coordinating cyber-security responses in the event of a state-targeted attack. Establish a strong and empowered Computer Emergency Response Team (CERT) and create or join a network of trusted CERT partners to share information and cyber-threat intelligence and mock attack exercises.
- Prevention of attacks through building and maintaining a safe and secure network infrastructure and clean and genuine IT supply chain through strong IT maintenance and procurement practices. Develop, implement and enforce cyber security standards for IT vendors and suppliers for all public sector, particularly for critical infrastructure and sensitive national projects.
- Responding effectively by establishing domestic, regional and international legal avenues for pursuing redress following a cyber-attack. Develop best practices for recommended timeframes and standards for constant upgrading and updating software used in the public sector.
- Mitigate damage by establishing a cyberforensics team in place which can work alongside the CERT, private industry and police to investigate security breaches and prevent further losses. Develop or join a cyber-security network of other government or international organizations for information, intelligence and alliance-building purposes.
Founded in 1975, Microsoft is the worldwide leader in software, services, devices and solutions that help people and businesses realize their full potential.
TRPC Pte Ltd is a research consulting firm which focuses on the economics of telecommunications and information technology, particularly the policy and regulatory issues associated with national information infrastructure development, with an emphasis on the Asia-Pacific region.