How nation-state cyber attacks disrupt public services and undermine citizen trust

In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.

Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.

How do nation-state attacks affect the public sector and services provided to citizens?

All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.

Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.

In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.

A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.

In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public’s trust in the electoral system.

While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What’s harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.

What are the most common vulnerabilities within government IT systems that cyber attackers exploit?

Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.

It’s important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.

How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?

AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular “needle in a haystack” cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.

The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.

The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.

Are there any specific regulatory frameworks or policies that must be implemented or improved?

Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a company’s cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.

The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the “lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to “simplify oversight and regulatory responsibilities of cyber regulators” and “substantially reduce the administrative burden and cost on regulated entities.”

This is a much-needed exercise and it’s encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.

What role should the private sector play in supporting government cybersecurity efforts?

The private sector has threat intelligence that the government often doesn’t have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.