March 21, 2022
Over the last three years, we’ve all grown to rely on critical infrastructure for basics such as power, water and connectivity that allow us to work remotely or logistics networks that keep shelves full and economies on track. This reliance has made infrastructure a target for cyber-attacks, and we’ve seen increased attacks on power grids and electricity providers, as well as attempts to take down banking systems.
Some attacks, such as those on the banking industry, are targeted toward the private sector, but often we also hear about breaches in the public sector and government. Both sides are investing in protecting these critical assets. Still, there are areas where governments can learn from the private sector and vice-versa, which will help both sides adapt more quickly and effectively to a continuously evolving threat environment.
The old approach to securing information was to apply a blanket protection level to everything, which is still followed by many government organizations today. The private sector has recognized that this is not practical; too much protection slows down the response to a breach. It makes it more challenging, therefore slower, to identify the incursion point.
The best way to protect information is by considering the concept of ‘key data’ only. Different types of data require different levels of protection at points in the lifecycle. This sounds complicated, but it’s not.
Consider a product launch; whilst under development, this process is secretive. Documents are highly guarded as to have them leaked into the public domain would jeopardize any competitive advantage, and the highest levels of protection are essential. Then on launch day as this information moves from secret to public, the protection can be removed as everyone now knows about the product.
Governments could learn from the private sector levels of protection that can be adapted across the lifecycle of information, making management easier, speeding up detection and, should a breach occur, high-risk items are more identifiable to the security team.
Governments use intelligence to gain insight into threats at a national or international level. An example of this is working with agencies to maintain a broad vision of which threat actors may be planning attacks targeted at country or regional levels. The private sector leverages intelligence to spot industry or vertical level threats, watching for the latest potential DDoS, ransomware or software vulnerability that could impact business.
Bringing these resources together to share knowledge would create an almost high-definition picture of cyber threats in real-time. We have seen this happening in some countries, for example, the United Kingdom National Cyber Security CiSP, but this is only a start. More initiatives are needed worldwide to help both sides build trust and become happier to co-operate in the future.
“It started with a click” sounds like the opening of a song, but refers to how more than 90 percent of successful malware and ransomware campaigns start their attacks. We live in a world of click, like, swipe and move-on access to online information. Unfortunately, it’s all too frequent that people respond to emails, online campaigns or messages without putting online safety first.
This challenge would be impossible to eliminate, but the risks are reduced as more vendors design security into their solutions and devices. However, some vendors of cheaper products still overlook security in the excitement of getting to market early. These products are then purchased at a low cost by users who feel that voice-controlled egg-timing is an essential kitchen tool, without realizing that this device is broadcasting their Wi-Fi password to anyone who wants it!
Governments can help address this, with some U.S. legislation changes in recent years for security standards in IoT devices, and other regions adopting principles to increase public awareness of online security, including the U.K. and Australia (PDF). These are a start, but there is an opportunity for governments to enforce direction that will make security by design an imperative rather than an option.
These are just a few areas in which private and public sectors working together effectively can make a difference. In most cases, the need is not for anything new – but better and more regular collaboration. Technology is crucial today to support business, personal, financial and even environmental requirements, and this is not going to change. In fact, as overall reliance on technology increases, cybersecurity will become an even more significant challenge – government and the private sector carry a shared responsibility to face the challenge and threat together.