Assumptions that government organisations' strict governance requirements make them more secure than conventional businesses are a dangerous fallacy, a security expert has warned in the wake of a growing string of high-profile data breaches in both the public and private sectors.
Shortcomings in government departments' IT security are often never discovered until hackers lay their troves of personally identifiable information (PII) bare for the world to see, Nuix's senior vice president for cyber threat analysis, Pogue, told CSO Australia in the wake of a massive and damaging data breach at the US Office of Personnel Management (OPM) whose 21.5 million victims include Pogue himself.
With this week's publication of the massive Panama Papers archive of stolen confidential information in a searchable format for all to view, the world had yet another example of the consequences – this time for Panamanian law firm Mossack Fonseca – when data breaches cannot be detected or stopped in time. The massive size of the Panama Papers breach – which at 2.6TB in size dwarfs the OPM breach in terms of its sheer volume of data if not its national-security implications – has fast become yet another bullet point in the argument for better controls over private and public-sector information.
“Any government agency that retains that kind of data needs to understand that there is tremendous value for that data on the black market and the attackers want it,” Pogue said, “so they are going to actively pursue it. And, as evidenced by recent breaches in the Philippines and Turkey, it's not just the US or Australia they're going to target; it's literally anything, anywhere.” As in the private sector, government decision-makers often laboured under the assumption that they are more secure than they actually are.
“These government systems are assumed, because it's the government, to be more comprehensive and to deploy more controls,” Pogue said. “But when you peel back the covers, they don't. They are just as holey, just as vulnerable and have as many issues and flaws as other systems – and in some cases, even more so.” Even those that try to improve security often find themselves hobbled by the weight of official process, he added.
“They're dealing with taxpayer money and budgets in a way that private industry isn't: you have people almost with one hand tied behind their back. They are dealing with an exhaustive and sometimes overburdened procurement process where getting the tools and technologies that they need is so difficult and time-consuming that just to do the right thing takes several orders of magnitude more effort than it does in private industry.”
Ponderous procurement processes will get a boost from the government's 2016-17 budget, which includes $12.4m “to upgrade information technology systems to support greater transparency in the reporting of procurements conducted by limited tendering” associated with the Trans-Pacific Partnership trade agreement – which is expected to improve Australian access to overseas markets and vice versa. The effectiveness of such changes will be judged over time, but in the short term both government and non-government bodies should proceed as if their confidence around security is somewhat optimistic.
Yet this may prove difficult for executives who, studies repeatedly show, are more overconfident about, and less involved in, organisational security planning than their peers overseas. Strong executive involvement in security planning has been linked with an increase in organisational confidence in IT security, even though many executives blame security breaches on bad user behaviour.
They wouldn't be entirely wrong, Pogue says: “there are a whole lot of IT hygiene basics that can be done – things like network segmentation, data encryption, and proper use of firewalls – but we still see passwords being used that are dictionary-based words, very simple vendor-supplied or even default passwords.”
“The sorts of things that can make attackers' lives more difficult really aren't being done at scale,” he continued. “We've collectively got 20 years' worth of data about how attacks take place, but it's like we haven't learned our lessons and haven't taken cues from other industries that have dealt with this. We're not even really putting up a good fight.”