The phrase Civilian Federal Agency sounds somewhat official, safe, and orderly, doesn’t it?
You might be shocked to learn that quite often, these agencies (and many others in the public sector) rank dead last when it comes to securing their systems and data. Rather than investing in the proper controls and infrastructure, public officials seem to prefer shrugging and making excuses. These are government agencies, though.
They regularly work with some of the most sensitive data in the world — shouldn’t it follow that they prioritize keeping that data safe?
By overlooking apparent weaknesses and ignoring past mistakes, elected officials put all of our data at risk. In many government sectors, there seems to be a somewhat blasé attitude of waiting until something happens. Given that we so frequently must provide personal and private information to these agencies, that is unacceptable.
Many of these attacks could be prevented simply with a bit of proactivity. Unfortunately, there’s rarely any real means of holding these agencies accountable; they can merely blame some frightening, invisible villain like a state-sponsored black hat. And even where regulatory frameworks exist, regulators are often effectively toothless where actual enforcement is concerned.
Wherever our tax dollars are going, it’s clearly not towards better information security. And why would it be? If there are no tangible consequences for poor security, why bother putting in any effort?
Shining a light on governmental IT practices, it becomes increasingly evident that the security breaches we’ve seen recently are not simply the result of a pandemic and rushed planning. Nor is this an issue that applies to only a few countries. This is extensive and widespread — and it’s been happening for a while.
The SolarWinds breach is perhaps the perfect illustration of this issue, and the results of the devastating supply chain attack are still keenly felt. If you need a refresher, sophisticated attackers compromised a DLL file in the Orion software update, affecting up to 18,000 organizations. This included the US military, the Pentagon, the State Department, the NSA, the White House, and the Department of Justice.
As it turned out, the attackers needn’t have bothered with such advanced tactics; the update server that was compromised was only protected by the password Solarwinds123.
You might think it makes sense for people to make mistakes, especially during something as unprecedented as the pandemic. Sadly, the issues with government cybersecurity are not the result of COVID-19. They are part of a disturbingly long history of lax practices and half-measures.
Inadequate security protocols are a severe problem, especially with the shift to distributed work. This might be less infuriating if it weren’t for governments spending obscene amounts of money on digital infrastructure and a pathetic fraction on dedicated cybersecurity. And though measures like Biden’s recent executive order might do something to address the issue, we’re not holding our breath.
In the meantime, all you can do is take a few measures to protect yourself:
- Use a password manager
- Sign up for digital identity protection/fraud insurance
- Pay attention to data breaches, and use sites like haveibeenpwned to monitor for compromised accounts
- Practice mindfulness, and train yourself to avoid phishing attempts
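The haveibeenpwned tip above is worth seeing in practice, because the useful part is how the site's Pwned Passwords lookup is designed: the client hashes the password with SHA-1 and sends only the first 5 hex characters of the hash to the range endpoint; the server returns every leaked hash suffix sharing that prefix, and the match is made locally, so the checking service never learns which password was queried (the "k-anonymity" model). The example below is added here and is not code from the article or from Have I Been Pwned. It runs fully offline: `fake_range_endpoint` and the `CONSTRUCTED_LEAKS` corpus (including the article's `Solarwinds123`, with a made-up count) are stand-ins for the real HTTPS endpoint, and only the client-side matching logic mirrors the real protocol.

```python
import hashlib
from typing import Callable, Dict

# Constructed "leaked password" corpus standing in for the real Pwned Passwords
# data set. Counts are invented for the example; the password quoted in the
# article is included on purpose so the check has something to find.
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "Solarwinds123": 4,
    "password": 3861493,
    "letmein": 236149,
}


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes entries by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service answers with one 'SUFFIX:COUNT' line per leaked hash that
    shares the 5-character prefix. Here those lines are built from the
    constructed corpus above instead of the real breach data.
    """
    if len(prefix) != 5:
        raise ValueError("range queries carry exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_LEAKS.items():
        h = sha1_upper(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str,
                fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Return how many times `password` appears in the leak corpus (0 = not found).

    Only the 5-character hash prefix is handed to `fetch`; the full hash and the
    password itself never leave this function, which is the k-anonymity property
    that makes it safe to check a live password against a third-party service.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("Solarwinds123", "correct horse battery staple"):
        n = pwned_count(pw)
        verdict = f"seen {n} times in leaks" if n else "not found"
        print(f"{pw!r}: {verdict}")
```

To run this against the real service, replace `fake_range_endpoint` with a function that performs an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` (the API requires a `User-Agent` header) and returns the response body; the matching code stays the same, and the prefix is still all that is transmitted.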