Public Sector Security Gets a Wake-Up Call
- By Winston Thomas
- December 21, 2022
Ask any government or public sector CISO before 2019, and they would have said that onshoring your data and owning your infrastructure in your jurisdiction was the best formula against threats.
While we can argue the pros and cons of data sovereignty, the traditional approach had a clear line of thinking: having data in your country means you control the outcomes when breaches occur in your jurisdiction. It also gives your legal branch a local advantage in prosecuting cybercrime.
This thinking was severely tested during COVID-19. Before vaccines, government workers found themselves working from home using cloud-native apps. The border between work and home lives blurred. And it was easy for data to slip across these porous borders.
Ransomware hackers pounced on this opportunity, giving many workers a hard lesson about practicing what they preached on secure computing. But soon, government organizations had to learn about supply chain attacks and sophisticated ransomware, where attackers lock down or wipe backup data.
Governments could not press pause on their SaaS and cloud deployments as they needed to service and engage locked-down citizens. But cybercriminals couldn’t help themselves when gaping holes stared them in the face, especially when ransomware as a service and attack kits were freely available on the Tor-based dark web.
So it’s not surprising that governments across the world, from Singapore to the U.S., started embracing the zero trust concept, where you don’t trust anyone or any device unless verified, says Daryl Pereira, director of the office of the CISO in the Asia Pacific region at Google.
Then the Ukraine war happened, and security thinking got turned on its head.
The Ukraine reckoning
The Ukraine war added a new dimension to cyberwarfare and defense.
“Typically, the reaction from governments is we can't put our data in the cloud because it's untrusted, we lose sight of it, and we lose control. Let's keep it all on-prem and onshore,” says Pereira.
The kinetic cyberattacks in Ukraine targeted essential infrastructure, with many planned months in advance. Banks stopped functioning, electrical services and communications lines went down, and the country was in chaos.
That was the main intent. “It was psychological warfare at its best,” says Pereira. And for a short while, it worked. The population was in a panic, and military forces were isolated.
So, Google expanded its Project Shield initiative, a free anti-DDoS service, for Ukraine. It ensured that Ukraine's government websites and essential services stayed online.
According to a Google blog post, Google’s Threat Analysis Group (TAG) found that government-backed actors from Russia, Belarus, China, Iran and North Korea targeted Ukraine and Eastern European institutions and individuals, including NGOs and journalists.
Mandiant, now part of Google Cloud, helped Ukraine’s Crisis Resource Center triage and mitigate attacks under the Cyber Defense Assistance Collaborative.
The localization myth
The biggest takeaway from the Ukraine kinetic cyberattacks is that you can’t have data localization as your major defense against data attacks.
“The Ukraine war made traditional approaches to public sector security obsolete. It’s time to embrace the cloud — again,” Pereira observes.
You need to think bigger, especially when attackers are not just stealing but blowing your data into bits with wiperware. Keeping the data in the country only made the government “sitting ducks.”
“So, the Ukraine Government had to effectively move the whole government onto the cloud in two weeks. Imagine the scale of that!” exclaims Pereira.
“Cyber warfare will actually take things down. And if you don't have scalability and resiliency built in a myriad of locations, you've lost all your data once it is breached or the lines are disconnected,” he adds.
Digitalizing assurance
So how can governments balance their data privacy concerns with possible cyber warfare threats in the future?
Pereira points to Google’s Assured Workloads as a possible solution. It allows governments to easily configure regulated workloads, prevent misconfigurations and meet cloud compliance requirements. When these requirements change, reconfiguring can be done with a few clicks.
The main advantage of Assured Workloads is its ability to support data residency. Administrators can determine where their data at rest will live. It then restricts the regions based on the Organization Policy. Meanwhile, it encrypts the data at rest and in transit to keep out prying eyes.
“So, for example, in Australia, as part of the strategic alliance with the U.K. and the U.S., they can get sovereign data to be based in those two locations as well as Australia,” says Pereira. This increases resiliency.
Another advantage is that governments can decide who touches the data. So, for example, anyone working in the U.K. and the U.S. who's cleared for the Australian Government's version of top secret can maintain and administer the data.
The biggest advantage is scalability and resiliency. The data is fully encrypted in all of the cloud locations, and it can help to meet the regulations of the data hosting country.
Cybersecurity is now national security
The biggest development since the start of the Ukraine war is that governments now see cybersecurity as a national concern.
Previously, you had a separate division. Often, the people heading these were not on the same level of influence as their field colleagues. But now, this is changing, with collaboration occurring at the top ranks.
This is not just occurring in the government sector. Pereira sees the same developments in other major industries like healthcare, pharmaceuticals, utilities and even oil and gas.
He notes that these industries are beginning to realize that you can’t have a CISO being far removed in terms of hierarchy from the chief executive officer or the head of the organization.
“Would you like a heart surgeon to operate on your brain? In the same way, you can’t have a CIO run your security,” says Pereira.
“Their thinking is very different. One is very much focused on innovation, transformation, and bright new shiny toys, and the other guy is more like the glass half empty: what could go wrong? Very different specializations,” he adds.
Changing the conversation
Pereira notes that governments are waking up to the reality that cybersecurity is a team sport. And you also need inputs when decisions are made.
This is probably why concepts like DevSecOps developed, where you add security practices into the CI/CD workflow. It mainly came to the fore when supply chain attacks reared their ugly heads some years back, with malicious code injected into legitimate security patches.
“Public sector security is now evolving. It is also changing the security culture within government and other public sector organizations,” says Pereira.
In turn, it is also changing how vendors and solution providers look at security by design and embedded security with their clients.
“The good thing is that cybersecurity is no longer an afterthought or someone else’s problem; we’re having these conversations right at the top,” says Pereira.
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse.
Image credit: iStockphoto/gorodenkoff