The Scariest Cybersecurity Trends Impacting the Public Sector

A recent article examined two of the scariest cybersecurity trends currently impacting public-sector organizations and their networks and systems.

One concern is the fact that public-sector organizations only recently have started to understand the severity of the cybersecurity problem.

Another concern is the fact that such organizations generally fail to adhere to — or even acknowledge the existence of — longstanding cybersecurity recommendations. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have worked collaboratively with their counterparts in Europe and Australia for years to ensure that public-sector organizations are well-informed regarding emerging threats and the best strategies and tactics for mitigating them. (Click here and here to read these blogs.)

In this article, we delve into the third, fourth, and fifth scariest trends.

Scariest Trend No. 3 — Cyberattackers keep getting better at what they do

Cyberattackers constantly evolve their strategies and tactics, seemingly at warp speed. For example, they are employing increasingly sophisticated, automated software tools that leverage algorithms to identify millions of network, system, and device vulnerabilities every second.

A corollary factor contributing to this trend concerns the fact that it is extremely difficult for developers to create software that is vulnerability-free. This is the reason that patches are continually issued. Now consider that the software utilized by public-sector organizations interconnects to all manners of software employed by dozens, even hundreds, of other organizations, and each piece of software contains its own intrinsic vulnerabilities. It is easy to imagine a cyberattacker exploiting a vulnerability discovered in another organization’s software and then worming their way into your organization’s software, which in turn enables them to attack every connected network, system, and device.

Another is that, in most countries, cyberattacks aren’t considered crimes. The philosophy seems to be, “shame on you for not having the proper protections in place.” The result is that cyberattackers outside the United States operate with virtual impunity.

For all these reasons and more, cybersecurity fraud is the third-largest economy in the world and only will get bigger. It’s the proverbial monster under the bed that keeps every cybersecurity professional working in the public sector up at night — or at least it should.

Scariest Trend No. 4 — Not enough cybersecurity experts to go around

Nearly all public-sector organizations are dealing with an acute staffing shortage across the entire enterprise. This includes information technology (IT) and cybersecurity personnel. It should be noted that not every IT professional has the experience and expertise required to work in the cybersecurity realm. Indeed, cybersecurity professionals possess very specific skill sets, which makes it more difficult to recruit, hire, and retain them. Because their skill sets are so specialized, cybersecurity professionals tend to require compensation that puts them out of reach of many public-sector organizations, especially if they’re competing with private-sector organizations that have deeper pockets.

A related factor is that smaller municipalities and counties often share cybersecurity personnel across multiple agencies. The result is that personnel typically are spread very thin, so much so that they find it exceedingly difficult, if not impossible, to execute even the most basic elements of a cybersecurity program for a single agency, much less all of them, and to keep pace with constantly evolving threat vectors.

Scariest Trend No. 5 — LMR systems are just as vulnerable as every other system

This is a trend that primarily affects public-safety agencies, which rely extensively on two-way voice communications during emergency response — in fact, it has been said, with some justification, that the most vital tool that law-enforcement officers and fire/rescue personnel carry is their land mobile radio (LMR). In the past, LMR systems, whether analog or digital, have been isolated, standalone, self-contained, and not connected to the internet, which generally meant that no pathway existed for cyberattackers to infiltrate them.

Unfortunately, however, a plethora of vulnerabilities exist that increase the risk profile for LMR systems exponentially. This is true even for Project 25 (P25) systems, despite the existence of certain protections that are baked into the standard, such as encryption, use of multiple frequencies, and a feature called “radio inhibit,” which enables system managers to identify a rogue radio and essentially turn it into a brick.

Arguably, the greatest vulnerability is that the systems used by public-safety agencies to backhaul radio traffic from the tower(s) to the facility leverage the Internet Protocol (IP), which has inherent security flaws — ergo, IP-based networks and systems are intrinsically vulnerable to cyberattacks. The reality is that most public-safety agencies tend to think of their LMR systems in terms of radio frequencies and not IP — thus, they fail to grasp the criticality of this vulnerability. A corollary factor is that backhaul systems often are shared by public-safety agencies with other entities — and each of them has its own vulnerabilities. The result is a dramatically diminished cybersecurity posture for all concerned.

As I have written before, cybersecurity is a big, messy problem that will get bigger and messier as time passes. MCP’s team of subject-matter experts would love to help you develop strategies and tactics to improve your cybersecurity posture — please reach out.

Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.