The general perception of hackers is that they’re Mr. Robot-esque renegades who utilize futuristic technologies in order to single-handedly take down monolithic foes, like multinational corporations or entire governments. The reality is more mundane. Most malicious actors choose the path of least resistance, such as straightforward phishing attempts, in order to acquire credentials that grant them network access. Simple tactics work, so if it ain’t broke, don’t fix it. There is one area, however, where sophisticated hacks are more common: the public sector.
The value of public sector data
Public sector data, from citizen records to national security intelligence, isn’t just sensitive, it’s also mission-critical. This kind of data can give threat actors a lot of leverage to extort large sums of money. Because of the potential value of public sector data, ambitious hackers are willing to hazard incursions into more heavily defended networks. That’s why system intrusion, a relatively complex attack pattern, continues to be a top choice for threat actors in the public sector, according to Verizon Business’s 2024 Data Breach Investigations Report (DBIR), a report that analyzed over 30,000 security incidents and 10,000 confirmed data breaches across 6 continents and 20 industries.
The motivations of public sector hackers
The public sector doesn’t just draw the more entrepreneurially minded hackers. It also attracts more nation-state hackers, who tend to have access to more funds and resources. Such malicious actors are compelled by espionage in addition to, or sometimes in place of, financial motivations. According to the DBIR, nearly a third (29%) of malicious actors in the public sector are driven by espionage—higher than any other vertical or industry by a wide margin.
The weaker links of the public sector
Public sector data may have more layers of protection than data in other industries—stealing state secrets from the DoD, for instance, would be no simple feat—but not all public sector data is so fiercely guarded. The growing digitalization across industries has ushered in unprecedented capabilities, but data is also more distributed than ever before. In more decentralized industries, such as media and entertainment, for instance, the cybersecurity of big studios is only as strong as the third-party vendors they work with. Some high-profile hacks have taken place when valuable IP was stolen through small post-production companies that typically don’t have the resources to invest in more advanced cybersecurity systems. These vendors end up serving as a de facto backdoor for hackers who otherwise wouldn’t have been able to gain access to such valuable data. The public sector has similar backdoors.
Institutions of scientific research and higher learning often overlap with the public sector, sometimes conducting research with national security implications, such as nuclear research or satellite technology innovations. Even though these institutions often deal in valuable data, their cybersecurity typically lags behind that of organizations in the public sector, such as federal agencies and departments. As a result, threat actors will sometimes perceive such institutions as relatively soft targets for high-value data.
Changing the culture around cybersecurity
One reason why academic institutions lag with regard to cybersecurity is culture. Institutions of higher learning promote values such as collaboration and the free exchange of ideas. These values may be conducive to academic rigor, but they can make researchers, academics and students more lax in their digital communications.
Training researchers and academics (and employees and users in most industries) to spot the most common social engineering tactics can go a long way toward protecting such institutions. According to the DBIR, the vast majority of security incidents and 68% of full breaches involve the so-called “human element,” essentially human error—the very factor social engineering preys upon. If users are apprised of typical pretexting, phishing, vishing and other social engineering methods, they’re much less likely to fall victim to one of these attacks.
Save them from themselves
Cybersecurity education can help, but it isn’t foolproof. These institutions are built upon notions of intellectual collaboration. Eliminating that culture altogether isn’t realistic, but you can remove some of the guesswork with stricter access control. Additionally, incorporating more rigid multi-factor authentication for devices and networks can prevent cyber gaffes, especially in this age of distributed workforces and remote learning.
Trust no one
The case for a zero trust approach to cybersecurity is especially strong in the public sector, given the sensitivity of its data. Zero trust takes a “never trust, always verify” approach to cybersecurity—a model that acknowledges the reality that security threats can come from anywhere, including from within an organization. A zero-trust approach not only requires strict authentication of users, but it also applies the same rigor to applications and infrastructure, including supply chain, cloud, switches and routers.
The public sector can strengthen its cybersecurity as a whole by shoring up its weak points. Part of that is structural. Part of it is cultural. Much of scientific and academic research hinges on applying healthy doses of skepticism. If researchers and academics can apply some of that same skepticism to digital communications, the wider public sector will be the better for it.