Lorna Rea at BAE Systems Applied Intelligence investigates the cyber-security challenges and opportunities facing central government
The COVID-19 pandemic has been a mixed bag politically for the government. But Whitehall IT has largely emerged with burnished credentials. Despite civil servants working under stay-at-home orders, government departments managed to deliver 69 new digital services by the end of May 2020 alone, to support a gargantuan effort.
Yet despite these gains, there remain large pockets of legacy IT exposed to a greater risk of compromise by threat actors.
Central government IT leaders we spoke to for a recent study are well aware of this. Yet ironically, cyber-security is often viewed as a block on digital transformation. The good news is that there is a way forward, with closer IT-security collaboration and a keener understanding of acceptable risk.
UK: a world leader in digitisation
The drive to modernise government IT began well before the pandemic. Although the UK remains one of the world’s leading digital exponents in public sector transformation projects, there is much to do. Legacy systems threaten to impact staff productivity and IT efficiency, drive up operational costs and, most pointedly, increase cyber risk. Legacy applications, for example, are typically lacking in functionality and have a poor user experience.
Yet the need to upgrade is beyond question. A third (32%) of respondents told us that legacy systems are limiting the quality of public services they’re able to offer, and their ability to collaborate and innovate internally. That’s why 60% of departments have plans to upgrade—although plans and actions can be two very different things.
The cyber-security challenge
The need for government IT modernisation is given extra urgency by the current cyber risk landscape. Vulnerabilities were cited by three-quarters (75%) of respondents as the reason for legacy upgrades, second only to performance improvements (76%). Just over half (53%) also claimed that poor integration between legacy IT and modern security solutions is their top data protection risk.
It’s easy to see why. Governments and critical infrastructure are under increasing pressure from hostile nations and financially motivated threat actors. The SolarWinds campaign, which breached at least nine US government agencies in a sophisticated and audacious operation, is the stand-out story of recent months.
But there will be more. A recent report from the National Cyber Security Centre (NCSC) revealed a 15-fold increase in the number of takedowns of spoof government websites.
Vulnerabilities remain a key attack vector. The sheer number of CVEs disclosed every year—over 18,000 at the last count—makes automated risk-based patching programmes essential to help teams prioritise individual vulnerabilities and systems. Mission-critical systems can’t easily be taken offline to patch, and compatibility issues with legacy apps compound the challenge.
Of equal concern is the growing number of bugs that are easy to exploit. The majority of vulnerabilities recorded by the US authorities in 2020 were “low complexity”, and required no user interaction to exploit.
The recent exploitation of Microsoft Exchange Server vulnerabilities showed just how quickly APT groups are ready to jump on critical flaws to deploy ransomware, steal data, mine for cryptocurrency and achieve other nefarious ends. Nearly two-thirds (63%) of respondents to our study said they had experienced a security incident in the past six months and over half of these (52%) came as a result of missing patches.
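The three preceding paragraphs argue for risk-based patch prioritisation: CVSS severity alone is not enough, because what matters is also whether a flaw is low complexity, needs no user interaction, is already being exploited, sits on an internet-facing host, or lives on a mission-critical or legacy system that cannot simply be taken offline. The following Python script is an added example (not code from the article or from BAE Systems) of how a small team might rank an inventory on those factors. The weights, the `Finding` fields and the whole inventory are constructed assumptions for illustration; the CVE identifiers are placeholders, not real advisories.

```python
"""Risk-based patch prioritisation over a constructed vulnerability inventory.

Added example, not part of the original article. Scores each (asset, CVE) pair
from the CVSS v3 vector's attack-vector, attack-complexity and user-interaction
metrics, the base score, whether exploitation has been observed, and the asset's
exposure and criticality. Weights are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str                 # placeholder identifier, constructed for this example
    cvss_base: float         # CVSS v3 base score, 0.0 to 10.0
    vector: str              # CVSS v3 vector string, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/..."
    exploited_in_wild: bool  # e.g. listed in a known-exploited-vulnerabilities feed
    internet_facing: bool
    mission_critical: bool   # cannot simply be taken offline; needs a planned window
    legacy: bool             # compatibility testing required before patching


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v3 vector string into metric -> value, skipping the 'CVSS:3.x' prefix."""
    metrics = {}
    for part in vector.split("/"):
        if part.startswith("CVSS:"):
            continue
        key, _, value = part.partition(":")
        if key and value:
            metrics[key] = value
    return metrics


def risk_score(f: Finding) -> float:
    """Combine severity, ease of exploitation, evidence of exploitation and exposure."""
    m = parse_vector(f.vector)
    score = f.cvss_base
    if m.get("AC") == "L":          # low attack complexity
        score += 1.0
    if m.get("UI") == "N":          # no user interaction needed
        score += 1.0
    if m.get("AV") == "N":          # reachable over the network
        score += 0.5
    if f.exploited_in_wild:         # active exploitation outweighs raw severity
        score += 3.0
    if f.internet_facing:
        score += 2.0
    if f.mission_critical:
        score += 1.0
    return round(score, 2)


def prioritise(findings: list) -> list:
    """Return (asset, cve, score, action) tuples ordered highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    out = []
    for f in ranked:
        if f.legacy and f.mission_critical:
            action = ("schedule maintenance window; test patch against legacy app; "
                      "apply compensating control until then")
        elif f.mission_critical:
            action = "schedule maintenance window; patch"
        else:
            action = "patch in next cycle"
        out.append((f.asset, f.cve, risk_score(f), action))
    return out


# Constructed inventory: every identifier and value below is a placeholder.
SAMPLE_FINDINGS = [
    Finding("mail-gw-01", "CVE-PLACEHOLDER-1", 9.8,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True, True, True, True),
    Finding("hr-portal", "CVE-PLACEHOLDER-2", 7.5,
            "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", False, True, False, False),
    Finding("file-srv-03", "CVE-PLACEHOLDER-3", 8.8,
            "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", False, False, False, True),
    Finding("ops-db-02", "CVE-PLACEHOLDER-4", 5.5,
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", False, False, True, True),
]

if __name__ == "__main__":
    for asset, cve, score, action in prioritise(SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {asset:<12} {cve:<18} {action}")
```

The point of the scoring is that the internet-facing, actively exploited mail gateway rises to the top even though the file server has a comparable base score, and that the legacy, mission-critical hosts get an action that acknowledges they cannot be patched on the spot, which is the compatibility problem the paragraph above describes.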
Tackling the cyber-security block on modernisation
However, cyber-security is also a challenge for digital transformation-minded government IT executives. It’s not only viewed as a top driver for IT modernisation but also one of the biggest barriers to infrastructure upgrades (68%), second only to integration issues (69%).
Why is this? Too often, security and IT departments work in siloes, with the former seen as slowing progress, delaying decisions and enforcing restrictions which would erase all the benefits newer digital systems can offer. A lack of funding and resources can exacerbate the problem, slowing decision-making further and meaning security teams lack the digital-centric skills that could remove such roadblocks.
Fortunately, there are things government IT departments can do to change the status quo. It all begins with breaking down those traditional IT-security siloes. This could be achieved by embedding security functions within each department, and ensuring future hires understand the importance of supporting digital transformation projects.
DevSecOps approaches can also help to integrate security further into digital projects, by ensuring teams are involved in developer decisions from the start.
Fundamentally, it’s about understanding that operational risks can be taken, as long as they’re fully understood and mitigations are worked through. Yes, ubiquitous cloud and mobility may expand the government attack surface. But with Zero Trust approaches and tools like Cloud Security Posture Management (CSPM), for example, risk can be kept to acceptable levels.
As the country emerges from the shadow of a long and destructive pandemic, more efficient, innovative government is exactly what we need.
Lorna Rea is Consultant for Central Government at BAE Systems Applied Intelligence