Government Cybersecurity: An Inside View
When he isn’t protecting businesses in the fast-changing cyber threat landscape, Bill Conner is often found using his four decades of experience in the security industry to help government agencies and organisations to improve their cybersecurity strategies. Luke Christou sat down with the SonicWall CEO to find out what governments are getting right and what needs to change for good to prevail in the cyber arms race.
With four decades of experience in security with companies like AT&T, Entrust, Silent Circle and SonicWall, Bill Conner has been at the forefront of this arms race for longer than most.
That experience proves valuable to governments and authorities, many of which are just beginning to take the threat seriously. Conner regularly consults the United States Senate, once co-chaired the US Department of Homeland Security's (DHS) Corporate Governance Task Force and previously lent INTERPOL a hand in the development of the Global e-ID card.
Before sitting down with Verdict, Conner had spent the morning talking cyber with GCHQ officials in London and had been in Washington DC the previous week for similar discussions with their US counterparts.
Yet, while Conner continues to encourage change, there is still a long way to go before government response to cybersecurity is up to scratch.
It is estimated that businesses spent more than $114bn on cybersecurity in 2018 according to Gartner, an increase of 12.4% or $14bn on 2017.
In the same period, malware attacks rocketed, increasing by 22% from 8.62 billion recorded attacks to 10.52 billion according to SonicWall’s annual Cyber Threat Report. Malicious actors made 3.9 trillion intrusion attempts, while web app and ransomware attacks grew by 56% and 11% respectively as attackers continue to exploit new attack methods.
“It’s a cyber arms race,” says Conner, and one that, as an endless stream of data breaches, ransomware attacks and election hacks suggests, is proving difficult to win.
The right cybersecurity response
Conner points to the United Kingdom as an example of a good government approach to cybersecurity.
The UK was hit particularly badly by the WannaCry ransomware and to a lesser extent the Petya attack. WannaCry brought the National Health Service to its knees, costing £92m in damage in May 2017. However, SonicWall’s data shows that the UK’s response to those attacks has been effective.
Ransomware attacks in the UK fell by 59% in 2018. In comparison, attacks climbed by 62% in the US and a staggering 206% in Germany, which Conner feels is a result of differing government responses to cybersecurity.
“You’ve [the UK] got one group that is just focused on cybersecurity for the country. They own it for the entire government and for the public-private partnership,” Conner says. “This is where the UK got it right.”
“We don’t have that in the States… They don’t have that in Germany.”
Part of the problem for those nations, the US in particular, is size. As Conner points out, “the US is a much bigger target”. Not only does this mean that there are far more businesses and citizens to protect, but the various different jurisdictions that make up the US also present a number of legal issues for the government to overcome.
“Here it’s much more tactical, whereas in the US, because it’s on a bigger scale, it’s more like ‘tell me what you’ve got, because we don’t have enough resources’,” Conner says.
According to Conner, progress is starting to be made in the US though. The DHS has recently created a cyber-centre similar to the UK’s National Cyber Security Centre, Conner explains. Likewise, the DHS recently agreed on the creation of a cybersecurity framework by the National Institute of Standards and Technology (NIST). This voluntary framework will provide security standards for private sector organisations to follow.
Yet the executive order grants NIST a year-long consultative process in order to create the framework, which will ultimately leave the US three years behind the UK.
“You’ve got some people that have already been doing that – screw Brexit or not – they’ve been doing it for two years.”
So do governments need to do more to protect against cyber threats? Absolutely, Conner says.
Often attackers are out to cause political harm. Incidents such as the hacking and leaking of emails belonging to the Hillary Clinton campaign in the run-up to the 2016 US presidential election are a good example of this. And given that a recent study by cyber risk analysis firm SecurityScorecard found that many political parties across the US and Europe are still vulnerable, this is still a big issue three years on.
However, it isn’t just cybercriminals aiming to cause political harm that governments should be worried about. Some 46% of threats detected are against businesses (the majority of which fall in the small-medium business category), and while protecting these businesses from cyberattacks may not be the direct responsibility of governments, authorities need to recognise the wider economic impact that this could have.
“If you look at the big companies in the big countries, where’s the money?” Conner asks. “The whole economy in general in the UK and the US is SMB [small-medium business].”
According to the Federation of Small Businesses, SMEs make up more than 99.9% of businesses in the UK, employing approximately 16.3 million people, or approximately 60% of the private sector workforce. SMEs account for £2tn in annual turnover, or more than 50% of all private sector income. These businesses are vital to the economy, yet extremely vulnerable to cyber threats.
“Who’s the least prepared? Probably them,” Conner claims. “And who can least afford it? You hit them, they’re out of business. They’re gone. They can’t afford £200m or $200m.”
A “false sense of security” has convinced many business owners that they’re safe from these threats. Yet, SonicWall detected more than 10 billion malware attacks in 2018, or approximately 25,000 attacks against each of its customers. Nobody is safe, and the responsibility to educate businesses falls on government authorities.
“When you look at the data, it’s kind of alarming,” Conner says. “That’s why this [the UK] government is doing a very good job of trying to operationalise that data for the UK, for SMBs and residents.”
A global response needed
However, while particular countries have made improvements in the fight against certain threats, Conner believes that a global effort is needed if good is to prevail in this cyber arms race.
“You need global integrated law enforcement, and global intel involvement to disrupt the guys that are doing it,” Conner explains. Or else, cybercriminals will simply move on to the next target.
“It’s like your house. I go rob it once, I’m going to keep coming back if you don’t do something different and you have good stuff,” Conner says. “But if I don’t go there, I’ll go to the next house.”
“The UK was a gold mine, so where do they go next? More to Germany and more to the US, where it’s just easier to get the gold.”
An impossible fight?
While, from his discussions with government authorities, Conner notes that attitudes and action towards cyber threats have progressed, he avoids claiming that the situation has improved. This cyber arms race is an “asymmetric” one that is balanced more in the attackers’ favour.
“This is where we’ve got to be careful,” Conner explains. “As much as we can do here, there’s more opportunity to disrupt.”
The average business spent $1,200 per employee on cybersecurity in 2018 according to BCG. On the other hand, cybercriminals can buy the equipment they need to launch an attack for “a few pounds”.
The 3.9 trillion intrusion attempts detected by SonicWall last year show the scale of the problem and the difficulty that businesses subsequently face coping with the fast-changing threat landscape. As Conner puts it, “you close one door and they’re going to look for the next two to go open”, as we’ve seen with the rise of cryptojacking and the use of IoT devices to create botnets.
However, the biggest threat comes from state actors, Conner says:
“If a country state wants to attack an individual, they’re going to get in. If they want to attack a company, they’re going to get in. If they want to attack a country, then it’s kind of similar to what has happened throughout history – who’s got a stronger offence and defence?”
While many would assume that the western world’s cybersecurity is up to scratch, a lack of funding and access to talent in places like the US means that ‘bad’ states “probably have an advance”.
“We’ve got great cyber offensive capabilities”, Conner explains. “But our defensive weakness is a lot of points scored on us if they go after it.”
Distractions like Brexit in the UK and the recent government shutdown in the US don’t help matters. While bad actors plot their next exploit, those in the UK and US continue to bicker over backstops and border walls, which “costs you time and resources”, Conner says.
The government shutdown saw those defending the US in cyberspace pulled off of their jobs, while Brexit will undoubtedly make it harder to achieve the cross-border collaboration that cybersecurity desperately needs.
This is perhaps the biggest problem that cybersecurity faces – those making the decisions simply don’t understand that they’re in a cyber arms race that they can’t afford to lose.
“The people that are doing this – the ground soldiers, the lieutenants and the captains – they all know what we’re playing,” Conner says. “But the higher up you go, many times, the more polarising it gets.”