Security threats aren't all the same. Although there are some widespread security events like the recent WannaCry and NotPetya outbreaks, some industry verticals are hit in more in more targeted ways. Mike Brown is RSA's vice president and general manager for the public sector. I spoke with him at the recent RSA Conference in Singapore about the threat landscape for the public sector.
"The biggest thing I'm seeing in the public sector," said Brown, "is that they've got to move to a risk based strategy. We don't know where things are going to come from. We don't know what's going to be targeted. We have seen huge losses of data that don't particularly lead one specific use. And ransomware is a significant issue for the public sector".
Brown said public sector entities are trying to work more closely with the private sector to find opportunities in order find effective ways of countering different attacks. Brown is seeing a shift from a defensive posture that sought to protect against specific types of attacks to one that is focussed on where risks lie and can adapt to changing threats more readily.
Among the new pressures within the public sector is the interconnectedness of the lives of citizens and the services they access and how they interact with government.
One of the drivers behind this change said Brown, is the expansion of the threat surface. As more devices are connected through the Internet of Things and operational technology, governments, large and small, need to reconsider how they assess risks. In some cases, that risk assessment is happening early in the project cycle while in other cases it happens later.
"Governors of states in the US, or state premiers in Australia, are recognising that they have to assess risk at the same time as they're trying to make life easier for their citizens. But, because we are in the early days, individual projects are still started without security in mind. Sometimes you have forethought but for the most part, at the strategic level you have to be talking about risk but at the tactical level it's not built in".
Some parts of the public sector, said Brown, are more adept at assessing risks as they have identified assets they hold which are of high value to attackers. For example, the healthcare sector has high-value data. But by recognising and understanding this there's a need for private and public sector organisations to work together as the responsibility is shared.
"In some cases it can lead to regulatory action or asking what needs to be done to be effective," he said.
One of the other major challenges Brown sees is with legacy systems. While health care has long battled with finding a balancing point between adopting new technology for the back office with emerging trends in devices that deliver specific therapeutic outcomes, Brown said the electricity sector is another that is hampered by legacy technology. And the transportation sector is another as it becomes more autonomous.
Driver-less vehicles, not just cars but mass transit systems, will become increasingly targeted by threat actors.
Some governments are thinking about it.
"But you know governments. They think a lot and then they try to usually legislate or regulate. That process is going on but the private sector is attempting to drive standards and best practices in a faster manner. I think there will be more of that coming down, not just for driver-less cars but creating standards for all kinds of OT that will be understood by the average citizen, that it has security built in and that it will better for them if it has the security".
Brown says he has spoken to governments about establishing a type of "seal of approval" system that will assure citizens that the products and services they buy and access, from both public and private sector entities, have a certain level of security baked in.
So, while many consumers might be tempted to buy a product or service purely on price, by demonstrating what risks might be present in using a product and that those risks have been mitigated, through a standards-based process that is clear to the buyer, then citizens can make more informed choices that will drive the market to produce more secure products and services.
Regulating this across the world will prove challenging said Brown. But he pointed to groups such as the ITU and others that have had success at producing international standards as they have not been governed by a single jurisdiction. This kind of public/private partnership might help establish standards and certification but it will take some time. He noted the US government has been working on this for almost 20 years with little success.
One of the new risks the public sector is facing is the ability of foreign governments to socially engineer elections through the mass and social media.
"Inside the US, at some point before the election, the decision was made by the secretary of DHS [Department of Homeland Security] that the election infrastructure itself is critical infrastructure. That was never thought of before. That brings, inside the US, different capabilities that the government can play. It brings regulation and other requirements when you designate in critical infrastructure".
This is symptomatic of a change that is happening across the world. As more services are being shifted to online platforms in order to increase citizen engagement the risks are changing. While electoral fraud is not new, the way it can be executed is changing. The same applies to other government services. In the past, governments could keep pace with the changes as they had mechanisms in place to control standards and how services were accessed. But as change has gathered pace, governments across the world have struggled to keep up.
This is driving governments reassess how they design, access and deliver services.
Anthony Caruana travelled to the RSA Conference in Singapore as a guest of RSA.