Fortifying Government Entities Against Cyber Threats
A Q&A with Elizabeth Roper
Safeguarding government entities against the steady flow of cyber threats requires a nuanced understanding of where legal frameworks, governance, and cybersecurity intersect. In this Q&A session, we draw on the insights of Elizabeth Roper, a partner at Baker McKenzie LLP and former Bureau Chief of the Cybercrime and Identity Theft Bureau at the Manhattan District Attorney's Office.
Roper discusses the intricacies of fortifying government entities in the face of evolving cyber threats, exploring the vulnerabilities faced by public sector legal departments and the imperative for collaboration across public and private sectors.
What factors make U.S. government entities vulnerable to cyberattacks and why are they attractive targets for cybercriminals?
Certainly, and I appreciate the focus on this critical issue. Government agencies are attractive targets for a couple of reasons. I would say first, there's inherent newsworthiness; breaches involving government entities capture widespread attention, dominating headlines and fueling collective fears about potential consequences.
Also, these agencies often have a low tolerance for downtime, a vulnerability that threat actors exploit. The fear of reputational damage and the urgency to resume operations quickly provide leverage for cybercriminals to extort victims.
And then finally, I think government offices and agencies tend to just have a lot of valuable data, right? Whether that's PII because they're collecting personal information of their employees…these are often agencies that do really robust background checks. So you have all of that data, you have data about citizens and then you also have sensitive and confidential information a lot of the time. All of which is exactly the type of data that threat actors want to get their hands on because again, it gives them leverage to extract payment. And it also captures a high dollar value on the dark web if they go to leak it or sell it.
How is the cybersecurity landscape evolving, and what strategies can legal professionals and government agencies adopt to stay ahead of cyber threats?
In some ways, the threat landscape is always evolving, yet we are also talking about some of the same principles and concepts. I want to point out one noticeable trend… that being the rise of social engineering as a vector for cyberattacks. Meaning, bad actors leverage the human element to gain someone's trust or trick someone into sharing sensitive information to enable them to launch an attack.
One of the most important things anyone can do for their organization, whether it's a government agency, or a law firm, or a business is just training.
I mean, that's not new, right? That's something that's always been a critical part of cybersecurity programs from the beginning.
But it's critically important now, because these attacks are leveraging the human element. Training people on what to look out for, letting people know that these attacks are on the rise and that they can't rely on some of the old indicators of fraud that used to be, you know, kind of reliable, to spot an attack is really important. And then just keep training your workforce, right, as these attacks evolve.
The landscape also demands the implementation of zero-trust solutions within networks, mitigating risks associated with relying on trust. Continuous adaptation, along with staying informed about evolving threats, ensures a government agency's workforce is equipped to detect and respond effectively to cyber threats.
What challenges arise in prosecuting cyber-enabled financial crime and network intrusion cases, especially when involving government entities?
It’s definitely very challenging, but I always thought that is what makes these cases fun. There is so much investigative work that has to get done upfront.
It's not like a street crime where there's often an eyewitness and you kind of know, from the outset, what happened. The “who did it” is a significant challenge in cybercrime investigations, making it difficult to identify perpetrators, especially with advanced cybercriminals using encryption and operating from overseas.
All of this becomes exponentially more challenging where attacks are on government agencies, because there is this increased sort of belief or likelihood that you're dealing with nation-state actors, right?
It's also just really difficult from the investigator's point of view to differentiate a garden variety cybercrime attack from a nation-state attack, because it's not always explicit.
And the lines can be very blurred, because a lot of times, you'll have a cyber threat group that is very pro-one nation, very anti-U.S., and outspoken in that regard. But that might not necessarily mean that it's a nation-state attack; it still could just be kind of a regular cybercrime group.
You won't always know the answer to that until, like months or years into the investigation.
That is one of the things that makes cybercrime investigations really unique, especially cybercrime investigations that involve attacks on the government.
How do government responses to cybersecurity events differ from those of the private sector, and how does this impact overall cybersecurity posture?
Really important question. In some ways, it’s the same. You’re trying to understand what happened and you're trying to rebuild, you’re leveraging an incident response plan, wrapping your head around the data that may have been impacted, and securing your network. In those ways, it’s the same.
For a government agency, there is a layer of transparency, as opposed to a business. Government responses necessitate a higher level of transparency due to the public's trust implications. Agencies must disclose breaches promptly and manage public expectations, balancing transparency with ongoing investigations.
Another point is that the limitations on paying ransoms, aligned with public policy, pose challenges, especially for critical infrastructure. The government is always going to take the position that you shouldn't pay a ransom.
Balancing transparency with effective incident response becomes crucial, with considerations of sanctions and regulatory reporting requirements influencing government decisions.
What effective strategies and collaborations can enhance cyber resilience for both government and private entities?
Public-private partnerships play a pivotal role in bolstering cybersecurity. Collaboration can occur through engagement with agencies like CISA [Cybersecurity & Infrastructure Security Agency], participating in public-private partnerships like InfraGard and the NCFTA [National Cyber-Forensics and Training Alliance], and cultivating personal relationships between CISOs and local law enforcement.
Sharing threat intelligence, participating in joint initiatives, and building trust facilitate effective collaboration.
Governments should also develop dedicated strategies for preventative cyber defense, emphasizing vendor management, risk assessment, and compliance with industry best practices.
Any final advice or recommendations for government entities to strengthen their cybersecurity posture and respond effectively to cyber incidents?
Governments should establish a dedicated strategy for cyber defense, even on a smaller scale, setting policies aligned with industry best practices. New York City has done a really great job in this regard. They have an amazing group of people leading Cyber Command and setting strategy and policy for how the city approaches cyber defense.
Obviously, not every government is the size of the New York City government or necessarily has the same resources.
But just thinking through what your strategy is around preventative cyber defense and devoting resources to preventative measures, vendor management, and risk assessments is crucial. Trained professionals should lead these efforts, ensuring compliance with frameworks like NIST.
The evolving nature of cyber threats necessitates a proactive and dedicated approach to cybersecurity.