The WannaCry ransomware attack in 2017 highlighted the systemic vulnerability of the UK’s government organisations: their networks are open, and their email security protocols are outdated and inconsistent. Two years on, they remain a soft target for cybercriminals looking to extort quick profits and nation state hackers seeking to gain an advantage in the ever-intensifying global cyberwar.
Not only are these organisations soft targets, they are also of high value to cybercrime groups. Once they bypass the typically rudimentary security controls of a government body, adversaries are able to move into the much wider bureaucratic network of councils, employees and agencies it communicates with. From there they can inflict huge damage, demanding high ransoms and bringing to a halt the digital infrastructure that manages and controls public services.
One way that criminals try to infiltrate these organisations is through their email networks. Open by default and lacking a consistent set of security standards, many of these networks are highly vulnerable to phishing, BEC scams and other forms of social engineering attacks.
Through an initiative named Active Cyber Defence (ACD), the National Cyber Security Centre (NCSC) is trying to ameliorate these endemic vulnerabilities. Central to its strategy is encouraging and helping government organisations to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), a protocol that lets the owner of a domain publish a policy telling receiving mail servers how to treat messages that claim to come from that domain but fail the SPF or DKIM alignment checks. It is a useful but limited control, and approximately two thirds of government organisations have still not deployed it.
So why aren’t government organisations doing more to protect their systems, the services they manage and the citizens they serve?
Soft targets for hard-hitting cybercrime groups
The first problem that these organisations face is being part of a huge bureaucracy of hundreds of disparate governmental departments and thousands of other external groups, which rely on email to communicate with one another. Every new, unauthenticated communication channel between groups and stakeholders presents a new relationship for attackers to hijack and an attack path to exploit.
As well as being soft targets, these organisations possess the kind of desirable data and influence that hackers can leverage to line their pockets, conduct espionage or wreak infrastructural havoc. This makes them a potentially fruitful venture for cybercrime groups which, like any business, seek to minimise costs and maximise efficiency and profits.
Despite the potentially catastrophic consequences, as typified by the WannaCry attack in 2017, government organisations’ email networks remain largely unprotected. Even the NCSC’s warning that social engineering attacks and spear-phishing are the biggest threats currently facing the UK has fallen on the deaf ears of more than two thirds of government organisations. This is in stark contrast with the 90 per cent of central government departments which have implemented DMARC.
However, those government organisations and departments that have heeded the NCSC’s advice aren’t exactly impregnable. Although it has its advantages, DMARC isn’t a silver bullet for securing email networks. It protects the owner of a domain from having that exact domain spoofed, and so helps recipients reject such forgeries, but that is the whole of its scope: it says nothing about lookalike domains, display-name impersonation, attacker-controlled domains that publish their own perfectly valid DMARC record, or mail sent from a compromised legitimate account, and it never inspects the content of a message that passes. And cybercriminals know it.
By harvesting the tens of thousands of employee email addresses that are readily accessible on governmental websites, phishers obtain both a target list and a directory of real names and roles to impersonate. A message sent from an attacker-registered lookalike domain, or from a staff mailbox that has already been compromised, passes DMARC and arrives carrying malicious files or links. This gap has the potential to cause government bodies huge financial and structural damage. By duping an unknowing employee into inadvertently downloading malware via a malicious link, or disclosing a large dataset containing citizen information, attackers can continue to infiltrate, and extract from, fragile email networks.
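To make the scope of DMARC concrete, the following Python is an added illustration written for this edit (not code from the author, BitDam or the NCSC). It evaluates the receiver-side DMARC decision described in RFC 7489 against a handful of constructed `_dmarc` TXT records for fictional domains (no DNS lookups are made, and the simplified public-suffix list stands in for the real one), then runs the deliveries discussed above: an exact-domain spoof, legitimate mail from a subdomain, an attacker-owned lookalike domain, a lookalike with no record at all, and a compromised account.

```python
"""Offline DMARC policy evaluation (RFC 7489 semantics) on constructed records.

Illustration only: the TXT records and domains below are made up for this
example, and PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List.
"""

# Constructed _dmarc TXT records for fictional domains (not real DNS data).
DMARC_RECORDS = {
    "examplecouncil.gov.uk": (
        "v=DMARC1; p=reject; adkim=r; aspf=r; "
        "rua=mailto:dmarc-rua@examplecouncil.gov.uk"
    ),
    # Attacker-registered lookalike: it publishes its own, perfectly valid policy.
    "examplecouncl.gov.uk": "v=DMARC1; p=reject",
}

# Simplified public-suffix list (assumption for this example; real code uses the PSL).
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "uk", "com", "org", "example"}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must carry v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label below the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def lookup_policy(from_domain: str):
    """Record discovery: the exact From domain first, then its organisational domain."""
    for candidate in (from_domain.lower(), organizational_domain(from_domain)):
        if candidate in DMARC_RECORDS:
            return parse_dmarc(DMARC_RECORDS[candidate])
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False) -> str:
    """Disposition for one message: 'pass', 'none' (no policy), 'quarantine' or 'reject'."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return "none"  # no record published: nothing for the receiver to enforce
    spf_ok = spf_pass and spf_domain is not None and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


def scenarios() -> dict:
    """Five deliveries to a council inbox; only the first is something DMARC stops."""
    return {
        # Exact-domain spoof relayed from attacker infrastructure: SPF domain is unaligned.
        "exact_spoof": evaluate("examplecouncil.gov.uk",
                                spf_domain="mail.attacker.example", spf_pass=True),
        # Legitimate bulk mail whose bounce address is a subdomain: relaxed SPF alignment.
        "legit_subdomain_spf": evaluate("examplecouncil.gov.uk",
                                        spf_domain="bounce.examplecouncil.gov.uk", spf_pass=True),
        # Lookalike domain the attacker owns and signs for: passes its OWN policy.
        "lookalike": evaluate("examplecouncl.gov.uk",
                              dkim_domain="examplecouncl.gov.uk", dkim_pass=True),
        # Lookalike with no DMARC record at all: no policy, so no enforcement.
        "unprotected_lookalike": evaluate("examplecouncil-gov.uk"),
        # Compromised staff mailbox: the mail genuinely leaves the council's servers.
        "compromised_account": evaluate("examplecouncil.gov.uk",
                                        spf_domain="examplecouncil.gov.uk", spf_pass=True,
                                        dkim_domain="examplecouncil.gov.uk", dkim_pass=True),
    }


if __name__ == "__main__":
    for name, disposition in scenarios().items():
        print(f"{name:22} -> {disposition}")
```

Only the exact-domain spoof is rejected. The lookalike passes because DMARC asks the sender's domain owner, and the attacker is that owner; the compromised account passes because the message is exactly what it claims to be. Neither outcome says anything about the link or attachment inside, which is the gap the rest of this article is about.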
Following the phaseout of the Government Secure Intranet (GSI) platform in March, government organisations are even more susceptible to these kinds of threats than ever. A network that enabled secure electronic communication for over ten years, GSI was vital in providing baseline protection to all bodies and agencies within its network. In preparation for this change, the UK Government Digital Service (GDS) strongly endorsed the implementation of DMARC. However, without the authority to mandate it, this advice has fallen on mostly deaf ears. For those organisations that have ignored it, this could prove detrimental.
Targets of high value
By infiltrating one government organisation, cybercriminals might also endeavour to gain access to the much greater network of systems and employees it is part of. Doing so provides them with greater access to proprietary data and infrastructure and the subsequent power to cause detrimental financial, operational or political damage.
The damage caused by the WannaCry ransomware attack was so widespread and severe, hitting more than 200,000 computers across the globe including thousands across the NHS, that it is still being felt today. The cause? Unpatched systems: WannaCry spread by exploiting a Windows SMB vulnerability for which Microsoft had published a fix (MS17-010) two months earlier, so organisations that had kept up with security maintenance and procedure were not affected.
What government organisations need to do next
Fundamentally, it is the responsibility of each government organisation to secure its email network, the individuals that comprise it and the information and data that they manage and share through it. While the NCSC can provide advice and guidance on how to do so, it cannot mandate that these changes are actioned within a certain timeframe or to any minimum standard, as the Department of Homeland Security has done in the US, where Binding Operational Directive 18-01 required federal agencies to deploy DMARC to an enforcing policy. Without external pressure, and given the inherent slowness of governmental bureaucracy and the prioritisation of other, more “urgent” tasks, government organisations lack both the impetus and the resources to act. The continuing failure to do so could prove an even greater drain on their resources and continuity in the long run.
Therefore, rather than waiting to be hit by an attack, government organisations need to adopt a more proactive approach to email security. However, it is evident that, as spear-phishing and other social engineering techniques increase in number and sophistication, DMARC is not capable of holding back the tide. What is required is an advanced threat protection solution that can detect threats as attackers tweak and transform them.
Maor Hizkiev, CTO and Co-Founder, BitDam