Welcome to the cybersecurity leadership and management course. Today we will be discussing the cybersecurity strategy alignment framework in government agencies, and we will also be discussing lessons learned. My name is Cicero Chimbanda. I am your instructor for this course. Cybersecurity strategy alignment framework in government agencies: lessons learned. The topics that we will be discussing in this course are regulations in government agencies. We will also talk about a government agencies use case with lessons learned, and then also apply the lessons learned to frameworks. Let us begin.

Cybersecurity regulations in government agencies: overview. The ever-growing challenge to protect critical data, especially in the era of the Internet of Things, mobile, and cloud-based work environments, is leading an increasing number of federal agencies towards zero trust security models to better address the needs of today's digital, robust world. Cybercrime in the US has increased. Cyberspace is the underlying infrastructure, vulnerable to a wide range of risks stemming from physical threats to cyber threats to natural disasters. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money, and frankly to develop capabilities to disrupt, to destroy, and to threaten essential mission-critical services.

We will look at the seven biggest government cyber attacks in the last seven years for government agencies, not just in the United States but all over the world. These are the seven from an article that was published. In 2011, the Paris G20 summit: an email containing a PDF attachment infected with malware was sent out around the French Ministry of Finance. The virus infected around 150 computers with access to confidential G20 data. In 2012, the US Office of Personnel Management: two separate attacks were launched on the US Office of Personnel Management between 2012 and 2015.
Hackers stole around 22 million records, including Social Security numbers, addresses, and even fingerprint data. In 2014, Aadhaar: personal information including email addresses, phone numbers, and even thumbprints and retina scans for over one billion Indian citizens was stolen from the Aadhaar database. The data was reported to have been sold online for as little as six pounds. In 2015, German parliament offices: sixteen parliamentary offices, including that of the German Chancellor, Angela Merkel, were compromised, with mailboxes copied and internal data uncovered. In 2016, we have the US Clinton campaign: the personal email account of John Podesta, chairman of Hillary Clinton's US presidential campaign, was compromised, and over 20,000 emails were leaked, potentially derailing the campaign, which she ultimately lost. The DNC, or Democratic National Committee, was targeted in the same year. Around 20,000 emails from key staff were confiscated, and these were confidential. In 2017, Ukraine: government officials stated that malware was planted on popular Ukrainian tax update sites, spreading across the finance and services sites and even reaching the US, UK, Germany, France, and other countries. The virus, dubbed NotPetya, infected computers and wrote over files. Lastly, 2018, Northern Ireland department offices: the Northern Irish parliament was hit by a brute force attack which gave hackers access to members' mailboxes. The parliament IT department were able to disable the compromised accounts, and staff were urged to make their passwords longer, with a greater combination of letters, numbers, and special characters. Again, these are published on the Swivel Secure website, under government types of cybersecurity attacks. As you can see, it is of the utmost importance for nation states and governments to secure their infrastructures because of the type of actors that are trying to compete for some of their resources.
In the United States, here are some regulatory laws, bodies, or agencies that protect the United States from cybersecurity and natural events. As I mentioned earlier, the Department of Defense, which is a government agency, military in nature and security, is a regulatory agency. It basically focuses on defense federal acquisition. They have laws, and if you breach those, the penalties can result in debarment from doing business with the Department of Defense. The Department of Homeland Security has a vital mission to secure the nation from the many threats. It had about 240,000 employees as of 2020. For cybersecurity, it uses a wide range of goals to protect and keep Americans safe. The Cybersecurity and Infrastructure Security Agency is another arm of the Department of Homeland Security. Its main focus is to defend critical infrastructure against the threats of the day while working with partners across all levels of government and the private sector, and against the risks of tomorrow. Obviously, all this is from their respective sites. The Food and Drug Administration is a regulatory body that enforces the regulations for food and drugs, and it conducts investigations and audits. Then we have others we've talked about previously, the Financial Industry Regulatory Authority and also the Federal Trade Commission. Again, these are regulatory bodies or agencies that regulate some parts of the United States to protect its citizens from cybersecurity breaches or natural disasters. Let's continue.

Cybersecurity use case in government agencies: lessons learned. We're going to look at a breach that happened in 2015. This was against the US voter database. It was a breach that actually exfiltrated about 191 million records. It was done to the government agencies. The breach actor was actually an insider threat, if you will.
It was an oversight where the database was incorrectly configured and exposed on the open Internet. Some of the technologies that were breached, violated, or used were private messenger, file transfer protocols, databases, the open Internet, and obviously the data that was exfiltrated. The breach was one of the largest government data breaches to date. The type of data that was exfiltrated was personal information: names, dates of birth, party affiliations, emails, addresses, and more. These were all voter registrations in the 50 states, including the District of Columbia. The breach was detected by a white-hat hacker who uncovered a database sitting on the web containing all of this personal information. This individual, Chris Vickery, found the database and told Forbes about it, and it was disclosed. They went back and tried to figure out what happened and who did it, and it's still unclear specifically who it was that let out that information. They think it was third-party vendors. Nevertheless, there were penalties associated with this. Around 2016, around the presidential election, there were some class action lawsuits against Deep Root Analytics, one of the corporate firms that it pointed back to, and basically they were forced to go out of business; they were unable to survive based on legal costs and bad publicity. Again, the lesson learned from this particular breach is cloud security. Even if you have a very good cloud provider, you must take extra precautions to harden your data in a cloud solution. One solution is to encrypt data. The lesson learned was that they basically put unencrypted data in the cloud, and so when Deep Root placed the data on the server, it was free game there.
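The two configuration mistakes behind this breach, a data store readable by anyone on the open Internet and nothing encrypted at rest, are the kind of thing a routine audit of the storage configuration can catch before a researcher does. The following Python is an added example for this page; it is not code from the course or from anyone involved in the case. The bucket descriptions are constructed test data shaped loosely like AWS S3 bucket policies, and the field names PublicAccessBlock and ServerSideEncryptionConfiguration are assumed labels for the corresponding settings rather than a real API.

```python
"""Audit a cloud storage bucket description for anonymous read access and
missing at-rest encryption.

Added illustration, not part of the course. The bucket descriptions at the
bottom are constructed test data: they are shaped like AWS S3 bucket policies
but were not pulled from any real account, and the top-level field names
(PublicAccessBlock, ServerSideEncryptionConfiguration) are assumed labels."""
import json

# Principal values that grant access to everyone, authenticated or not.
# (A principal of {"AWS": ["*"]} is not handled here; extend as needed.)
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
# Actions that let the principal read objects. Compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string/dict or a list of them."""
    return value if isinstance(value, list) else [value]


def public_read_statements(policy):
    """Return the Sid (or index label) of every statement granting anonymous read."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (source IP, VPC endpoint, ...) narrows the grant. Treat it
        # as "needs manual review" rather than an outright public exposure.
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def audit_bucket(bucket):
    """Return a list of human-readable findings for one bucket description."""
    findings = []
    policy = bucket.get("Policy") or {}
    if isinstance(policy, str):          # policies are often stored as JSON text
        policy = json.loads(policy)
    for sid in public_read_statements(policy):
        findings.append(f"{bucket['Name']}: statement {sid} allows anonymous read")
    if bucket.get("PublicAccessBlock") is not True:
        findings.append(f"{bucket['Name']}: public access block is off")
    if not bucket.get("ServerSideEncryptionConfiguration"):
        findings.append(f"{bucket['Name']}: no default at-rest encryption")
    return findings


# Constructed: how an exposed, unencrypted voter file might have been configured.
VOTER_FILE_BUCKET = {
    "Name": "voter-file-2015",
    "PublicAccessBlock": False,
    "ServerSideEncryptionConfiguration": None,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::voter-file-2015",
                         "arn:aws:s3:::voter-file-2015/*"],
        }],
    }),
}

# Constructed: the same bucket after hardening. Only a named role may read,
# plaintext transport is denied, and a KMS key (assumed alias) encrypts at rest.
HARDENED_BUCKET = {
    "Name": "voter-file-2015-hardened",
    "PublicAccessBlock": True,
    "ServerSideEncryptionConfiguration": {"SSEAlgorithm": "aws:kms",
                                          "KMSMasterKeyID": "alias/voter-file"},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::voter-file-2015-hardened/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }, {
            "Sid": "AnalystsRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::voter-file-2015-hardened/*",
        }],
    }),
}

if __name__ == "__main__":
    for bucket in (VOTER_FILE_BUCKET, HARDENED_BUCKET):
        for line in audit_bucket(bucket) or [f"{bucket['Name']}: no findings"]:
            print(line)
```

Run against the constructed data, the exposed bucket produces three findings (the anonymous-read statement, the missing public access block, and the missing encryption) and the hardened one produces none. The check deliberately skips conditional grants instead of calling them safe: a statement such as the transport-only deny above is fine, but an Allow with a loose condition still deserves a human look.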
The next lesson learned is threat awareness: the US intelligence chief tried to reassure the public that securing US elections from outside interference is a top priority. Continual communication of threat awareness to the public is one of the lessons learned from this particular breach. The second one is getting the federal government engaged: the Department of Homeland Security strengthened its relationship with the states. In fact, in 2018, about $380 million from the federal government was distributed to the states to enhance their cybersecurity postures. Voting machines: some state and local election offices upgraded voting equipment. It was estimated that 60 million people continued to use electronic machines, and so it was important that the Senate report urged states to ensure ballots and machines produce paper records allowing voters to verify their selections. Voting machines were an agenda item for hardening. Safeguarding campaigns: there was a certain awareness of the threat, and higher up in Homeland Security, campaigns were given intelligence and resources to help safeguard each campaign. Social media disinformation: since 2016, social media platforms have invested in efforts to combat misinformation, identify online imposters, and root out any foreign interference in domestic elections. Some examples: Twitter stopped accepting political ads, while Facebook began verifying and identifying ad buyers. Google made it harder for advertisers to target audiences based on specific characteristics, such as their voting record or political affiliation. Again, some of these were lessons learned from the 2015 voter database breach.

Another use case that we'll look at, with lessons learned, is a natural disaster event. This particular event was a hurricane, Hurricane Sandy in 2012.
This is a report from FEMA, the Federal Emergency Management Agency, which reported $70 billion in damage and about 250 fatalities. Hurricane Sandy was a Category 3, and it made landfall along the East Coast. It was known to be the second largest Atlantic storm on record, affecting from Florida all the way to Maine. New York and New Jersey were heavily hit by rain, strong winds, and record storm surges. The storm was forecast by the European Centre for Medium-Range Weather Forecasts in the UK a week before it arrived. Nevertheless, the response was really not up to par, as it still hit New York City and there wasn't a lot of cooperation. Some of the penalties that were suffered: the Department of Homeland Security spent about $25.5 billion for recovery just for New York and New Jersey. The overall damage, as mentioned, is about $70 billion. Some of the technologies that were affected were power grids, critical public and private infrastructure, water, sewage, healthcare, banking exchanges, and the markets. There was a major impact. These were some of the lessons learned that were published. Better notification and awareness, or enhancement of it: Sandy was actually predicted by the European Centre for Medium-Range Weather Forecasts in the UK a week before it arrived, but in the wake of Superstorm Sandy, much of New York City was not ready; it plunged into darkness. The other lesson learned is evacuation. New York City was the last city to call for evacuation. They called for evacuation about eight hours before they shut down the subways. The storm was already coming, and people waited as long as possible. They were using the Hurricane Irene model, and there was bad communication. Social media was basically misinformation, saying that it might have been a tropical storm or a tropical cyclone. There wasn't a lot of clear, centralized, unified communication.
In fact, people were using Facebook and Twitter to listen to amateur meteorologists who were giving false information about the storm. One of the things learned is that the National Hurricane Center had to centralize and be more succinct and direct in its communication during storms. Storms can cause power outages. Sandy certainly did, and it impacted hospitals where they didn't have generators available. Patients had to be evacuated, transported, or transferred, and this was a major impact. A lot of hospitals and critical services now have power grid and generator backups to be able to sustain things like a storm. The other one is improving infrastructure to better adapt to heavy storms: parks, waterfront buffers, infrastructure like the electrical grid, emptying lower basements of skyscrapers, parking in basements, housing along the waterfront. All these were areas that were looked at to improve and change some of the infrastructure along the Hudson River. We consider increasing costs, increasing budgets for risk management work. It was found that, on average, every dollar spent to make infrastructure more resilient went against four dollars of savings in post-storm costs. These were case studies that were done by organizations in New York, and they made that case.

This is the applied NIST framework for government agency cyber risks. Let's look at the phases of the NIST framework. As we know, there's identify, protect, detect, respond, and recover. We've covered this in other courses, but let's look at the voter data breach. How do you apply NIST? Cloud security, as we talked about, would apply to protecting: hardening the data, encrypting data that's in a cloud service. The other one is threat awareness: the communication of threats, notifying of a threat, identifying threats. That is at the identify level.
Federal engagement, where the federal government provided more funding to the states, was post-event, or recovery. Then hardening of voting machines, again to protect, and safeguarding of campaigns: notifying and detecting any fraudulent or ill intent toward campaigns, detecting any malicious or questionable misinformation activity. Then lastly, social media disinformation; this was responding: making sure that disinformation is countered, deleting or filtering out or even disabling accounts that provided disinformation. In the FEMA case, more of a natural disaster, obviously, better notification systems. This was identifying the issues early on. The other one was the evacuation, the response: improving how quickly you respond to a disaster, having enhancements there. Power outages: protecting the grid, having redundancy, generators, and the like. Infrastructure: building better infrastructure, again, to protect. And lastly, the costs: putting more budget, more investment into hardening or preparing the city for storms like Hurricane Sandy. This concludes our course for today. Thank you, and we will see you next time.