In 2014, the office of personnel management of US government was breached and records of about 18 million people were hacked. In India, four government websites were hacked and Aadhaar data (India’s social security scheme), of 130 million people was exposed. In 2015, Australian Department of Immigration was hacked. Japan’s pension system was breached in 2012 and data of about 1.25 million people was exposed. These are just a few examples. It seems government systems all over the world are prone to cyber-attacks and are a favorite with hackers. Despite being the most powerful body of the nation, with brilliant minds and all the country’s money at their disposal, they still cannot defend themselves against cyber attacks. Here are some reasons why cyber criminals target government databases and websites.
1. Lack of understanding: Government agencies are not in the business of IT. Except for defense, other departments usually lag in adoption of technology and aren’t so tech savvy. Technology is often pushed top down in government departments due to which it is challenging for people on the ground to understand the risks that are associated with the systems. They also have very little knowledge about malware, ransomware, data theft techniques, social engineering and other security threats. With such little understanding within a department, it is highly unlikely that the staff can take enough precautions to protect itself.
2. Complacency: Complacency is one of the biggest issues with almost all government departments. With no sense of urgency, government departments are one of the slowest organizations to change. Cyber defense, on the other hand, requires people to be proactive and nimble – constantly looking out for threats. Most departments look at IT or security authority for directions and implement them without thinking. They go through the checklist and absolve themselves of their responsibility. This makes them highly vulnerable to cyber threats.
3. Silos: Like most corporations, government departments also work in silos. There is minimal information sharing, other than what is mandated by authorities. Also, the channels of communication are slow and many times inefficient. It is bad news for cyber defense. For an active defense, the threat information, threat intelligence, and learnings must be shared across the organization at rapid speed. The bureaucratic communication medium is a hindrance to adopting best security practices. (For example, for encryption to work effectively, the encryption key must be changed periodically and communicated to the parties. However, slow communication of the key will stop the information transfer until the key is exchanged, which in bureaucratic mode will take longer than acceptable time).
4. Power structures: The power structures in bureaucracy hinders the adoption of best possible solutions for cybersecurity. The government power structures are a reality that cannot be ignored, but the IT units need to work independently of such structures. Many governments have started realizing this and have begun carving out a separate IT department that will be responsible for overseeing IT in all departments including the IT security.
5. Financial constraints: Governments possess and controls huge money for their respective countries but are starved for cash for their own use. Across the world, governments are perpetually short of money that is required for their operations. Due to this, various essential operational requirements take a back seat. Cybersecurity is one of them. With new threats rising every day, cybersecurity needs a dedicated budget to upgrade the security infrastructure continuously and also to train the employees to combat the new threats. Unfortunately, this rarely happens leaving government IT infrastructure prone to hacks and leaks.
Bureaucracy, lack of funds and lack of initiative are the most common reasons that lead to hacking of government IT systems. Since the government systems hold highly sensitive data, which if breached, can cause havoc, they should focus much more on cybersecurity than any other commercial establishment. Unfortunately, the reality is quite different, and it must change at a fast pace if the governments intend to keep their country and countrymen safe from the demonic cyber threats.