A string of cyber attacks in Europe has amplified concerns about the threats to public sector targets.
Over the last week alone, reports have emerged of hackers disrupting Denmark’s train network, cybercriminals targeting various European ministers, and commercial spyware surveilling Greek politicians. While the variety of methods, targets, and motivations suggests the attacks are isolated events, they’ve further exposed the vulnerabilities of government targets.
The attacks form part of a growing trend. Between 2018 and 2021, the number of serious cybersecurity incidents on EU institutions reportedly increased more than tenfold. Oliver Pinson-Roxburgh, CEO of cybersecurity platform Defense.com, views the recent incidents as part of a broader pattern.
“For a bad actor, 21st-century public sector systems are an attractive prospect,” he said. “This is because they can hold more sensitive data than commercial organizations, and there’s generally a greater reliance on outdated legacy systems that pose far greater risk to security than modern systems.”
Last week, EU cybersecurity agency ENISA reported that 24% of cyber attacks studied over the previous year had targeted public administration and governments. The strikes ranged from zero-day exploits of software vulnerabilities to AI-enabled disinformation attacks.
Ian McShane, VP of strategy at cyber firm Arctic Wolf, was struck by the variety of attacks exposed in the report.
“While ransomware remains a major risk to European governments and enterprises, the wide range of threats being called out by ENISA shows how difficult the challenge is continuing to be for the hard-pressed security teams in businesses up and down Europe,” he said.
Changing threats in a changing world
The risks have been exacerbated by global events. Most notably, the pandemic accelerated our transition to digital public services, while the invasion of Ukraine has intensified the threat of cyber espionage.
“The risk hasn’t changed. It has got worse,” said Jason Steer, CISO at Recorded Future, a threat intelligence firm. “Governments, like businesses, are much more digitally dependent and the vectors for doing this have shifted hugely. As a result, the opportunities for online criminals have increased where the attack surface has massively grown.”
The public sector can also provide alluring targets for attacks. Governments have long been accused of underinvesting in defenses, while the salaries they offer for cybersecurity jobs can’t compete with those available in the private sector.
“Government can be seen as an easier target than the private sector, as businesses have invested heavily in security over recent years,” said Paul Baird, Chief Technical Security Officer at Qualys and a fellow of the Chartered Institute of Information Security.
“When the private sector has put so much money in, it has removed a lot of the low-hanging fruit that existed for malware gangs, and so they are looking for other targets.”
The public sector’s vast size and variety of antiquated technologies add further vulnerabilities. The mixture of these systems with modern IT has left a huge range of digital assets that are hard to understand and secure.
Dr Ilia Kolochenko, the founder of security firm ImmuniWeb and a member of Europol’s Data Protection Experts Network, notes that the array of shadow IT and non-interoperable legacy systems is hard to secure.
“A growing number of compromised and backdoored governmental systems are now available for sale on the Dark Web, being occasionally purchased by cyber gangs to be used as proxies in meticulously planned cyber attacks, which are hard to investigate and attribute,” he said.
How does Europe combat the cyber threat?
Experts have called for increased funding to mitigate attacks. They also want public sector organizations to develop more systematic defensive programs, proactively hunt for threats, and collaborate more closely with businesses.
McShane recommends that public sector organizations take a three-pronged approach: first, adopting solutions that reduce the burden on security teams; second, working with outside professionals to improve security; and finally, building on existing information-sharing agreements between governments, such as the EU Cyber Rapid Response Teams, and coordinating resources.
The growing range of attack vectors will also require specific forms of defense. Zac Warren, Chief Security Advisor at endpoint management firm Tanium, wants data protection to be a priority. This is particularly important when it involves national security issues, such as information on military applications.
“Governments need to quickly assess their ability to protect their data,” he said. “They need early warning systems to know quickly if their IT environment has been breached — and the ability to monitor and control any bad actors that do enter the system to ensure they don’t steal data. I expect the cyber aspect of the conflict to intensify and the impact of this will reach far further than Ukraine.”
The attack on the Danish train operator, meanwhile, further highlighted the risks posed by complex supply chains. The incident came just months after another supply chain attack brought down critical services across the UK’s National Health Service.
Pinson-Roxburgh warns that the growing complexity of IT supply chains is increasing the potential vulnerabilities.
“When vetting potential suppliers, procurement teams — particularly at larger organizations — now view due diligence on information security as a fundamental component,” he said. “Businesses should think carefully before using any supplier that fails to follow cyber best practices and risks exposing the businesses to new vulnerabilities.”
Analysts have also pointed to a need for better education. This appears particularly urgent for European politicians, who are now frequently falling victim to hacks. The ignominy caused by these attacks will hopefully convince more lawmakers to ramp up their defenses.