Recent serious incidents demonstrate that public administrations are an increasingly frequent target for cyberattackers, and the trend seems to suggest that this will only increase. To find out what strategies are used by these administrations to mitigate such incidents, as well as what measures can be taken to improve their protection, we spoke to Antonio Grimaltos. Antonio is a technician at the Security Office of the Ministry of Universal and Public Health in the Generalitat Valenciana and is a public sector cybersecurity expert.
We’ve recently seen cases of severe cyberattacks on public administrations, from municipalities such as Baltimore and Jerez, to data leaks affecting the Chilean police force. Generally speaking, are public administrations sufficiently protected?
Antonio Grimaltos: In general, we are not sufficiently protected. There are several reasons for this. Firstly, our administrations are like an elephant, and in order to move this elephant, you need a great deal of force. But the thing is, we don’t have enough cybersecurity positions as such.
Secondly, it is also the case that the law on public administration contracts hinders or delays the adoption and purchase of cybersecurity solutions. Administrations tend to prioritize transparency in operations, which could be detrimental to efficiency and to the level of cybersecurity, since purchases of over €15,000 require a public tender, where economic criteria end up having more weight than technical criteria.
On the other hand, what practical risks would cyberattacks pose to critical infrastructure in our environment? Could there be cases when citizens see basic services interrupted?
A.G: The Critical Infrastructure Protection Law defines which infrastructure is considered critical, and a state organization, the CNPIC, determines what is critical based on this law. What’s more, the European Union’s NIS Directive added some essential services that may not have to be provided by critical infrastructure. These essential services are the ones we need to pay special attention to when it comes to protection. In the case of water services, it is vital to ensure the water supply. In terms of healthcare, this service could be primary and specialized care for patients.
This is why there is no doubt that essential services could be affected by a cyberattack. In this sense, it is up to us to provide the solutions. However, it is often the case that these solutions are highly complex, such as when they involve the entire network, because there is not enough backup to keep the whole system operational. At other times, it is very simple; for example, having backup computers and laptops not just in the facilities but also in vehicles such as ambulances.
In this sense, how important is the coordination between different public organizations, authorities, and public-private collaboration to achieve the best possible cybersecurity for public administrations?
A.G: Collaboration between all institutions and organizations is essential, but most important of all is for us to share as much information as possible when incidents occur. Likewise, we must act with regard to other non-public entities, such as private hospitals, for example.
Generally speaking, we should share everything between public institutions, private organizations, and entities such as INCIBE-CERT [Spanish national CERT]. This is why it is so important to have a single incident reporting guide, because we need to encourage information sharing in order to be as productive as possible.
What role do public officials and employees play in public administration cybersecurity? Are they usually sufficiently aware of the issues and prepared to deal with them?
A.G: First, it’s important to distinguish between cybersecurity experts and users, who, in public administrations, are the civil servants themselves. Then, it’s important to remember that we’re at war: war against cyberattackers.
So if we educate our users, inform them, and train them with good cybersecurity practices, we’re creating thousands and thousands of “human firewalls”. If all users can recognize phishing emails, and know how to spot malicious files, it will save experts and public administration a lot of headaches. Without them it is impossible to win this war.
This is why I think the Spanish National Cryptological Center should someday consider giving a collective award to all public employees who work in cybersecurity, from the smallest municipalities and villages to other, larger administrations. They work miracles with what they have. We should thank them, because in our field, if there are no cyberattacks, there is no recognition, but when we suffer a serious cyberincident, all of the responsibility falls on us.
What are the main differences in cybersecurity prevention measures between public bodies and large organizations?
A.G: In the end, the preventive measures have to be the same, since in private organizations, the incidents are very similar. The difference is that in private organizations, CISOs have achieved a certain level of decision making and autonomy, while in our case, we come up against many prior consultations that are subject to politics before a decision can be made. However, this is already changing, and the WannaCry incident, which hit many public administrations, is one of the reasons. That is, the management and politicians must also be aware of cybersecurity so that we can all become more efficient.
Are more proactive cybersecurity strategies, such as threat hunting, relevant in this area?
A.G: I think that right now, we’re not fully prepared to undertake that task. But a time will come when all public administrations will need to have truly proactive strategies, with investigative capacities to be really preventive and to be able to tackle cyberattackers at their level. In fact, I have a theory that, with the recent cyberattacks on city halls, hospitals and other public organizations, cyberattackers are carrying out reverse investigative work: they are measuring our response capabilities.
In light of this, the only advantage we have in this regard is the National Security Scheme (ENS) that, as Javier Candau, head of the Cybersecurity Department at the National Cryptological Center, says, “The ENS turns an easy-to-attack organism into an easy-to-defend organism.”
In terms of prevention, how can public administrations deal with cyberattacks that get around the most common cybersecurity measures, such as Living off the Land attacks, or fileless malware?
A.G: I think that public administrations are still not prepared for the complexity of these attacks, which technologies such as Cytomic’s can detect and block. The fact is that, so far, we’ve been very lucky. However, as it happens, most of the cyberattacks involving Emotet, which hit many public administrations, used an email that seemed to be a legitimate email thread as an attack vector. This is why we need tools that are able to go further, and real endpoint protection, which monitors lateral movements beyond the internet and servers, such as computers from outside the organization and external devices.
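The fileless and Living off the Land attacks Grimaltos refers to, including the Emotet campaigns that arrived as a reply to a real email thread and launched from an Office document, usually show up on the endpoint as a trusted program spawning a built-in scripting host with obfuscated arguments. As an added example (not part of the interview, and not Cytomic's or any other vendor's code), the Python below runs two simple detection rules over a few constructed process-creation events; the log format, host names and command lines are all made up for the illustration.

```python
"""Added example: Living-off-the-Land detection over endpoint process-creation events.
Not from the interview or any vendor; the log format and sample events are constructed."""
import re
from dataclasses import dataclass

# Trusted user-facing programs that should rarely launch script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries commonly abused so that no new file has to be dropped.
LOLBINS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "cmd.exe"}
# Argument patterns typical of fileless launches (obfuscation, hidden windows, downloads).
SUSPICIOUS_ARGS = [
    re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 payload
    re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biex\b)", re.I),
    re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)", re.I),
    re.compile(r"-urlcache", re.I),  # certutil used as a downloader
]


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_events(log_text):
    """Parse the constructed 'host|parent_image|image|cmdline' log format."""
    events = []
    for line in log_text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append(ProcessEvent(host, parent, image, cmdline))
    return events


def score_event(ev):
    """Return the names of the rules that fire for a single event."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    rules = []
    # Rule 1: an Office application launching a script host (the Emotet-style chain).
    if parent in OFFICE_APPS and child in LOLBINS:
        rules.append("office_spawns_lolbin")
    # Rule 2: a script host launched with arguments typical of fileless tooling.
    if child in LOLBINS and any(p.search(ev.cmdline) for p in SUSPICIOUS_ARGS):
        rules.append("lolbin_suspicious_args")
    return rules


def detect(events):
    """Run both rules over every event and collect the findings."""
    findings = []
    for ev in events:
        chain = f"{ev.parent_image.rsplit(chr(92), 1)[-1]} -> {ev.image.rsplit(chr(92), 1)[-1]}"
        for rule in score_event(ev):
            findings.append(Finding(ev.host, rule, f"{chain}: {ev.cmdline[:80]}"))
    return findings


# Constructed sample telemetry: one benign document open, one macro launching an
# encoded hidden PowerShell, one legitimate admin script, one benign rundll32 call.
SAMPLE_LOG = r"""
pc-01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\ana\invoice.docx"
pc-01|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
pc-02|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1
pc-03|C:\Windows\System32\services.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
"""

if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Only the second event fires, and it fires on both rules: the parent/child chain alone is enough to alert even when the command line is fully obfuscated, and the argument rule still catches a hidden, encoded PowerShell launched from a parent that is not on the Office list. Neither of the legitimate script-host launches is flagged, which is the balance an endpoint rule set has to strike in an administration where civil servants and administrators run scripts every day.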
Finally, to what extent is it important for public administrations to have proactive cybersecurity solutions with measures on the endpoint?
A.G: It is vital for us to be able to protect the endpoint at all times and wherever it is. Many public employees, from cybersecurity professionals to doctors, sometimes have to use computers outside our workplaces, and we need to ensure that everything is safe and clean. This way, public administrations will also work much more efficiently.