National digital leaders on the role of governments in cybersecurity
Delegates at the Government Digital Summit in Ottawa in October 2023
Cybercriminals and hostile intelligence agencies present an ever-growing risk to the systems, assets and reputations of both private and public sector organisations. At the Government Digital Summit, national IT chiefs identified the keys to security in a perilous digital world.
Cybersecurity is “a whole-society effort essential for digital transformation”, said Ann Dunkin. In her role as chief information officer of the USA’s Department of Energy, Dunkin oversees the complex ecosystem of public and private bodies managing crucial elements of America’s infrastructure, from nuclear power stations to oil pipelines.
Protecting these dispersed and diverse systems demands close collaboration across organisational boundaries: in this interconnected world of mutual dependencies, any weak point can give hostile actors access to the whole network. When assessing their organisation’s vulnerability to cyber-attack, she comments, IT leaders “used to use the bear in the woods analogy, and say: ‘I’ll just be faster than the other guy’. We can’t operate that way any more.”
For this reason, “when you look at the National Cybersecurity Strategy that the US government put out last year, one of the key points we made is that cybersecurity is a team sport”, Dunkin continued. And she argued that central governments must step up as captains of their national teams: “Government and large corporations have an essential role to play in this process. It’s unreasonable to expect small companies, individuals, and local and municipal governments to protect us,” she said. “We have to work together, and the responsibility has to lie where people are most capable of doing the work.”
Given the global nature of this threat, international relationships are key to combatting it – and the Government Digital Summit, where Dunkin was speaking late last year, was established in part to build those relationships. Bringing more than 50 senior digital leaders from 15 countries to Ottawa for private discussions on the common challenges they face, the event hosted a wide-ranging debate on the growing cyber risks facing public servants everywhere.
No chink in the armour
The National Cyber Threat Assessment 2023-24, produced by the host nation’s Canadian Centre for Cyber Security, makes clear that several factors are combining to magnify the threat presented by cyber-attacks. These include the pandemic-driven shift to remote and home working, the explosion in connected devices via the Internet of Things, and the extension of business processes to include external organisations such as cloud suppliers and managed service providers.
Alongside these growing structural vulnerabilities, the report warns, we are seeing continuing efforts by hostile states to weaken and attack democratic nations’ digital operations. “Nation state-backed cyber actors” are, it says, “developing the ability to disrupt the critical systems of Canada and our allies” – sometimes by implanting weaknesses in national infrastructure. One participant warned about the development of ‘living off the land’ techniques, which create vulnerabilities without relying on the kinds of malware that can be combatted by traditional antivirus technologies.
Meanwhile, the report says, these state-backed actors spread disinformation “to influence international populations and exploit social divisions”. Russia is particularly active in this space, and its techniques will grow more potent with the development of AI technologies able to create highly convincing audio and video in real time.
Read more in this series: Taming the tiger: national digital chiefs on the powers and perils of AI and Practical plans and how to build a digital strategy that gets delivered
“In 2022, unknown actors posing as the mayor of Kyiv secured video calls with several European mayors,” the report notes. “Call participants had no idea that the other caller was a deepfake until the supposed mayor of Kyiv began making suspicious comments.” (For more information, see Global Government Forum’s five-part investigation into foreign interference in elections.)
China too has very active cyber teams – often focusing on the theft of intellectual property from western businesses and public bodies. The US Department of Justice is pursuing “Chinese state-sponsored cyber threat actors” for industrial espionage in fields including maritime technology, life sciences, IT and defence, the report notes, with thefts “intended to support China’s efforts to secure foreign contracts for its state-owned enterprises, in addition to its own research programmes”.
The single biggest threats to western citizens, though, are cybercrime and ransomware: lucrative activities that have developed their own financial networks and supply chains. “Ransomware as a service” has become a thriving industry, noted one participant, while the arrival of generative AI has provided criminals with a new set of tools.
Forewarned is forearmed
As the number, range and capabilities of hostile actors grows ever greater, advanced nations present them with an ever-larger surface to attack. But the defenders do have some growing assets, said Neelam Sandhu, then chief elite customer success officer and chief marketing officer at event knowledge partner Blackberry. “We have seen over the last two or three years a massive shift, across enterprise and government, to everyone being much more aware of the importance of cybersecurity,” she said. Blackberry – which today provides secure software in sensitive environments, such as motoring and telephony – has long put security at the centre of its offer, she added, but “now it’s top of mind for everyone”.
What’s more, said Sandhu, nowadays “there’s a desire to be much more agile in adopting new technologies – including in fighting adversaries in the cybersecurity space”. Blackberry, for example, has been applying AI to develop “predictive cybersecurity” systems, able to spot and combat cyber attacks before new viruses have been identified and suitable patches distributed.
If they are to capitalise on this raised awareness and inventiveness, however, digital leaders will have to recognise some of the tensions in their approach to cybersecurity – and to change behaviours where necessary. For example, said Sandhu, there’s a perception that protecting security creates inconvenience for users, and that as a consequence “people are prioritising user experience over cybersecurity”.
Reconciling convenience and resilience
Security requirements that appear to hamper public servants in their daily duties are likely to fail. As one participant commented: “Folks will circumvent the very best of security practices if they don’t align with allowing them to meet their work objectives.” But there need be no conflict here, responded Sandhu. “Security should be built into any architecture, not bolted on,” she said. “The need for a trade-off shouldn’t exist.”
Alison Pritchard, the UK’s deputy national statistician, had been worrying about this. “We’re at the stage where, technically, I can bring a lot of data together and link it. But that increases risk to a considerable degree,” she said. “Do we have to curtail our ambitions on innovation and the use of data, given the realistic prospect that the risk will continue to grow?”
“If security is going to be at the forefront, then the implementation of some innovations may slow down,” replied Sandhu. “But the problem really is that the cybersecurity issue has moved too far downstream. It’s seen as the responsibility of the IT team, but we need to put more pressure on the manufacturers of the assets – software solutions, endpoints or whatever it is – moving the problem upstream. If they’re delivered to you in a more secure way in the first place, then you can implement innovations more quickly.”
One problem here, noted Dunkin, is that “rewards are not aligned”: commercial incentives reward those first to market with a new technology, rather than the most secure product. “Being a first mover gets you more value than being a secure first mover,” she commented – at least until a vulnerability permits a disastrous cyber-attack.
No matter how carefully manufacturers, developers and IT managers work to build security into their systems, though, improper use by staff can always open the door to threat actors. “There are two kinds of insider threats: the ones that are intentional, malicious, and the accidental ones. And I think we have a greater risk of accidental insider threats,” said Dunkin. This risk applies even among the most senior and digitally savvy staff. Noting that mobile phones provide a “really good target” for foreign intelligence agencies and cybercriminals, one participant urged senior officials to take “burner phones” and use VPNs when travelling to high-risk countries.
This means that high-quality training and careful workforce management are required, or organisations can find themselves erecting impregnable fortresses – only to discover that staff members have accidentally left the back door open. At the other end of the scale, digital leaders must work together across national boundaries to share information and solutions. And in the middle, there’s a need for greater collaboration within both the public and private sectors.
Collaboration confounds conmen
“There’s a very clear understanding of the need for us to partner to address cybersecurity risks,” said Sandhu. “And those partnerships exist within government. But I think the private sector could do better, ensuring that technologies interoperate and that lessons learned are being shared.”
“Government has a lot of influence in the industry,” she added, arguing that public sector leaders should “push back on vendors, encouraging them to build security into their solutions, and promoting the need for the industry to work together”.
The USA’s Department of Energy has found ways to bring public and private actors together, supporting close collaboration on cybersecurity issues, said Dunkin. Its Integrated Joint Cybersecurity Coordination Center gathers and shares information across the energy ecosystem and the intelligence community, provides cybersecurity services, and catalogues ongoing cyber projects.
At a recent symposium focused on cyber-risks in renewable energy, she recalled, researchers and industry practitioners delved into the various challenges and opportunities. She highlighted an intriguing experience where six different laboratories collaborated to demonstrate the vulnerability of a wind turbine, revealing the capabilities that can emerge from collaboration.
The story clearly illustrates the power of partnership working. The symposium “was such a hit that we’ve been asked to put together something similar in the future for quantum computing, and our AI office is planning to replicate it for AI,” said Dunkin. Alongside generative AI, quantum computing seems likely to present the next frontline in the cyber war.
If governments are to win that war, it will be because they’ve recognised “the power of sharing; the power of us all working together”, said Dunkin. The cybercriminals and hostile states have their own advantages, she added. “They’re faster, more nimble. They don’t have boards of directors; they’re just going to go, go, go!” However, they lack the strength that comes from coordination and communication.
“As one of my favourite folks on the radio says: ‘None of us is as smart as all of us’,” concluded Dunkin. “We just need that unity of effort.”
While Government Digital Summit sessions are held in private, GGF produces these reports to reveal to our readers around the world the priorities and preoccupations of national digital leaders – checking before publication that participants are content to be quoted. Our four reports cover the four daytime sessions.
