After SolarWinds experienced a major cyberattack, which spread to its clients, including U.S. federal systems, it took nearly nine months for the breach to be discovered, patched, and reported to the public in December 2020. The source of the hack, not confirmed until January 2021, turned out to be the Russian Foreign Intelligence Service, which sought to gather information from high-value espionage targets, according to CPO Magazine. Indeed, Reuters reported that the hackers had been spying on internal email traffic at the U.S. Treasury and Commerce departments.
In March 2021, Microsoft announced that vulnerabilities in its Exchange email servers had given hackers "long-term access," resulting in a massive cybersecurity breach of the platform. After exploiting these vulnerabilities to gain initial access, the operators deployed web shells on the compromised servers, potentially allowing them to steal data and perform additional malicious actions that led to further compromise. Even as Microsoft released patches to close the vulnerabilities, experts warned that the threat remained active. Affected organizations included U.S. think tanks, defense industrial base entities, and the European Banking Authority. Microsoft attributed the attack to Hafnium, a group assessed to be state-sponsored and operating out of China.
In the statement "Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation," U.S. Comptroller General Gene Dodaro explained: "[The complexity of federal IT systems] increases the difficulty in identifying, managing, and protecting the numerous operating systems, applications, and devices comprising the systems and networks. Compounding the risk, federal systems and networks are also often interconnected with other internal and external systems and networks, including the internet. … As systems become more integrated, cyber threats will pose an increasing risk to national security, economic well-being, and public health and safety."
Besides the complexity of IT environments in the public sector, malicious actors can operate from anywhere in the world, often as part of state-supported attack groups, which makes them difficult to defend against. At the same time, breaches in the public sector are particularly consequential because physical systems and critical infrastructure that directly affect the health and safety of citizens are inextricably linked to cyberspace. The potential for grave danger goes far beyond financial impact, as was evidenced by the breach of a water treatment plant in Florida in February 2021, when hackers attempted to poison the water supply after gaining control of the system through an employee software program.
Costs of Cybercrime," a global report produced by McAfee and the Center for Strategic and International Studies (CSIS) in 2020, estimates that cybercrime costs the world economy more than $1 trillion in global gross domestic product, an increase of more than 50% from the estimated nearly $600 billion in global losses described in the 2018 report. Unplanned downtime, the cost of investigating breaches, and disruption to productivity represent additional, perhaps underappreciated, high-impact costs. "However, of the 1,500 company executives we surveyed from across the world, slightly more than half of those organizations said they did not have any plans to prevent and respond to a security incident," said Zhanna Malekos Smith, senior associate with the Strategic Technologies Program at CSIS. "Further, of the 951 organizations that did have a response plan, just 32% said it was actually effective. Overall, we found a lack of organizationwide understanding of cyber risk."
Assessing, Mitigating, and Monitoring Risks
Many resources are available within the U.S. public sector to help manage cyber risk. These include agencies, organizations, standards, frameworks, and technology aimed at maintaining effective cybersecurity.
Agencies, Professional Organizations, Standards, and Guidance
In the U.S., agencies and organizations that exist to defend the nation's cyberspace include the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and law enforcement agencies. As the primary federal government agency involved with cybersecurity, CISA also interfaces with nonfederal entities and civilian cybersecurity activities. These organizations periodically issue advisories and recommendations related to emerging cyber threats. Additionally, federal legislation mandates specific information security measures for federal agencies.
State and local governments face similar threats and often apply federal standards and guidance to inform their cybersecurity programs and cybersecurity legislation. In addition, the National Governors Association established the Resource Center for State Cybersecurity to help craft and implement effective state cybersecurity policies and practices.
Risk Management Framework
NIST's Cybersecurity Framework resulted from the issuance of Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which recognized that the national and economic security of the U.S. depends on the reliable function of critical infrastructure. The executive order directed NIST to collaborate with private and public stakeholders to develop a voluntary framework — based on existing standards, guidelines, and practices — for reducing cyber risks to critical infrastructure. Written in language that is common and accessible to many stakeholders, the framework is adaptable to many technologies, life cycle phases, sectors, and uses.
Program to Mitigate Risks Heightened by COVID-19
Public sector organizations had to modernize IT rapidly during the COVID-19 pandemic; for example, setting up teleworking systems for employees to work from home and migrating business processes to the cloud. This situation heightened the risk of phishing, ransomware, and other attacks that targeted gaps in cybersecurity. The pandemic accelerated the adoption of the Federal Risk and Authorization Management Program, one of the most prominent governmentwide programs to securely deploy standardized cloud-based technologies that support agency missions within a virtual environment.
Cybersecurity and Internal Audit
Auditors in public sector organizations should be aware of the risk mitigation tools and techniques available to protect the public-facing technology and IT infrastructure of public sector organizations and their contractors, as well as the controls in place to detect breaches and initiate recovery as quickly as possible.
As with all risks, cybersecurity should be considered when creating the risk-based internal audit plan. Internal auditors can find recommendations for assessing cybersecurity in the Cybersecurity Risk Assessment Framework (see below) from the IIA GTAG "Assessing Cybersecurity Risk: The Three Lines Model." The framework comprises six interdependent components.
Component 1: Cybersecurity Governance
Internal auditors should understand and independently assess the organization's cybersecurity governance. When providing assurance, IIA Standard 2110.A2 requires the internal audit activity to assess whether the organization's IT governance processes support its strategies and objectives. Additionally, Standard 2130.A1 requires internal audit to evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems and advises on specific aspects over which assurance must be provided.
Per Standard 2050, the chief audit executive (CAE) should share information, coordinate activities, and consider relying on the work of other internal and external assurance and consulting service providers. The CAE may rely on the work of such providers if he or she is able to establish a consistent basis of reliance.
Component 2: Inventory of Information Assets
Internal auditors using the framework should review whether the IT department maintains an up-to-date inventory of all information assets. Auditors should review whether IT management prioritizes the security of the information assets that are most essential to advancing the organization's objectives and sustaining operations. The IT assets of users with privileged access should be checked for problematic websites, malicious software, and data exfiltration.
Component 3: Standard Security Configurations
The IIA's framework recommends that internal auditors identify and review the efficiency and effectiveness of the software used to manage standard security configurations for devices, operating systems, and application software, as well as the processes for patching software and updating hardware to ensure secure configurations remain current. Auditors may review the standard security configurations for users with privileged access.
Component 4: Information Access Management
Identity and access management controls and effective network and domain segmentation should limit users to accessing only that which is necessary to perform the functions for which they have been authorized. Internal auditors may review the IT assets of users with privileged access to ensure controls are designed correctly and operating as intended. Internal auditors also should review the risks and the risk management and control processes related to third parties with authorized access, such as service organizations and suppliers. Those in first and second line roles may be actively involved in such reviews, while internal audit provides an independent assessment.
Component 5: Prompt Response and Remediation
Auditors should assess whether cybersecurity risks are effectively and efficiently responded to and remediated. The organization's ability to promptly communicate and manage risks indicates the program's effectiveness and level of maturity.
Component 6: Ongoing Monitoring
Management should implement a system to continuously monitor cybersecurity risks, prevent risk occurrences, and detect breaches. The system should allow identified issues to be tracked through resolution, and management should report on key risk indicators periodically. Internal audit independently assesses management's processes and may implement a system of continuous auditing.
Basics of Cybersecurity Auditing
Cybersecurity threats are trending upward, and while legislation and programs at federal, state, and local levels continue to support cybersecurity preparedness, attackers are always looking to exploit new vulnerabilities. Internal auditors in the public sector can help in several ways:
- CAEs should discuss the organization's cybersecurity risks, in alignment with relevant guidance, with senior management and the board.
- CAEs should determine whether resources are allocated to the most significant risks.
- Auditors should study relevant cybersecurity legislation, policies, and standards during engagement planning to ensure that appropriate criteria are identified.
- Auditors should look to cybersecurity frameworks, such as those from NIST and The IIA, for testing and evaluation guidelines.
- Auditors should develop skills in cybersecurity risk assessment, testing, and evaluation through training and experiential learning.
- Auditors should research and monitor trends in cybersecurity threats and attacks.
Public sector auditors should be aware of all the resources available to them and work with the information security professionals in their organization to help ensure effective cybersecurity measures are in place. A solid, robust approach is essential to managing cyber risk and, ultimately, serving the public good.