Skip to main content Skip to search

Why are Government Agencies So Vulnerable to Hacking?

In network security we talk about “attack surfaces,” the term for the total number of points or vectors through which an attacker could try to enter a computing environment. As government organizations at the federal, state, county, and municipal levels have become increasingly digital, their attack surfaces have vastly increased and consequently they’ve become far more vulnerable to all kinds of cyber attacks.

Federal information security incidents reported

Federal information security incidents reported to the U.S. Computer Emergency Readiness Team, fiscal years 2009 through 2018. Note: Until fiscal year 2016, the number of information security incidents reported by federal agencies to DHS’s United States Computer Emergency Readiness Team (US-CERT) had steadily increased each year. From fiscal year 2009 through fiscal year 2015, reported incidents increased from 29,999 to 77,183, an increase of 157 percent. Changes to federal incident reporting guidelines for 2016 contributed to the decrease in reported incidents in fiscal year 2016. Specifically, updated incident reporting guidelines that became effective in fiscal year 2016 no longer required agencies to report non-cyber incidents or incidents categorized as scans, probes, and attempted access.

Source: GAO

The main reasons for this high level of vulnerability are inadequate IT security expenditure on new equipment and staff training combined with overly bureaucratic processes, which together make it very difficult for these organizations to keep up with the pace of digital evolution. This, in turn, puts mission-critical public services such as court systems, municipal utilities, bill payment services, traffic control, power grids, and voting registration at serious risk of disruption. The 2018 Government Cybersecurity Report by Security Scorecard notes that:

Government organizations remain a primary target given the reams of personally identifiable information (PII) stored and processed by agencies, not to mention top-secret national security details. All the necessary components of critical infrastructure networks such as courts, traffic, public transportation, elections, and public utilities fall under the auspices of regional governments. Even ‘small’ governments can be huge, slow-moving bureaucracies with a mix of emerging technologies and a massive, highly vulnerable entrenched legacy infrastructure, all of which present a perfect storm for the modern hacker.

With the SARS-Cov2 pandemic now affecting just about every aspect of life, many government employees are working from home, which significantly increases the risks from government hacking, and consequently, data breaches and data exfiltration, malware incursions, phishing attacks, and ransomware attempts are on the rise.

Across all sectors, external actors account for a growing percentage of breaches, making up 75 percent in 2019, against 62 percent in 2018.This suggests that organizations are improving their defenses against insider threats and data loss protection, but they face new and potentially more dangerous threat actors. Chief among these are those who are backed by nation states.


Why Has the Government Become a Hot Target?

Hackers love hacking the online service of government agencies because they are often “soft” targets. Often they are weakly defended, inadequately monitored, and poorly maintained (i.e. updates and patches are frequently out of date). But the biggest reason to attack government agencies is that the financial rewards for successful attempts can be huge or, in the case of hostile state actors, very valuable in political cyber warfare. Given how easy and valuable these targets are it’s no surprise that we’re seeing the frequency of attacks escalating.

Federal Information Security Incidents by Threat Vector Category

Federal Information Security Incidents by Threat Vector Category, Fiscal Year 2018. Source: GAO

Phishing Attacks

All sectors of the economy are subject to phishing, a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card. According to Security Scorecard’s 2018 Government Cybersecurity Report:

Attackers will often profile email addresses obtained from data breaches and match them to existing social network profiles to target accounts and execute spear phishing attacks. For example, if an employee creates a Facebook or LinkedIn account with a government email address, it increases the risk of a phishing attack through one of those networks.

These phishing attacks may also involve malware sent as attachments in email, which can lead to data exfiltration and ransomware attacks. The biggest problem with phishing attacks is that the technique works surprisingly well. Verizon’s 2020 Data Breach Investigations Report revealed that an astounding 32 percent of confirmed data breaches involved phishing.

Holding the Government to Ransom

Of all hacking techniques seen “in the wild,” the use of ransomware—malware that encrypts data and demands payment usually in a cryptocurrency such as Bitcoin—has grown incredibly fast particularly in government agencies.

A study by Emsisoft, an anti-malware vendor, found that more than 100 cities across the United States suffered ransomware attacks in 2019 and a key issue in preventing ransomware attacks is staff training. However, a recent IBM-Harris survey found that only 38 percent of state and local government employees had ransomware prevention training. Three recent examples of successful ransomware attacks are:

  • In early May 2019, hacking systems succeeded in executing a ransomware attack on the City of Baltimore talking down the city’s voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations, delaying 1,500 pending home sales. The demand: 13 Bitcoins or $102,000. As of August 2019, it was estimated that the attack had cost the city over $18,200,000.
  • In August 2019, 22 towns in Texas fell victim to ransomware attacks that were believed to be the work of a single actor. The attacker essentially shut down all information technology services in the towns and demanded a $2.5 million ransom.
  • Following a ransomware attack on December 13, 2019, the City of New Orleans declared a state of emergency. The cost to the city was reported to be $4,200,000 although other sources have claimed that the cost was at least $7,000,000.

Government Data Breaches

One thing all government agencies have is huge amounts of data. This includes vast stores of Personally Identifiable Information (PII) on citizens, as well as comprehensive and often highly sensitive commercial company data. Verizon’s 2019/2020 Data Breach Investigations Report found that 16 percent of breaches were in the public sector, excluding healthcare and the average cost of a data breach in 2018 was $2.3 million with an average cost of $75 per record.

Verizon found that espionage was a key driver for government data breaches, with public sector cyber attacks making up 66 percent of all incidents in 2019. In addition, “state affiliated actors” have been the leading cause of external public sector data breaches and data exfiltration each year since 2017. In 2019, they accounted for 79 percent of incidents.

The list of government data breaches over the last couple of decades is long but here are a few examples to give a little perspective on the scale of recent breaches involving data exfiltration executed by hacking or exposed due to poor data security:

  • U.S. Postal Service (DC) – 60,000,000 records – 2018
  • Office of Personnel Management (DC) – 21,500,000 records – 2015
  • California Secretary of State (CA) – 19,200,000 records – 2017
  • Government Payment Service, Inc. (IN) – 14,000,000 records – 2018
  • Georgia Secretary of State (GA) – 6,000,000 records – 2015
  • Office of Child Support Enforcement (WA) – 5,000,000 records – 2016
  • Office of Personnel Management (DC) – 4,200,000 records – 2015
  • U.S. Postal Service (DC) – 3,650,000 records – 2014
  • Los Angeles County 211 (CA) – 3,200,000 records – 2018
  • Washington Department of Fishing and Wildlife (WA) – 2,435,452 – 2016

How Government Agencies Can Defend Themselves

The federal government’s Office of Management and Budget (OMB) Federal Cybersecurity Risk Determination Report and Action Plan concluded that 71 percent of 96 agencies studied were either “at risk” or at “high risk.” The plan outlined four key findings:

  • Limited situational awareness
  • Lack of standardized IT capabilities
  • Limited network visibility
  • Lack of accountability for managing risks

While training, up-to-date patching, and other basic security measures can bolster government agency defenses, removing limited network communications visibility is arguably the most easily and quickly addressed. There are two strategic technologies that vastly improve network visibility: the use of SSL (Secure Sockets Layer)/TLS (Transport Layer Security) encryption to secure all communications and the use of SSL inspection/TLS inspection to detect data exfiltration, as well as phishing, ransomware, and malware payloads.

How A10 Can Help Stop Hidden Threats

Improved network communications visibility to detect and stop hidden threats is easy with A10 Networks Thunder® SSL Insight (SSLi®), available in both hardware and software form factors. Thunder SSLi provides cost-effective deep packet inspection for full network traffic visibility, as well as SSL offloading, content filtering for data loss prevention, load balancing, and traffic steering. Thunder SSLi also includes comprehensive analytics and management providing real-time, actionable insights into traffic statistics, categorization, suspicious activities, and more as well the ability to manage multi-site deployments from a central location.


Babur Khan
October 20, 2020

Babur Nawaz Khan is a Senior Product Marketing Manager at A10 Networks. He is responsible for A10's Enterprise Security and DDoS Protection solutions. Prior to this, he was… Read More