The pressure on government agencies to secure themselves has never been stronger – and yet, even as the world’s networks face a new threat from record-setting distributed denial of service (DDoS) attacks, damning audits of government security policies suggest that actual practice remains well behind best practice.
Facilitated by the memcached traffic-amplification method, a pair of DDoS attacks have this month rapidly boosted the record for DDoS attacks – first with a 1.35Tbps giant against GitHub, and soon afterwards with a 1.7Tbps attack against a US based service provider, which had DDoS specialist NETSCOUT Arbor warning that “the terabit attack era is upon us”.
Given that the second attack nearly tripled the previous 650Gbps record set against a Brazilian target in 2016, the new traffic volumes reflect cybercriminals’ success in finding new ways to better their attacks. Yet this also raises warning flags for government agencies – which are perennial targets of DDoS attacks designed to disrupt key activities such as the 2016 Census fail.
NSW Government agencies are sitting ducks for this type of attack, if the findings of an Audit Office of NSW review are any indication.
The review is an indictment of incident detection and response strategies that “range from good to poor” the auditors found, noting the lack of a whole-of-government capability for detecting and responding to cybersecurity incidents.
“There is a risk that incidents will go undetected longer than they should,” the report notes, “and opportunities to contain and restrict the damage may be lost. Given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly.”
The review identified a series of procedural deficiencies ranging from a complete lack of incident response capabilities and “limited evidence” to show agencies reviewing their security effectiveness, to sporadic or ad-hoc monitoring of the security logs necessary to identify security incidents.
Other identified issues included the lack of contractual obligations for service providers to report incidents to agencies – just 2 of 10 reviewed agencies had such arrangements – as well as limited sharing of cybersecurity intelligence, limited training, unclear role requirements and responsibilities, and the lack of a “clear mandate or capability to ensure effective detection and response across the NSW public sector.”
Although a severe DDoS attack is unlikely to go unnoticed, the identification of such extensive and systemic deficiencies in security response is a wakeup call to government and business organisations alike – although it is not the first time a state government has been flagged for poor security.
A 2013 audit of Victorian government agencies identified 58 major information-security issues in the state’s cybersecurity defences, most of which remained unresolved in a damning 2015 follow-up review that suggested agencies simply didn’t have the impetus to resolve the issues.
Despite concerted efforts and Budget allocations to improve and standardise cybersecurity capability at a national level, recent changes such as the removal of cybersecurity capabilities from the Digital Transformation Agency (DTA) have sent mixed messages.
Such procedural uncertainty is likely to be problematic given the growing exposure of government and private-sector organisations to sophisticated attacks.
NETSCOUT Arbor’s recently released Worldwide Infrastructure Security Report, for example, noted that 57 percent of surveyed enterprise government and education respondents had seen their Internet bandwidth saturated due to a DDoS attack – well up from the 42 percent figure a year ago.
Read more: Getting the security / risk balance right in the public sector
Furthermore, 48 percent noted they had experienced multi-vector DDoS attacks – up from 40 percent the year before – while DDoS attacks were the second most commonly-experienced attacks, after ransomware.