CHAPTER TWO: CYBERCRIME IN GOVERNMENTS
Cybercrime and Cyber Warfare
Cybercrime is the act of carrying out criminal activities using technological devices, such as computers, as the primary instrument to attack other networks or information systems (Kierkegaard, 2005). Cybercrime is often performed by professionals within the industry, and they spend a lot of time organizing their activities before execution (Latto, 2020). Organized cybercrime involves learning more about the potential victim, including their weaknesses and vulnerabilities. Gathering this type of information can increase the success of an attack and is a critical step. Cyber warfare is similar to cybercrime, but it involves nation-states or international organizations that attack other nations’ information systems. Those who participate in cybercrime are referred to as cyber threat actors (CTAs). The following table defines the different types of CTAs and their motivations for conducting cybercrime (Center for Internet Security, n.d.):
Table 1: List and Definitions of Cyber Threat Actors
CTAs use different methods to conduct criminal activities, including malware, hacking, identity theft, and scams (Michael & Sammons, 2017). There are several different categories of cybercrime: economic crimes, content-related offenses, intellectual property (IP) crimes, and privacy offenses (Kierkegaard, 2005). Economic crimes consist of traditional hacking, computer fraud, computer espionage and forgery, and computer destruction; content-related offenses include illegal content of child sexual abuse and racial statements; IP crimes include theft of copyrighted material, trade secrets, and violations of trademarks; and privacy offenses are the illegal collection, storage, and distribution of people’s personal information without proper consent (Kiener-manu, 2019; Kierkegaard, 2005). For example, the SolarWinds and presidential campaign hacks would be classified as economic crimes, and Clinton’s disclosure of classified information would be considered a privacy offense. Research has shown that the government suffers from economic crimes and privacy offenses more than the other types.
The United States Government as a Target
The government is one of the largest organizations in the world, with roughly 456 government agencies and departments that employ over two million civilian employees and nearly five hundred thousand active military members (Cancian, 2019; Jennings & Nagel, 2020). The number of employees greatly increases its threat landscape since employees remain one of the highest vulnerabilities and a desirable target for CTAs to exploit. Government agencies are known to have high-value assets, sensitive information, and large budgets that gain the attention of CTAs for obvious reasons given their motivations. For example, the Department of Defense (DoD) is one of the largest government entities possessing high-value assets such as military aircraft and critical infrastructure. According to Armerding (2019), a recent report released by the Government Accountability Office (GAO) determined that DoD weapon systems have critical vulnerabilities allowing adversaries to gain undetected control. Attacks on these assets have the potential to do damage similar to that of a nuclear weapon (Andres, 2017). While attacking the government carries extreme risks for adversaries, they believe the benefits outweigh the potential consequences, which is why the government must take action to protect its infrastructure (Andres, 2017).
Michael McCaul said in a congressional hearing that government organizations are being attacked in several ways: cyber warfare, denying service to critical infrastructure, appropriating intellectual property, conducting spy operations, and accessing personally identifiable information (PII) (America is Under Cyber Attack, 2012). Nation-states are trying to advance their developments in an effort to strategically compete with the government’s capabilities since they are behind in the competition (America is Under Cyber Attack, 2012). The government is not just a target for espionage and financial gain. Nation-state actors are not always in the game to steal information and cause damage; they have also been known to compromise systems just to demonstrate and inform the world of their capabilities (Sobers, 2020).
China, for instance, is a nation-state implicated as one of the government’s top threats, as it seeks to target government infrastructure for espionage and theft to advance its own cyber and technological capabilities (Office of the Director of National Intelligence, 2021). The NSA has publicly announced that Chinese state-sponsored cyber actors are scanning and targeting government networks (Musto, 2020). The cyberattack conducted on the Office of Personnel Management (OPM) was attributed to a group of Chinese hackers (Fruhlinger, 2020). OPM is essentially the government’s human resource agency. As the human resource agency, it holds personnel files for every government employee that consist of social security numbers, fingerprints, financial information, and other PII, which is a form of sensitive information. The attack on OPM resulted in over twenty-one million records being breached. Such information may provide China with the ability to gain a better understanding of government operations and special programs. The data breach is suggested to place a target on American lives for extortion by the Chinese government to potentially conduct additional espionage missions (Gootman, 2016).
Russia, another nation-state, is considered a top threat to the government (Office of the Director of National Intelligence, 2021). It has highly advanced cyber capabilities that it uses to collect intelligence from other governments and conduct offensive cyber operations (Bowen, 2021). Russia’s cyber warfare is thought to be a means of avoiding war while attempting to affect political and economic outcomes around the world (Connell & Vogler, 2017). Russia has been accused of conducting cyber warfare on government organizations for many years. The 2016 United States presidential election was hacked by Russia to influence the election outcomes and sabotage public trust in the democratic process (Connell & Vogler, 2017). Russia also stole emails and other sensitive documents that can provide intelligence for decision making, and it is also known to commit espionage so that it can leak the information to the public (Bowen, 2021; Connell & Vogler, 2017).
North Korea is known for attacking government networks in order to steal and launder money to fund its development of nuclear weapons, but also for espionage (Sanger & Perlroth, 2020). Since 2017, North Korea has increased its network activity nearly 300% and is known to have 7,000 cyber warriors to aggressively carry out its missions (Office of Information Security, 2021). It commonly uses spearphishing attacks directed at DoD and Department of State employees in attempts to steal sensitive information (Cluley, 2021; U.S. Department of Justice, 2021). More recently, North Korea has been accused of targeting COVID-19 vaccine developers to steal research data and has sent COVID-19 themed phishing emails to millions of people hoping to steal sensitive information and financial data (Office of Information Security, 2021). Reports indicate that North Korea was able to steal more than $300 million from 2019 to late 2020 (Lederer, 2021). Government entities remain a top target for North Korea, alongside other targets: aerospace, healthcare, and banking.
The government is becoming increasingly dependent on technology, which inherently creates more vulnerabilities as new technologies become integrated into its systems. Nation-states have demonstrated that they possess the cyber capabilities to hack some of the most secure systems by exploiting vulnerabilities. These exploitations have resulted in millions of dollars in damages and have damaged the integrity of our national security. Nation-states have proven they are motivated and determined to continue engaging in cyber warfare in their mission to boost military capabilities at the expense of the government. These attacks have the potential to cause serious damage, which is why it is imperative that the government seek new ways to mitigate these threats. National security can be greatly impacted if cyberattacks on government systems continue and a better solution is not implemented (Executive Office of the President, 2018).
Current Challenges within the Government
Increasing cybersecurity within the government has been an ongoing challenge since 2008, when the Bush administration created the Comprehensive National Cybersecurity Initiative in an effort to address the cybersecurity gap. GAO had initially identified cybersecurity as a risk in 1997, but the issue lacked attention for many years (U.S. Government Accountability Office, 2021). The initiatives were designed to increase cyber defense through counterintelligence, research and development, network technologies, sharing of information between entities, education, risk management, and deterrence strategies. In 2010, GAO provided more than 3,000 recommendations to increase cybersecurity, but almost 1,000 of those recommendations remain to be addressed as of late 2020 (U.S. Government Accountability Office, 2021). The remaining major challenges within the government include (U.S. Government Accountability Office, 2021):
- Establish cybersecurity strategies and perform effective oversight.
- Secure federal information systems and data.
- Protect critical infrastructure within cyberspace.
- Protect privacy and sensitive information.
According to the Watchdog Report podcast hosted by GAO, Jennifer Franks (2021) identified three major struggles that still exist within the government: lack of full awareness, poorly designed and implemented controls, and lack of personnel. She believes that the government lacks cybersecurity urgency and needs to find solutions to better manage the protection of their assets. Focusing on these issues provides an opportunity for the government to reduce the human threat as a weakness within cybersecurity programs. To combat these issues, the government has already implemented several solutions to address awareness with training and education programs that are required for all government employees (Office of Personnel Management, n.d.). These training requirements must be completed on an annual basis to keep employees up to date and informed on cybersecurity. Additional training requirements exist depending on employees’ roles and occupations to address more specific needs (Office of Personnel Management, n.d.). Annual training seems to have only addressed a piece of the problem because human error has not been eliminated nor effectively reduced given the recent reports from GAO as previously mentioned.
The amount of time dedicated to cybersecurity training has been shown to have a negative relationship with cyber incidents (Kweon et al., 2019). As employees spend more time with cybersecurity training, there should be a reduction in cyber incidents that are a result of human error. An issue with annual training is that it is only required once a year, or every twelve months (Office of Personnel Management, n.d.). A recent study was conducted by The Advanced Computing Systems Association to investigate the effectiveness of phishing awareness and education and to determine how employees respond to threats over time. The study concluded that employees remained aware at four months from the initial training; however, after six months, employees were no longer able to identify the threats (Reinheimer et al., 2020). The study shows that annual training may not be effective in addressing the current challenges the government faces with cybersecurity awareness and human error. It is imperative to implement a solution that addresses employee behavior throughout the entire year, and not on an annual basis, if the government wants to better protect its assets and reduce human error.
Cybersecurity Culture
Cybersecurity culture has been considered an ill-defined problem due to a difference in the understanding of what delimits a cybersecurity culture (Gcaza & Solms, 2017). A review of academia and industry surveys has led to the development of a clearer definition: cybersecurity culture is the human behavior that protects organizational information through compliance with the organization’s security policies and procedures and an understanding of how to execute them, as embedded through initiatives such as training, education, awareness, and communication (Da Veiga et al., 2020). Cybersecurity culture has also been described as a way that things are done: secure behaviors that have become habitual and require less cognitive effort (Gcaza & Solms, 2017; Haith & Krakauer, 2018). It is also known to be an effective tool that helps manage the human factors within cybersecurity because employee behavior is known to either create or reduce vulnerabilities (European Union Agency for Network and Information Security, 2018; Huang & Pearlson, 2019).
According to the Security Culture Report, industries with strong cultures have higher levels of attitudes, secure behaviors, cognition, compliance, and norms, whereas those with weaker cultures have lower levels (Petric et al., n.d.). Individuals within a developed, mature culture operate with a cybersecurity mindset that protects not only the organization against cyber threats but also themselves (Donahue, 2011). Employees need to understand that cybersecurity is everyone’s responsibility and not that of a specific group, such as the information technology team, but it has been known to require substantial effort from the organization to instil this mindset (Alshaikh, 2020). There is a lack of information within research that offers a framework for building a cybersecurity culture that focuses on changing human behavior so that employees become more secure in their actions (Alshaikh, 2020). Therefore, there is a need to learn about the influences on human behavior and what methods can be used to ensure employees are complying with security policies and engaging in secure behaviors to reduce organizational risk.