In the federal arena, 2019 was a highly eventful year when it comes to cybersecurity. The U.S. Customs and Border Protection’s data breach was the most prominent compromise, FEMA inadvertently leaked the personal data of 2.5 million disaster survivors, and the city of Baltimore was forced to pay $6 million in response to a very high-profile ransomware attack.
As we head into 2020, federal, state and local agencies will continue to be a prime target for cyber attacks. Here are three security trends for government leaders to note in the coming year.
Trend #1: Mobile will become the primary phishing attack vector
In the federal sector, credential phishing attempts targeting mobile devices will become more common than traditional email-based attacks.
A recent poll conducted by the Government Business Council, and sponsored by Lookout, found that 45 percent of government employees accessed work-related data when connected to external networks (i.e., not the agency network). Forty-seven percent of respondents had encountered a phishing attack while conducting work via a mobile device.
As mobility comes more to the forefront, government agencies must realize that when it comes to social engineering in a post-perimeter world, email is not the only, or even the primary, attack vector used.
Trend #2: Agencies will need to move from 2FA to MFA
In 2020, agencies will need to move from traditional two-factor authentication (2FA) to multi-factor authentication (MFA), utilizing biometrics and other more advanced forms of identification to grant access to network resources. The use of one-time authorization codes (OTAC) providing 2FA can help with access management, but can also be targeted by advanced phishing attacks. While a bit more common on the enterprise side, we will see government agencies exploring MFA and biometrics specifically on mobile devices. In fact, the U.S. Navy Cybersecurity Readiness Review from March 2019 references multi-factor authentication on company servers and services as a way to reduce exploitable vulnerabilities. This approach provides enhanced authentication and improves the end user experience, but only works if the device itself isn’t compromised.
Trend #3: Machine learning will be targeted as a new attack vector for autonomous campaigns
Attackers will begin to implement machine learning in the execution of phishing campaigns against government agencies. Landing pages and phishing lures will be run through AI algorithms to test success and improve conversion rates. In addition, AI will be used to create and register new domains for phishing sites. These enhancements will lead to faster, shorter-lived attacks that most existing processes won’t be able to detect.
With 2020 looking to be another year of prominent cyber breaches, we will continue to see bad cyber actors and nation states being more innovative in their approaches. Agency IT leaders will need to be vigilant in their efforts to protect their networks, especially as critical data needs to be accessible from any device, wherever employees are located.
David Richardson has been building software to help individuals and enterprises secure mobile devices since 2009. He has 45 patents issued related to mobile security. He is a frequent speaker at security conferences on the topic of iOS and Android security.