As the Biden administration’s first year in office moves into the rearview mirror, the political headwinds facing spending plans are mounting. However, while much of the spending inside the “Build Back Better” legislative framework is proving to be politically divisive, one area which gets rare bipartisan support is the need to bolster our nation’s cybersecurity efforts. Based on the commitments outlined within the infrastructure bill and aspects of the Build Back Better Act, federal security spending will see a boost of almost $2.5 billion going forward.
With our nation’s federal agencies facing an increasingly existential threat from cyberattacks, this is fantastic news for Americans, but it does come with an important caveat. More spending does not necessarily equal better security. As they work to secure our nation’s digital infrastructure better, federal organizations must not waste billions of taxpayer dollars on reactive cybersecurity solutions that, in the private sector, have left many organizations with less security and more complex tools to manage.
Instead, spending needs to go towards proactive security measures that stop attacks from happening in the first place. One element of this more challenging but ultimately vital goal involves fighting personalized security threats by securing personally identifiable information belonging to federal agency staff and contractors.
PII exposure is driving security risk
PII is already driving the majority of cyberattacks. The practice of customizing phishing emails to specific individuals using PII, such as their names, job titles, and personal contact details (known as “spear-phishing”), is behind at least 70% of government breaches and upwards of 90% of all cyberattacks. It is also the likely cause of some of the recent past’s most notorious and nationally disruptive attacks, including the Colonial Pipeline hack.
The success of targeted phishing attacks also highlights what’s wrong with the status quo approach to security. Against the advanced, often state-funded, threat actors targeting our federal agencies, security solutions like antivirus and endpoint protection do little to stop attackers after they breach a federal agency’s firewall.
Because malware is often deployed filelessly, so that antivirus solutions cannot see it, and is frequently operated directly by threat actors who systematically bypass security controls, defensive solutions cannot be relied upon. The result of this disparity in the security arms race is that once attackers breach the network perimeter, defenders can often do little beyond mitigating damage that has already been done.
Federal agencies need to respond by putting privacy first
Disrupting this threat landscape means making federal agencies indigestible to attackers relying on targeted social engineering scams. Doing so starts with understanding where the PII that threat actors use to craft convincing social engineering scams is coming from and cutting it off.
While it is widely known that an immense quantity of private information flows into the hands of a small number of tech companies, it is less well recognized that a similar volume of equally personal information ends up, through data brokers, in the hands of third parties, including cybercriminals. Although there is a groundswell of legislation protecting individuals in some states and jurisdictions, federally speaking, PII receives scant protection. As a result, a multibillion-dollar industry, known as data brokerage, has sprung up to exploit the easy accessibility of Americans’ PII.
Data brokers do not necessarily intend to increase the risk of organizations falling victim to cybercrime. But they do so nonetheless, thanks to the way their business model works. Data broker firms, such as Experian, Equifax, Acxiom and Epsilon, scrape PII from sources such as social media pages, voter records databases and other public registries. This information, which typically includes people’s names, marital status, home addresses and work emails, is then collated into profiles that are offered for sale to third parties. Acxiom alone holds information on more than 500 million individuals and conducts more than 50 trillion “transactions” per year.
A data broker’s ideal customer is any organization looking to better target offers to customers, but unfortunately, brokers rarely vet or audit how the information they provide is used. As a result, nothing stops this information from being weaponized within social engineering scams or matched to information obtained on the dark web to crack passwords and gain direct malicious network access.
In response, federal organizations need to bolster data privacy among their staff and contractors, making PII security a priority through training and equipping staff with tools to reduce their PII exposure automatically.
An urgent issue
With Americans inadvertently placing more of their information online than ever, stopping the compounding phishing risk this creates for federal agencies is an urgent task. Between 2019 and 2021, DeleteMe noted that the amount of client PII available on data broker websites grew by 150%. As a result, before federal agencies spend billions of dollars bringing their cybersecurity defenses up to speed, they need to assess whether their staff and contractor PII is putting them at risk.