This is the first of two articles on cyber security and long-term risk. This article discusses the first of two issues that underlie the long-term risk: the need to have a robust Enterprise Risk Management process. It also provides policy recommendations. The second article will discuss the second issue, competition for resources, both human and financial, and will also present policy recommendations.
Introduction
In July 2018 the U.S. Government Accountability Office conducted an Information Security Audit of 16 agencies. It found deficiencies in the information security programs of all 16. A July 16, 2018 California Auditor report on information security found that most of the 33 entities examined had deficiencies.
These deficiencies can have substantive consequences. Recent Office of Inspector General audits determined that the United States Postal Service, a federal agency positively rated by the public, had multiple information security issues. A vulnerability in its Informed Delivery service left millions at risk of identity theft. In addition, a bug in its main website exposed personal details on more than 60 million users. (1) In 2018, the regional municipality of Mekinac, Canada paid $30,000 in bitcoins to regain access to its data. Its computer systems were shut down for two weeks while negotiations with the attacker were conducted. (2) In May 2019, the city of Naples, Florida was the victim of a cyber-attack in which $700,000 was stolen. On June 10, Lake City, Florida confirmed it paid a ransom of $490,000 in bitcoins. The attack rendered the city’s e-mail useless. (3) Atlanta, GA and Baltimore, MD both suffered a ransomware attack. Atlanta’s computer network was shut down for a week; Baltimore’s was shut down for three weeks. It cost each city at least $17 million to fix the problem. (4) On August 16, 2019 twenty local governments in Texas were hit with a coordinated ransomware attack. (5)
A 2018 survey of United Kingdom local governments found that 29% had suffered at least one cyber security breach. The Tonbridge and Malling Councils reported 62 incidents over a five-year period. Herefordshire experienced 22, while the City of Edinburgh reported 11. (6) On July 30, 2019 East Northamptonshire and Wellingborough in the United Kingdom had to shut down their computer systems for a day due to a phishing attack. (7)
Cyber-attacks are real. They are global. They are a recognized risk for both the public and private sectors. In the North Carolina State University 2019 survey “Executive Perspectives on Top Risks”, cyber-attacks were ranked fifth. Risk number 10 was the inability of the organization’s culture to identify and raise risk issues.
The GAO report emphasizes the serious nature of a cyber-attack. It also found that most of the agencies examined needed to improve their risk management process.
“Risk management strategies include strategic-level decisions and consideration for how senior leaders and executives are to manage risk to organizational operations and assets, individuals, other organizations, and the nation. GAO and inspectors general reports identified that 10 of the 16 selected agencies had deficiencies in developing, documenting, or implementing a risk management strategy or process. Another agency had developed an enterprise risk management strategy but had not implemented it consistently across the agency.” (8)
Stressing the need for Enterprise Risk Management (ERM) as part of the cyber security process is all well and good, but Northamptonshire and Wellingborough had implemented ERM. Their strategic risk register rated cyber security as a high risk. This raises the basic question: “Does ERM work or not?”
The short answer is yes, it works. The risk of a cyber-attack was rated high. However, giving it a high priority does not necessarily translate into action. In the case of the Northamptonshire and Wellingborough joint computer network, for Northamptonshire to receive a provisional rating on cyber security in its audit, it had to develop a plan and begin implementing it. The motivation for implementing a comprehensive cyber security plan was the audit. The phishing attack occurred before the plan could be implemented. As the adage goes, “You can lead a horse to water, but you can’t make it drink.” So it is with risk management. You can have the risks correctly identified and prioritized, but unless decision makers act on those priorities it is merely a list.
This leads to the two underlying problems with respect to ERM implementation and cyber security that this article will explore. The first is the need to be proactive in risk identification and management. The second is competition for resources. (It should be noted that additional examples and background can be found in my book “Enterprise Risk Management in Government: Implementing ISO 31000:2018”.)
ERM Implementation
The GAO report noted that around sixty percent of the federal agencies examined did not have an ERM process, despite a 2015 mandate. Exploratory examination of ERM implementation at the local government level indicates that in the United States 3% of local governments have some aspect of ERM. In Canada, 17% of local governments have an ERM policy. In New Zealand it is 33% and in Australia 32%.
There are two points to be made about this data. First, there are plenty of examples that non-ERM implementers can use as models. Both the Commonwealth of Australia and the Australian state of New South Wales recently conducted ERM implementation audits. (The audit results have been discussed in earlier Insight articles. I also devote a chapter to them in my book.) The results clearly indicate both have been successful in implementing ERM.
The second is that the public administration risk-oriented thought process has not caught up with reality. Sticking with cyber for the moment, the GAO report identified the types of attacks from the outside that have been made on federal systems: 22% phishing, 11% web based, 1% brute force and 1% multiple attack vectors. Thirty-five percent of the cyber security threats are coming from outside the organization. In terms of numbers, in 2017 there were 35,277 attacks and in 2018 there were 31,107 attacks. The GAO report notes:
“In March 2018, the Department of Justice reported that it had indicted nine Iranians for conducting a massive cybersecurity theft campaign on behalf of the Islamic Revolutionary Guard Corps. According to the department, the Iranians allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 U.S. Companies and five federal government agencies, among other entities.” (9)
The lack of good cyber security opens governments at all levels to malicious attacks. These attacks can at best be an annoyance. At worst they can cause infrastructure failures, huge amounts of property damage and even deaths.
Cyber-attacks are but one type of risk governments face. Lloyd’s of London in “Cities at Risk” lists 22 risks cities face. These include floods, hurricanes, tornadoes, wildfires, pandemics and civil unrest. Lloyd’s estimates that the 22 risks could cost cities $546.5 billion. (10)
Lloyd’s also estimates that if local governments took mitigative actions, they could reduce the adverse impact by 13.4%. The National Institute of Building Sciences estimates that for every $1 spent on mitigation, $6 is saved in the long run. (11)
A proactive approach to risk management can protect and conserve government’s scarce resources. There are plenty of ERM examples worldwide. ERM works. However, there are structural impediments to ERM’s implementation.
Policy Recommendations
A 2019 report by the University of Cambridge entitled “Managing Global Catastrophic Risks” lists several of these impediments.
- Governments do not sufficiently understand how to design risk mitigation, preparation and response measures.
- Political leaders tend to focus on the short term. There is little incentive to think about emerging or long-term risks.
- Bureaucracies are often ill-equipped to understand risk and often suffer from poor agility in responding to new or emerging issues, poor risk management culture and practice, lack of technical expertise and failure of imagination.
While the Cambridge report deals primarily with catastrophic risks like climate change, malicious or accidentally harmful use of artificial intelligence, engineered pandemics and terrorist-related attacks using nuclear weapons, several of its policy recommendations are applicable to any level of government. These are:
- Improve risk management practice to better understand existing and emerging risks.
- Enable better decision-making on future risks and ensure that action is taken within a legislative and policy context to mitigate these risks.
- Understand risk in a holistic manner to sufficiently inform decision makers about the implications of risk mitigation efforts. (12)
These three policy recommendations can be implemented by taking two actions.
- Federal agencies need to show that ERM is beneficial by successfully implementing ERM. (The Commonwealth of Australia and the state of New South Wales show this can be done.)
- Federal agencies need to encourage state and local governments to adopt ERM. This can be done by including ERM in guides and manuals and emphasizing the practice in grants and loans.
Summary
Governments around the world are facing multiple risks. The adverse impact of these risks can be significant and costly. The United States Postal Service is rated by the public as one of the best governmental agencies, but that ranking and its reputation can be significantly damaged by data leaks that result in significant levels of identity theft. Damage to the organization’s reputation is only one consequence. Cyber-attacks can cost the organization loss of resources and operational capability. Further, cyber-attacks are but one type of risk. Wildfires, hurricanes, tornadoes, pandemics and civil unrest are other risks which can cause substantive damage and consume scarce governmental resources.
Public administrators at all levels of government and public administration academics need to recognize that today’s environment is full of risks and that these risks must be managed in a proactive manner. If they are not, then like the governing bodies and management in Northamptonshire and Wellingborough, they will end up with too little, too late.
This may sound harsh, but Northamptonshire and Wellingborough had a risk register. It showed that cyber-attacks were a major risk. They failed to take adequate mitigative action. This leads to the second problem, competition for resources, which will be presented in the next article.
End notes
- Corrigan, Jack, 2019, “Postal Service Watchdog Finds New Vulnerability During Security Audit”, Nextgov, August 7, nextgov.com/cybersecurity/2019/08/postal-service-watchdog-finds-new-vulnerability-during-security-audit/159015/.
- Valiante, Giuseppe, 2017, “Quebec Region Pays $30,000 Bitcoin Ransom After Servers Hacked”, CTV News, November 18, ctvnews.ca/canada/quebec-region-pays-30-00-bitcoin-ransom-after-servers-hacked-14182012.
- Marchante, Michelle, 2019, “Another Florida City Was Hacked. Thousands of Dollars Are Missing, Leaders Say”, Miami Herald, August 2, https://www.miamiherald.com/news/states/florida/article2334432632.html.