Governments worldwide are vulnerable to cyberattacks, though the associated risks to their credit quality are limited, according to a new report from Moody’s.
The growing interconnectedness of digital networks and the expanded use of technology to deliver government services have increased governments’ exposure to cyberattacks, both through direct assaults on their own systems and through the impact of attacks on the broader economy. While governments worldwide are vulnerable to cyberattacks, the associated risks to their credit quality are limited, according to a new report from Moody’s.
For bigger governments, including sovereigns and larger regional and local governments (RLGs), the scale and diversification of their economies and sizable financial buffers enhance their ability to withstand cyberattacks. Smaller RLGs typically have fewer protections because of their smaller economies and more limited financial resources.
Digital technologies and e-services have increased the cyberattack exposure of governments.
Sovereigns are more vulnerable than RLGs to attacks that target highly sensitive data, such as confidential national security information, or that disrupt critical infrastructure or services. More sophisticated cyber actors, including state-sponsored groups with geopolitical interests, typically target sovereigns and are often driven by espionage or the intent to disrupt domestic politics, including through election interference. In contrast, RLGs typically are targets of financial opportunity, because their legacy information technology (IT) systems can be vulnerable to ransomware. Socially motivated actors, such as hacktivists, target both sovereigns and RLGs.
Cyber risks vary for governments, but large diversified economies and ample fiscal resources help insulate them to varying degrees.
These qualities highlight the generally lower impact of a cyberattack against governments than against private companies. In addition, unlike businesses, governments do not face the same risks of losing customers or damage to their brands in the aftermath of an attack. For sovereigns, the credit implications of an attack would most likely result from a weakening of institutions and governance strength or from heightened political risk. For RLGs, the main impact would likely be on economic fundamentals and financial performance.
Cyber defense capabilities are often reflected in the strength of government institutions.
Although a well-developed cybersecurity strategy does not necessarily reduce a government’s vulnerability to attack, it can reduce an attack’s severity. Strong cyber defense capabilities can inform how quickly a government can respond to a cyber event, which will help limit the credit impact. These capabilities include ample cybersecurity resources and cyber-specific incident and crisis management teams. In general, more advanced economies with stronger institutions tend to have the most developed cybersecurity strategies and defense capabilities.
Digital technologies and e-services have increased the cyberattack exposure of governments
Governments are susceptible to cyberattack for a variety of reasons and are vulnerable to attack from multiple types of actors. This vulnerability has increased in recent years, consistent with the rise of digitization, the growing interconnectedness of digital networks and the increased use of technology to store personal information and deliver services to residents (e-services), such as government transfers and the ability to make tax payments online.
Larger government entities, including both sovereigns and bigger RLGs, tend to have high public profiles, substantial resources and revenue bases, and control over confidential information. As a result, these entities are attractive targets for cybercriminals. A sovereign government’s central role in payment and clearing systems, typically through its central bank, also increases vulnerability. Meanwhile, all governments, regardless of size, possess sensitive data to some degree and provide essential services.
The risk factors vary for different governments, as do the types of perpetrators who target them. Sovereigns tend to be vulnerable to attacks that seek access to sensitive or confidential data, such as national security information, often driven by espionage, or that disrupt critical infrastructure or government services. Cyberattacks on sovereigns also generally require a high level of sophistication; the perpetrators will likely be well-organised cybercrime groups or state-sponsored actors with geopolitical interests. For example, the US Department of Homeland Security lists cyberattacks by national governments, for cyberwarfare purposes, and by foreign intelligence services, for information-gathering and espionage activities, as a major source of cyber threats to the US (Aaa stable). According to the department, the only entities developing capabilities that could cause widespread, long-lasting damage to US critical infrastructure are nation states.1
In contrast, RLGs are generally more vulnerable than sovereigns to financially motivated, opportunistic cyberattacks, particularly those that use ransomware.2 In these types of attacks, cybercriminals seek to block access to an organisation’s critical data or systems unless they receive payment. The number of ransomware attacks has increased significantly over the past two years, particularly in the US (see box on page 6 for details).
Less-sophisticated perpetrators, such as individual hacktivists and smaller-scale cybercrime groups, can carry out successful attacks on RLGs. These types of attacks are more common for smaller RLGs, which are susceptible to cyber breaches as a result of legacy IT systems that have not been adequately updated and have fewer security controls. Hackers may also target a local government for sociopolitical reasons. For instance, cyberattackers in 2016 hit North Carolina’s government website in protest of a controversial state law.
Cyberattacks can take many forms with varying degrees of impact on government systems and information. In the information security community, the confidentiality, integrity and availability (CIA) triad framework provides one approach to defining threats and vulnerabilities based on the potential impact of a cyberattack on government information and critical systems (see Exhibit 3). In this context, each category is defined as follows:
Confidentiality: attacks that give access to unauthorized users such as through espionage, data breaches, theft of intellectual property, and leaks
Integrity: attacks in which data has been tampered with, for example by manipulating election results, changing payment details, and corrupting sensitive data
Availability: attacks in which information can no longer be accessed, including destructive attacks such as WannaCry and NotPetya, ransomware attacks, and distributed denial-of-service (DDoS) attacks