Since November, there have been 15 reported nation-state attacks worldwide by hacking organizations inside Russia and China. The Center for Strategic and International Studies (CSIS) has a running list of significant cyber incidents since 2006.
Most recently in January, CSIS said there were reports of Russian hackers going after Italian diplomats and Chinese groups going after Taiwan’s government systems and telecommunications infrastructure, just to name two examples.
Federal agencies and critical infrastructure providers are not immune to these threats either. The Treasury Department’s recent cyber troubles and other similar incidents are forcing these organizations to address this ever-increasing and changing threat.
Still, the most common attack vector for agencies remains email phishing, while attacks on websites or web-based applications are the second most common vector, according to the Government Accountability Office’s report from 2024.
Add to this the increased use of ransomware and the growing recognition of software and API vulnerabilities, and agencies are facing a continuing deluge of threats and challenges.
Michael Riemer, the senior vice president of the network security group and field chief information security officer (CISO) at Ivanti, said over the last two years, the scale and sophistication of cyber threats from countries like China, Russia, Iran, North Korea and others have increased. They are using advanced cyber capabilities to try to infiltrate federal systems, disrupt critical infrastructure and steal sensitive information, including intellectual property and classified data.
“These actors are often employing tactics such as zero day vulnerabilities, spear phishing campaigns and supply chain compromises to bypass security measures and remain undetected,” Riemer said during the Innovation in Government show, sponsored by Carahsoft. “Compounding these issues is the interconnected nature of government systems, where vulnerabilities in smaller departments can lead to breaches in agencies holding much higher value data.”
He said that with the addition of advanced cyber capabilities built on the latest artificial intelligence, and with hacker groups that have specific skill sets, such as system penetration or deploying ransomware, working together, agency cyber defenders constantly have to do more to protect their data and systems.
Shadow IT remains a challenge
While education and training of the workforce remains a big priority for many agencies — spear phishing and phishing attempts remain the largest attack vector for most organizations — Riemer said there are several considerations agencies must keep in mind as they continue to face increasingly advanced cyber threats.
“You’ve got to know what you have on your network. That’s the first step. What we’re finding is that when you go out with an asset discovery system, there’s usually about 20% of the devices that are discovered that the network and administrators had no idea were on their network,” he said. “This is shadow IT. This is also old legacy devices that they’d thought had been decommissioned and removed from the environment, and they’re still sitting there, and some of them with internet access. And then it’s a lot of what we call internet of things (IoT). These IoT devices can even masquerade themselves as a vending machine because with a vending machine nowadays you can go and slip in a debit card and pay with debit card versus cash. Well, how does it run that debit card transaction? It does it through internet connectivity. So those devices are on the corporate network or on a segment of the corporate network, hopefully secured off from the rest of everything else, but often they’re not, and this is where an asset management system can come into play to let you know exactly what’s on the system, where it’s located, and also what version of operating system or code is running on that solution, so that you’re looking at what is your overall attack surface from a corporate perspective.”
And then there also are employees’ personal devices connecting to the corporate network that can create possible vulnerabilities. Riemer said between IoT, operational technology and shadow IT devices, the threat ecosystem is always growing.
“I would say, especially in the last 12 to 18 months, I’m starting to hear a lot more about securing OT and IoT devices, especially in the supply chain. In the loading docks, the trucks and the information, the devices that are used to track shipments coming in and out of buildings, all of those types of devices, which we call supply chain management solutions, have never really had any type of security parameters around them because they were considered to be protected networks or off-network types of solutions,” he said. “But nowadays you have direct communication with the corporate network on that supply information, so as those trucks roll in and product is coming off, that information is going directly into the inventory asset management solution on the corporate network, which means that all of those handheld devices, which used to be hardened single use devices, which are now mobile devices running Android or Apple OS, and they’re out there scanning these codes, and all of that information is being broadcast across open WiFi networks. There’s a lot of inherent risk that has come there, especially with these types of inclusions, as it were, into the modern day of technology.”
Threats against mobile devices increasing
Riemer said Ivanti already is helping some agencies with this challenge. He said the Defense Information Systems Agency has been using mobile device management (MDM) software to protect about 200,000 devices.
Another key factor agencies need to consider is how vendors are applying the “secure by design” approach to software.
Riemer said while the concept isn’t necessarily new, vendors and agencies alike are focused on these development approaches now more than ever. He said secure by design goes a step further than the traditional way of adding security at the beginning of the development phase.
“It goes into secure by default concepts, which is that when I create a solution and somebody plugs it in for the first time, by default that configuration should be secure. There shouldn’t be any open policies. There shouldn’t be any default passwords. Years ago, you used to go to Best Buy and you’d pick up a WiFi router, and you’d bring it home and plug it in, and 99% of the people would never go in and set it up, so you have the default WiFi configuration with the default password, and that’s published out on the internet for support reasons. So anybody and their brother could hack into your WiFi router. This is what is meant by secure by default, making sure that you’re prompting the user for a one-time password, or you’re prompting the user to put in a special type of configuration setting that’s only and unique to them,” he said. “The other big thing is we have eliminated full classes of vulnerabilities. This is especially important to the software vendors that have legacy systems out there that we’re continuing to use on a daily basis. We need to drive through that code and make sure that we’re looking for specific classes of vulnerabilities, whether that’s a SQL injection or remote code executions. We need to go through that and make sure that we’re driving those types of vulnerabilities out of the solutions.”
Riemer said threat actors are getting more sophisticated and intelligent by using AI tools to decompile code to find the possible vulnerabilities.
“They can see every change that I’ve made in my software code between two releases, and then they’re able to take those changes and they can start looking in those changes to see if there’s anything they can attack. So this is where it becomes critical for vendors that are producing software to be transparent and communicate what their vulnerabilities or weaknesses are in their code as they release their new patches, because then defenders understand that if you don’t apply this patch, or even if you do apply this patch, here are the things that threat actors are going to be going after because they’ve been announced by that vendor,” he said. “Part of that comes down to education of the customers so that they understand there are two types of CVEs out there. One CVE is the bad one, which is the zero day exploit. That’s one threat actors found before anybody else did, and they’re using it to get into the systems. The other one is the vendor-announced transparency CVE; these are the ones that come out on a regular basis with the releases.”
© 2025 Federal News Network. All rights reserved.