The U.S. Department of Defense (DoD) and civilian government agencies are mandated to protect government data in transit and at rest across their networks and IT ecosystems. While current data governance, risk, and compliance (GRC) strategies address common cybersecurity issues, CIOs continue to be challenged by:
- IT ecosystem complexity;
- an evolving threat landscape;
- growing data volume from AI, IoT, and sensors;
- an expanding cyberattack surface; and
- gaps in core-to-tactical edge DevSecOps data and application protection.
Multi-cloud data sprawl, rising costs for legacy VMs, and outdated technology and disaster recovery plans are related challenges that can leave government data vulnerable to everything from simple phishing attacks to global network DDoS attacks, to sophisticated AI-driven ransomware schemes targeting critical infrastructure. Ransomware attacks on defense and civilian government agencies often go unreported. Of the 1,193 total ransomware attacks that were reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023, healthcare/public health, critical manufacturing, government facilities, and information technology sectors were hit hardest.
Based on a survey of 1,200 CISO, senior executive, cybersecurity, and backup professionals, the U.S. Federal version of Veeam’s 2024 Ransomware Report shows 76% of responding organizations recognize a ‘protection gap’ exists between how much data they could afford to lose in a ransomware attack and how their data is currently protected. U.S. federal government survey respondents also indicated a ransomware attack was more than twice as likely to affect all or most of their cloud vs. on-premises data.
While frameworks and regulations like NIST 2.0, CIRCIA, CDM, TIC 3.0, DORA, GDPR, CCPA, PCI, and HIPAA provide minimum baselines for protecting certain classifications of data, data protection strategies, practices, and tooling are long overdue for modernization.
The U.S. Department of Defense and civilian agencies have long trusted Veeam to securely back up, recover, and manage legacy, virtualized (VMs), and containerized data and applications for any technology, in any environment, no matter how complex.
In this guide, we’ll explore in more detail the cybersecurity challenges U.S. government organizations face and strategies being used to enhance data protection throughout the IT ecosystem.
Understanding U.S. Government Data Protection
“Government data protection” encompasses the compliance mandates, regulations, and policies that apply to data stored in and transmitted over U.S. federal, state, and local government networks, data centers, applications, and clouds with DoD authority to operate (ATO). These same protection requirements also apply to contractors who work with the DoD and civilian agencies.
Veeam’s modern data protection measures are designed from the inside out to:
- Protect sensitive information from unauthorized use or damage.
- Ensure data integrity, availability (uptime %), and resilience (RPO/RTO).
- Provide disaster recovery (DR) for continuity of government operations (COOP).
By law, agencies are required to keep certain types of data from being shared, read, altered, or deleted by unauthorized persons. Personally Identifiable Information (PII) and human genomic data are examples of legally protected information. At a minimum, electronic data stored or transmitted by U.S. government agencies, or by contractors on their behalf, requires encryption in motion and at rest. Data should also be backed up, immutable, and recoverable in a clean, secure, technologically agnostic environment in the event of a disaster, ransomware, or other cyberthreats.
The Challenges of Government Data Protection
The sheer size and complexity of government IT systems present the biggest data protection challenge for IT leaders. Government applications and data repositories, whether on-premises or in service provider clouds or both, make high-impact targets for cybercriminals. IT staff must protect massive amounts of data, monolithic applications, and newer dynamically provisioned microservices across government departments, agencies, divisions, offices, and locations. Having a highly distributed IT ecosystem and so many stakeholders makes agreeing on and implementing a standardized government-wide data protection strategy extremely challenging.
Another data protection challenge is the government’s continued reliance on legacy systems and outdated technologies such as legacy VMs. A “lift and shift” strategy could ideally be used to migrate data and old applications into modern systems or clouds. But this action can be difficult due to vendor lock-in, migration and budget pains, and cultural barriers at individual agencies.
Another data protection challenge is the misconception that cloud data is automatically backed up, so no additional data protection is needed. In fact, it is not: under the shared responsibility model, backups of cloud data are the customer’s sole responsibility, not the cloud provider’s.
A rapidly changing threat landscape, shortages of skilled staff, and siloed IT and cybersecurity operations, along with attackers who use advanced tactics, techniques, and procedures (TTPs) to induce harm, also continue to challenge CXOs. Ransomware and insider cyberattacks are among the most difficult challenges for agency IT leaders to address.
Cyberattacks are Costly
Cyberthreats come in numerous forms, from phishing and social engineering to automated brute force attacks, ransomware attacks, port scans, and zero-day exploits. Perimeter firewalls can stop lots of attacks at the tactical edge, but not all. Intrusion detection systems can alert system administrators to suspicious activities and auto-trigger remediation actions when an incident is detected. But many incidents are difficult to detect with legacy data monitoring and management tools. And unfortunately, malicious actors do not need systems access for very long to do a lot of damage, potentially hindering an agency or warfighter from achieving the mission.
Ransomware has become, and will continue to be, a top cybercrime challenge for IT leaders to solve in 2024 and beyond. It can infect systems, encrypt data on an infected drive and spread to other network-accessible drives within seconds. For U.S. government organizations, ransomware attacks have resulted in significant financial losses. Between 2018 and December 2023, these attacks cost government agencies over $860 million in downtime alone, with the average ransom demand rising to an estimated $1.85 million in 2023.
Even ransomware attacks on privately owned “critical infrastructure” companies impact government agencies like HHS CMS. For example, the Change Healthcare ransomware attack in 2024 was the most damaging incident against the U.S. healthcare system in its history. All in all, the total damages are estimated to reach over $1 billion (USD), with only $22 million of that being for the ransomware payment. Numerous downstream healthcare providers were also negatively impacted by a prolonged systems shutdown that delayed patient care and hindered Change’s ability to reimburse providers for Medicare and Medicaid services. This put private health practices at risk of closing.
Cyberattacks’ Impact on Government Operations
The approximate time it takes to detect and recover from a ransomware attack is almost one year, per a 2023 IBM study. Sophos News reports the frequency of ransomware attacks on state and local governments increased from 58% to 69% year over year from 2022 to 2023. Nearly 76% of these attacks resulted in data encryption, with 48% also involving data theft, demonstrating the increasing complexity and severity of these attacks.
In January 2024, the U.S. Government Accounting Office (GAO) Report on Critical Infrastructure Protection (GAO-24-106221) recommended enhancing oversight of ransomware practices at agencies that remain vulnerable.
Threat actors come in many forms, as does ransomware. Ransomware attack TTPs are typically bespoke and written to target specific systems. Other attacks are more opportunistic, and criminal hackers acting independently can present a major threat to government services such as 911 and emergency response, the country’s economic health, and national security. Because of the potential negative impacts of cyberattacks, no federal, state, or local government IT department can afford to be complacent or assume they’re not interesting enough to be targeted for a cyberattack.
Never trust — always verify there are secure, immutable backups. Also regularly test disaster recovery processes to ensure recovery point and time objectives (RPO/RTO) are met.
Insider Threats and Employee Training
Adopting a “Never trust. Always verify” zero trust approach to identity and access management (IAM) will go a long way in reducing attack risks. Insider threats are an issue for any organization, but the sensitive nature of the information that IT and cybersecurity team members have access to makes the potential for damage to national security even greater. Using role-based access controls (RBACs) can limit the damage insiders might do by ensuring each employee has least-privilege access to only the data they need to do their job and nothing more. Agencies running older systems may not have the ability to lock down individual user accounts to a granular access level though, making it easier for a disgruntled employee or malicious insider to delete or damage data backups, mission-critical applications, and systems.
Insider threats, phishing, and social engineering attacks are only a few of numerous reasons to modernize data security, recovery, and management practices. Standardized training of employees at all levels (yes, even execs!) on a regular basis can go a long way in helping employees identify and report insider threats (see something, say something) and malware or phishing emails before damage is done. Every agency’s last line of defense is having and regularly testing a comprehensive, up-to-date backup and disaster recovery plan.
Agency IT Modernization Budgets
As this list of CSIS significant cybersecurity attacks shows, in spite of progress, there is still a lot of “IT modernization” needed to protect government data from continuous, more sophisticated cyberattacks. Government departments often have limited budgets and must justify to Congress how those budgets will be allocated. Given the increased pace of nation-state attacks on defense industrial base (DIB) companies and U.S. critical infrastructure in 2023 and 2024 to date, the Administration plans to allocate $75 billion on strategic data-centric IT modernization efforts in 2025.
Funding will go to federal civilian and DoD agencies to support specific mission outcomes in five key areas: 1) cybersecurity, 2) artificial intelligence (AI), 3) IT modernization, 4) digital-first public experience, and 5) data as a strategic asset. The funding supports implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” the Federal Zero Trust Strategy, and the National Cyber Strategy. OMB and the Office of the National Cyber Director jointly released OMB Memorandum M-23-18, Administration Cybersecurity Priorities for the FY 2025 Budget, to guide agencies in addressing critical vulnerabilities within this budget.
It can be difficult for smaller federal, state, and local government entities to find funds to spend on a major IT upgrade when they’re already struggling to fund basic IT operations. There’s often a stance of “if it isn’t broken, don’t fix it” in smaller shops, with leaders who don’t understand that an agency’s technical debt increases national security risks over time.
Modernize Government Data Protection
Agencies have numerous options for modernizing data protection cost-effectively. Consider that in a recent data protection trends report related to cloud data backup, only 25% of 1,200 survey respondents use a third-party back-up tool for containers. The same report reveals “reliability and consistency” (of protecting IaaS and SaaS alongside datacenter servers) are key drivers for migrating mixed VM workloads to cloud-native container technology in 2024.
For organizations struggling to protect hybrid and multi-cloud data with legacy backup solutions, Veeam Data Cloud (SaaS) or Veeam Data Cloud (IaaS/PaaS) can supplement or replace your current data protection approach with a modern strategy.
Not sure what type of data protection strategy you need? Ask a Veeam team member for a comprehensive Data Protection Assessment (if you don’t already have one) to understand all aspects of your agency’s “as is” data protection state. Once an assessment is complete, a Veeam expert can work with you to craft and implement just the right data security, recovery, and portability strategy for your agency.
Automation should be built into any data protection strategy. By using Veeam automation and Kubernetes container orchestration platforms (VDP/VDC), human processing time and errors can be reduced earlier in the software development lifecycle (SDLC). Threats can also be detected earlier in the process. Use of government or DoD approved “software factories” and image banks ensures the entire DevOps process is secured from the inside out.
See Veeam’s full 2024 Data Protection Trends Report to learn about data protection strategies for federal, state and local government agencies.
Protect Multi-Cloud Data and Applications
Protecting cloud data across providers can be a minefield for government and public sector customers. While Amazon, Google and Microsoft 365 do offer government-focused solutions, there are still additional security considerations when using cloud services for data protection and when it comes to mitigating the risks of ransomware. Government organizations must take care to research cloud service providers carefully to ensure the services they choose are appropriate for their use case.
Encrypt to Protect Data
Veeam Backup & Replication is a FIPS 140-2 compliant solution that uses 256-bit AES for encryption with SHA-256 hashing algorithms. Any Linux-based components and services make use of trusted encryption libraries. Intelligent automation of backup and recovery tasks ensures backups are properly encrypted, and data classifications reduce the risk of unauthorized access to sensitive data.
Veeam Kasten is secure by design. A cloud-native Kubernetes data protection and mobility solution, Kasten offers a faster, easier route to protecting and modernizing legacy VMs and enhancing hybrid and multi-cloud data security, recovery, and portability agency-wide.
Authentication and Access Control
Authentication and access control are supported by default in most modern IT systems, but many legacy systems used by large government organizations lack such features, making security a greater challenge.
Where possible, organizations should use multifactor authentication to secure accounts and role-based access control (RBAC) to limit employees’ access only to what they need to perform their job. For example, a human resources staff member should be able to read and change records in the staffing part of a database but not change the database structure or access other parts of the system.
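The human resources example above can be expressed directly as database grants. The following is an added illustration, not part of the original article and not Veeam product code; it assumes PostgreSQL, and every schema, table, and role name in it is hypothetical.

```sql
-- Added illustration (PostgreSQL assumed). All schema, table and role names
-- are hypothetical; run as a superuser in a scratch database.

-- Two areas of the database: HR staff need the first, not the second.
CREATE SCHEMA staffing;
CREATE SCHEMA finance;

CREATE TABLE staffing.employees (
    employee_id integer PRIMARY KEY,
    full_name   text NOT NULL,
    job_title   text NOT NULL
);
CREATE TABLE finance.invoices (
    invoice_id integer PRIMARY KEY,
    amount     numeric(12,2) NOT NULL
);

-- The role carries the privileges; people are added to or removed from it.
CREATE ROLE hr_staff NOLOGIN;

-- Read and change records in the staffing area only.
GRANT USAGE ON SCHEMA staffing TO hr_staff;
GRANT SELECT, UPDATE ON ALL TABLES IN SCHEMA staffing TO hr_staff;

-- Tables the current (owning) role adds to staffing later get the same grants.
ALTER DEFAULT PRIVILEGES IN SCHEMA staffing
    GRANT SELECT, UPDATE ON TABLES TO hr_staff;

-- Deliberately not granted:
--   CREATE on the schema (needed to add tables),
--   table ownership (needed for ALTER TABLE and DROP TABLE),
--   anything at all on the finance schema.

-- A constructed login account that receives its access only through the role.
CREATE ROLE hr_user_example LOGIN IN ROLE hr_staff;

-- Audit query: what can this account actually do, including inherited rights?
SELECT
    has_table_privilege('hr_user_example', 'staffing.employees', 'SELECT') AS can_read,
    has_table_privilege('hr_user_example', 'staffing.employees', 'UPDATE') AS can_change,
    has_table_privilege('hr_user_example', 'staffing.employees', 'DELETE') AS can_delete,
    has_schema_privilege('hr_user_example', 'staffing', 'CREATE')          AS can_add_tables,
    has_schema_privilege('hr_user_example', 'finance', 'USAGE')            AS can_enter_finance,
    has_table_privilege('hr_user_example', 'finance.invoices', 'SELECT')   AS can_read_finance;
```

Re-running the final query during periodic access reviews shows whether an account has accumulated privileges beyond read and change on the staffing tables.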
Veeam Data Platform (VDP) includes Multi-Factor Authentication (MFA) options to reduce the risk of accounts being compromised. VDP v12 supports Kerberos Authentication and Group Managed Service Accounts (gMSA) for improved security and account management.
Regular Auditing and Monitoring
Regular monitoring of log files and audits of backups and transaction histories can help organizations identify security breaches quickly. According to some recent research by IBM, security breaches often go unnoticed for months or years. This gives attackers time to look around a system, install backdoors and find ways to escalate their privileges and move laterally to do more damage.
Cybersecurity Training and Security Certifications
The NIST Cybersecurity Framework provides an easy-to-follow set of best practices for IT security. Additionally, there are many industry-recognized certifications and programs available such as ISC2’s Certified Information Systems Security Professional (CISSP), and the SANS Security Awareness Programs. Formalized training and certification programs help cybersecurity professionals maintain their expertise. With greater awareness and education about the threat landscape, cyberattack risks can be managed better.
Some government organizations are required to use certified products that meet strict security standards. There are several IT security certifications issued by and for different organizations. Veeam Backup & Replication v12 is DODIN APL Certified, meaning it is on the Department of Defense Information Network Approved Product List.
If you couldn’t make it to VeeamON 24, you can get Veeam Certified now. Or learn about the future of resilient government data protection!
The U.S. government’s zero-trust strategy combined with Veeam’s secure by design solutions are already helping the DoD meet evolving data protection challenges with our single simplified, cost-effective VDP solution.
The U.S. Navy’s Consolidated Afloat Networks and Enterprise Services (CANES) program is the critical technology platform that enables the fleet to communicate and share information. Under a five-year, $21 million Program Level Agreement (PLA), Veeam will support PMW 160, the program office responsible for the CANES program. Veeam will support the program with configuration, maintenance, and testing of the Veeam Data Platform and Veeam Kasten (formerly known as Kasten K10) for Kubernetes software solutions.
CANES is the Navy’s next-generation tactical afloat network. As a program of record, it consolidates and replaces existing afloat networks providing the necessary infrastructure for applications, systems, and services required to dominate the cyber warfare tactical domain. CANES represents a key aspect of the Navy’s modernization planning by upgrading cybersecurity, command and control, communications, and intelligence systems afloat, and by replacing unaffordable and obsolete networks.
Veeam is committed to supporting its partners in the Federal Government, including the U.S. Navy. As part of this ongoing commitment, Veeam has achieved some of the highest certifications for security. The Veeam Data Platform has achieved Common Criteria certification, validating alignment with the most stringent international cybersecurity regulatory requirements. Veeam has also attained the Department of Defense Information Network Approved Products List (DoDIN APL) certification for Veeam Backup & Replication v12, validating Veeam’s commitment to meet the DoD’s most stringent security, interoperability, and supportability requirements for complex network environments.
Your organization could become one of those success stories in government data security if it takes a pragmatic approach to backups, security, and incident response. We’ve worked with many organizations over the years, including helping the City of New Orleans recover from a ransomware attack without having to pay the ransom.
For more information on these and other security certifications Veeam has achieved, visit our dedicated page.
Veeam Data Protection Certifications and Compliance
Governments are forced to walk a tightrope of balancing privacy concerns, security, and citizen trust. Many organizations wish to engage in open data initiatives but then find themselves faced with questions about sanitizing data before publishing it, and deciding what data to offer, as well as how to secure the API endpoints they provide.
Exactly how each organization strikes the balance between accessibility and security is a decision for them to make.
At Veeam, our data protection solutions are secure from the inside out for end-to-end protection of hybrid and multi-cloud workloads. Try Veeam Data Platform or Veeam Data Cloud now.
Future Trends in Government Data Protection
Data security will always be an arms race between hackers and cybersecurity experts. AI and machine learning will benefit both sides, with AI tools helping developers secure the entire SDLC and helping malicious actors increase their chances for successful automated attacks.
Zero trust architecture is secure from the inside out. It is now a key cybersecurity strategy for government agencies, especially when new systems are being implemented. The approach of “Never trust. Always verify” helps maintain security in high-risk environments. Multi-factor authentication can be employed as one of many verification steps in a zero-trust environment.
In the past, government agencies considered using blockchain technology due to the potential benefits of having data permanently recorded in a tamper-proof digital ledger. However, scalability challenges have doomed many blockchain projects in the financial services sector and government data protection strategies are now leaning toward more dynamically scalable cloud-native protection in zero-trust environments.
Veeam aligns and complies with Supply Chain Risk Management (SCRM) security recommendations thanks to its Independent Verification & Validation and Secure Software Development Framework.
The potential impact quantum computing could have on data security and privacy has become a major concern for cybersecurity experts. Quantum computing brings quantum-resistant encryption algorithms. The move to more secure quantum-resistant encryption has already begun.
Conclusion
Cyberattacks on government organizations have already cost tens of billions of dollars in downtime and recovery costs, and the situation is only likely to get worse. Threats come from all angles, including nation-state actors, cyber criminals, and opportunistic attacks. Government organizations cannot wait to modernize data protection strategies and practices or be complacent when it comes to moving to a zero-trust cybersecurity environment.
Ask one of Veeam’s data protection experts how you can modernize your data protection strategy to support the agency’s mission. Hint: Start with a Veeam Data Protection Gap Assessment!