The Big Reveal: State Government’s 2013 Cyber Threat Levels Explained

Each year, Symantec releases its Internet Security Threat Report (ISTR), which recounts—in exhaustive detail—a summation of the previous year’s cybersecurity actions, trends, threats, and opportunities.

(How do we get all this data? By leveraging Symantec’s Global Intelligence Network, which is comprised of more than 69 million attack sensors, and records thousands of events per second.)

Historically, the ISTR’s annual unveiling has always been (as Vice President Biden might say) a “big bleeping deal” for government stakeholders. But this year, it’s even more important, thanks to two additional factors:

1) More than ever, governments this year are treating quantitative data as the key ingredient for making IT projects more efficient and effective. (In fact, Federal Tech Chief Steven VanRoekel essentially promised as much to members of Bethesda’s AFCEA chapter last week—drawing particular attention to the PortfolioStat program, which aims to identify an additional 2.5 billion in IT savings.)


2) This year, for the first time since 2009, Symantec released a government-specific version of the ISTR, focusing entirely on relevant, actionable data for federal, state, and local government audiences.

Point being: If you haven’t yet read the report in full—this is the year to do it. As a preface, I’ll also summarize some of the key findings here from a state government perspective, and in doing so, try to facilitate some threat level setting for 2013.

First, let’s talk about government mobility. In 2012, mobile malware increased by 58 percent, while the number of mobile OS vulnerabilities increased by 30 percent. What we’ve learned, however, is that mobile vulnerabilities had very little correlation to mobile malware. (Apple’s iOS, for example, had the most documented vulnerabilities in 2012, but only one threat created for the platform.) Hence, state governments need to understand that hardening mobile systems against hardware and software vulnerabilities is not—in itself—a complete solution for stopping mobile malware. Rather, today’s threats demand a layered approach that combines intrusion prevention, firewall, real-time threat reputation scoring, file behavior monitoring, application control, and device control protections. For mission-critical systems, even more security may be needed—such as tools for physically locking down secure hardware and software configurations.

Second, let’s look at data breach numbers. The good news is that there were fewer high-profile attacks in 2012, and the average number of identities exposed went down significantly. The bad news (for us, at least) is that healthcare, education, and government combined for nearly two-thirds of all of those breaches. Hence, state governments should know that the sensitive records and personally identifiable information they hold (such as health records, tax records, etc.) are as enticing to data thieves as ever, and that now is not the time to cut back on measures for protecting sensitive information.

Finally, let’s talk about the increase of zero-day (i.e., custom-created, never-before-seen) vulnerabilities. 14 more were reported in 2012—four of which were attributed to a group dubbed “Elderwood.” Since gaining notoriety in 2009 with Operation Aurora, Elderwood has been conducting a long-term campaign targeting finance, oil and gas, education, and (you guessed it) governments. The scariest part is that Elderwood appears to have a nearly endless supply of zero-day vulnerabilities at its disposal. (The group uses a single zero-day exploit in each attack, using it until that exploit becomes public and then moving on to a new one.) Again, the key answer for state governments here is a layered approach to endpoint security and critical systems protection—one that goes beyond traditional antivirus signatures, which can’t defend against never-before-seen threats.


This is all, of course, just a glimpse into what Symantec discovered in 2012, and what state governments should be acutely aware of in 2013.

For a much more in-depth view of the threat landscape, and to learn how to best defend against these threats, read the full government-specific Symantec Internet Security Threat Report at
