Why should governments move towards PKI-based cybersecurity?
The increasing digitalization of government public records and transactions in the past several years have ignited the prying eyes of cybercriminals. Governments are the keepers of huge public funds and cyber crooks have shown to be persistent in trying out various methods that could allow them to get hold of these monetary rewards. States are also holders of vast amounts of classified information which, upon successfully being hacked, have been used for ransomware and blackmailing tactics.
An article from Security Magazine states that “an estimated two million cyber attacks in 2018 resulted in more than $45 billion in losses worldwide as local governments struggled to cope with ransomware and other malicious incidents.”
Year 2018 was also the time when the USA became the country that received the highest financial losses due to cyber attacks, with numbers reaching more than $13.7 billion.
Perhaps one of the central reasons for why states ought to continuously improve their cybersecurity is that they collect a lot of personal information from citizens who entrust their welfare to these public institutions.
Notable Government Cyberattacks
This first example is not a malicious attack but a white hat hack conducted by security researcher Chris Vickery back in 2015. He discovered a misconfigured database that exposed the personal information of 191 million voters all over the country to practically anyone on the internet. Among those unprotected information include the voter’s name, date of birth, address and phone number. A police officer who was interviewed regarding this leak expressed his concern for his safety because criminals were then able to access information about him.
The 2019 SolarWinds attack – considered to be the most alarming internet-based espionage conducted against the US government – left thousands of government networks vulnerable to cyber attacks. The email accounts of 27 US prosecutors were hacked and sensitive information about government investigations and informants were possibly compromised. The email accounts of officials in the Departments of Commerce and Treasury were also breached.
The Alaska Department of Health and Services (DHSS) was hit last May 2021 when its website was found to be vulnerable by hackers who then potentially exposed the private identifying information (PII) of countless individuals, including their telephone numbers, social security numbers, and financial information. One danger with such sensitive information being stolen is that the hackers could use these to employ social engineering tactics like calling up banks and working to deceive bank employees into causing changes in the victims’ bank accounts.
The town officials of Peterborough in New Hampshire were victimized last July by social engineering hackers using a strategy called Business Email Compromise (BEC). The officials belonging to the town’s finance department were sent with disguised emails instructing them to forward public service payments to another bank account. This scam tactic was successfully implemented twice in a single month and a total of $2.3 million were stolen by the cyber thieves.
Governments and PKI Technology
Increasingly, national governments worldwide are actively turning to public key infrastructure (PKI) and digital certificates for the purposes of:
- National ID programs.
- Single sign-on (SSO) for workstations and software applications.
- Signed and encrypted government email.
- Authentication of documents through digital signatures.
- Authentication of citizens’ identities for online services such as taxpaying.
National digital ID programs are a worldwide work-in-progress. According to a 2016 World Bank report, “Most developing countries have some form of digital ID scheme tied to specific functions and serving a subset of the population, but only a few have a multipurpose scheme that covers the entire population.” According to the same report, the reasons for adopting digital ID varies by nation: “In high-income countries, digital ID represents an upgrade from well-established, robust legacy physical ID systems that have worked reasonably well in the past,” while “low-income countries…often lack robust civil registration systems and physical IDs and are building their ID systems on a digital basis, leapfrogging the more traditional physically based system.” In either case, it is clear that the global trend is toward the creation of new national digital ID systems or the expansion of existing systems.
- Estonia’s e-identity program provides all of its citizens with a state-issued digital identity that can be used for digital signatures as well as voting and other government services (99% of which are available online). Estonian citizens can access these services through a smart ID card that has been issued to 98% of Estonians, as well as via smartphones and other mobile devices.
- The United Arab Emirates (UAE) currently issues smart identity cards to all citizens. The electronic chips in these cards include digital certificates for identity authentication and digital signatures, along with biometric fingerprint data. This ID card is used by UAE citizens to access the vast majority of smart government services in that nation.
In many cases, initiatives such as these include legislation to create an agency tasked with developing and enforcing national standards for public key infrastructure (PKI), licensing local certificate authorities (CAs) to provide digital certificates, and/or developing government-run PKI and CAs. These agencies are commonly given the title Information and Communication Technologies Authority (or ICT Authority). This article is intended to supply decision-makers at national ICT Authorities and licensed CAs with the information they need to answer important questions like:
- Should we develop our own internal PKI, or contract the services of existing CAs?
- What is the fastest and most efficient route to offering publicly trusted certificates to our citizens?
PKI, Digital Certificates, and CAs: A Quick Review
In a nutshell, Public Key Infrastructure (PKI) is used to manage pairs of public and private keys and bind them to the identities of entities, such as persons and organizations, through the issuance of electronic documents called digital certificates.The mathematics behind PKI ensure that if a certificate is signed with a given entity’s private key, anyone with the public key from the pair can:
- Verify that the entity presenting the signed certificate is in possession of its corresponding private key (authenticity).
- Trust that the content of the certificate has not been altered since it was initially generated (integrity).
- Use the public key to encrypt a message that can only be decrypted with its associated private key (encryption).
By enabling authenticity, integrity, and encryption, PKI and digital certificates permit secure communication over insecure networks, such as the Internet. An organization that maintains a PKI and manages the issuance and revocation of digital certificates is known as a certificate authority (CA).
Public vs. Private Trust
Although there are many applications for digital certificates, their most well-known use is for secure web browsing, made possible through the SSL/TLS and HTTPS protocols. In order to prevent browser warnings and error messages, digital certificates issued for public-facing websites must be signed by a publicly trusted CA. Public trust is also desirable for certificates to be used with email clients, desktop operating systems, and other software for end-users, so that users or IT staff will not have to manually add privately trusted certificates to OS certificate stores.
Publicly trusted CAs are regularly and rigorously audited for compliance with industry standards, such as WebTrust for CAs, in order to be included in the public trust stores of major operating system and software suppliers such as Microsoft, Apple, Google, and Mozilla. It can take many years for a CA to gain inclusion into all of these programs, and they must undergo regular, rigorous audits in order to maintain that status. In contrast, privately trusted CAs are not subject to these standards, but are not as useful for public-facing applications.
Government PKI Development: Internal vs. Hosted
Once a government decides that it needs a PKI to issue certificates to its citizens (or a local company seeks licensing to offer certificates on behalf of the government), a common first thought is to invest in the development of an independent infrastructure. After all, software for implementing a self-signed CA is available at low or no cost through software such as Windows Server, OpenSSL, and EJBCA. On second glance, however, this option has multiple potentially deal-breaking challenges and costs to overcome:
- Achieving public trust for seamless use with desktop operating systems and software such as web browsers, email clients and office suites is typically a long, arduous process, and successful achievement and maintenance of this status is not guaranteed.
- The costs of finding and employing qualified staff to securely and effectively operate a PKI at a national scale are considerable.
- The hardware and networking costs associated with establishing and maintaining a national PKI may be greater than initially expected. Furthermore, attempts to scale PKI (for example, to cover more citizens and enable additional essential government services) will likely require additional expertise and infrastructure over time.
As digital technology and its associated security needs become more intertwined with government processes and more agencies and citizens make full use of digital certificates, hardware, networking, and personnel costs can all be expected to grow. These expanding costs can be a limiting factor on using PKI to its fullest potential to serve a nation and its citizens.
Advantages of Hosted PKI
Some commercial public CAs, including SSL.com, currently offer hosted publicly and privately trusted PKI as a service, and offer the potential for governments and their licensees to bypass many of the issues detailed above. Furthermore, the industry standards for security and reliability to which these CAs are held are typically already in compliance with the PKI standards and guidelines issued by national ICT Authorities. By choosing a hosted PKI with a reputable public CA, governments can expect to find:
- Effective systems already in place for certificate issuance, lifecycle maintenance, and expiration, along with automated notifications of impending certificate expiry.
- A PKI already operating successfully at a global scale.
- A CA that is subject to frequent, detailed audits that meet or exceed the standards put in place by the nation’s ICT Authority, and is required to stay abreast of evolving industry standards and best practices.
In most cases – and especially for developing nations – the hosted solution will be found to be less expensive, simpler to implement, and more secure than attempting to develop a home-grown PKI.
Hosted PKI from SSL.com
For our government customers globally, SSL.com offers the following world-class benefits:
- Custom Solutions: SSL.com collaborates with governments and licensees worldwide to optimize the generation, installation, and lifecycles of certificates for smart ID cards and other applications.
- Branded Subordinate CA: A hosted subordinate CA (also known as an issuing CA) from SSL.com offers complete control over the issuance and management of publicly or privately trusted certificates, at a fraction of the cost of establishing their own root CA and PKI infrastructure. For example, a local CA licensed to issue certificates on behalf of government can immediately achieve public trust, regulatory compliance, and branded digital certificates.
- Management Tools: SSL.com‘s online management tools allow users to easily issue high volumes of certificates and manage their lifecycle.
- API: Administrators can easily automate certificate issuance and lifecycle with SSL.com‘s SSL Web Services (SWS) API.
What specific services does SSL.com offer that help combat cybersecurity threats faced by government agencies?
Our SSL certificates can secure government websites by encrypting personal and sensitive information uploaded on them by public users, including their home addresses, usernames and passwords, social security numbers, and financial details. We use industry standard public key encryption referred to as 2048+ Bit SHA2 which is very very difficult to breach by hackers. We also offer the Wildcard SSL certificate which is very practical to use for government offices. The Wildcard SSL allows a government agency to protect their main website as well as their branch websites/subdomains with just one certificate. Considering that governmental departments have multiple bureaus under them, having an encompassing protective PKI certificate greatly lessens the probability of attackers being able to execute backdoor attacks. Click here to choose among the multiple types of SSL certificates that we offer, including Wildcard.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
As discussed in the earlier section, emails have been a primary strategy used by cybercriminals in stealing huge amounts of money and sensitive data from government agencies. This is where S/MIME comes in as a strong defensive tool in protecting government email systems and transactions. Using PKI and asymmetric encryption, an S/MIME certificate from SSL.com allows a government agency to ensure the authenticity of emails among its employees and officials. If two or more government departments or bureaus are communicating, the S/MIME certificate also provides the assurance that the emails really come from an authentic source and that the email messages are protected while in transit because they are encrypted. Additionally, S/MIME is also a strong deterrent to government employees and officials from being deceived by hackers or acting careless because it creates a system wherein incoming emails are first evaluated to see if they are encrypted with a cryptographic key which proves that the identity of the email’s source is legitimate. So no matter if a scam email has been socially engineered to look like it’s coming from an authentic source, the absence of an S/MIME certificate will promptly warn even the least tech-savvy employee not to entertain it. Go to this page to see which S/MIME certificate from SSL.com best suits your needs.
eSigner Cloud Signing
Government agencies deal with a lot of documents. Sending fake authoritative documents has been one tactic used by hackers to steal classified information, money, and user data from government agencies. Using PKI encryption and cloud technology, SSL.com’s eSigner Express web application allows public offices to safely sign and authenticate documents from any internet-connected device. This feature is particularly expedient during this Covid-19 pandemic where many offices are implementing some level of remote work for their employees. Cloud technology has been proven to be much cheaper than hardware-bound storage equipment. Because eSigner is a software-based storage system, it also offers protection that is virtually impervious from calamities like fires, earthquakes, and floods, and physical burglary.
SSL.com has all the tools necessary for hosted, branded, publicly or privately trusted PKI that satisfies the guidelines of most countries’ ICT Authorities or other IT regulatory bodies. If you would like to contact us for more information, to let us know your specific needs, or have our staff review and confirm our ability to comply with your national guidelines, please contact us by email at Sales@SSL.com or Support@SSL.com, call +1 877-SSL-SECURE, or just click the chat link at the bottom right of this page.
SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites, including: