In today’s digital era, the public sector is undergoing a profound transformation driven by technology. From local councils to central government agencies, the adoption of digital initiatives has become imperative to enhance service delivery and adapt to citizens’ changing expectations. Moreover, the COVID-19 pandemic underscored the criticality of digital resilience, prompting governments worldwide to expedite their digital agendas to ensure uninterrupted services amidst unprecedented disruptions. Take Uganda, for example, where a host of digital initiatives have been deployed to modernize governmental functions. These range from national payment switches to self-service government e-portals enabling citizens to conduct tasks such as online driving permits and passport applications and renewals. Notable open data platforms like the Government Citizen Interaction Centre (GCIC) and the online tax-filing system (EFRIS) have further facilitated citizen engagement and transparency. Additionally, initiatives such as public safety and emergency response alert systems have enhanced the government's ability to ensure the welfare of its citizens.
However, despite the immense potential of digital transformation, this journey is not without its challenges, notably in the realm of cybersecurity. Given the abundance of sensitive data processed, such as citizens' personal information, classified government data, and critical infrastructure details, the sector has become an attractive target for various cyber threats. These threats extend beyond common cybercriminal activities to encompass sophisticated espionage and sabotage schemes orchestrated by nation-states and terrorist groups. Between September 2020 and August 2021, 40% of the threats managed by the National Cyber Security Centre (NCSC) targeted the public sector. A 2023 report by the National Cybersecurity Agency of France (ANSSI) also highlighted a significant increase in cyber threats, particularly ransomware attacks, with 23% affecting the public sector. These statistics underscore the gravity of the danger posed to the public sector by cyber threats.
Yet, despite a growing awareness of the risks, cybersecurity in the public sector remains significantly underfunded. In 2022, only 6.6% of the public sector budget was allocated to cybersecurity, while the level of technological maturity exceeded 36.9% (source: Wavestone, March 2022). This mismatch in budget allocation has over the years reflected a lack of maturity in cybersecurity considerations. To highlight a few examples, there is a shortage of skilled cybersecurity personnel employed by the public sector. Furthermore, many government agencies operate outdated systems which have reached end of life, are no longer supported and contain common vulnerabilities with known exploits. These legacy technologies lack the robust security features of modern counterparts, providing cybercriminals with numerous entry points. Not only are these legacy systems vulnerable, they are also ill-prepared to leverage emerging technologies and meet evolving public expectations. At the core of the problem lies the challenge of “red tape” and bureaucracies in responsibility mapping and performance measurement. As such, cyber risks are often poorly identified and owned, which leads to sluggish action plans and decision-making challenges. From a broader perspective, it is important to also note that the interconnected nature of government systems and public sector services in a complex value chain amplifies the impact of successful cyberattacks, as they can potentially spread across multiple agencies and systems and become a systemic issue.
As the sector steadily advances in digital maturity, the imperative for a robust cybersecurity infrastructure becomes increasingly crucial and is a pivotal cornerstone in the collective defense against the ever-evolving landscape of cyber threats. The alarming frequency of attacks, the increasing sophistication of exploit approaches and the impact they leave on critical public infrastructure call for urgent action towards cybersecurity policies, programmes and practices which promote the objectives of safeguarding national security, upholding public trust, and guaranteeing the seamless provision of essential services to citizens.
Creating a resilient cybersecurity infrastructure demands a multifaceted strategy. As an initial step, there must be a concerted effort to enhance the appreciation of cybersecurity in the sector. Comprehensive educational programs, workshops and awareness campaigns focused on cybersecurity would need to be curated and implemented to cover all relevant officials needed to support the drive for maturity. Secondly, there should also be a concerted effort to prioritize cybersecurity funding and budget allocation within the public sector to mirror digital transformation investments as a key attribute of security and privacy by design. Additionally, collaboration among government agencies and regulatory bodies is essential to establish policies, frameworks and standards mandating security and privacy considerations in all tech projects and ensuring that cybersecurity is integrated from the outset or, at worst, retrospectively for existing infrastructure. Facilitating collaboration between public and private sectors is equally vital, as a means for information sharing, joint threat intelligence analysis, and coordinated response efforts. To ensure that these programmes are indeed delivering on the target objectives of cybersecurity, resilience and privacy, mechanisms would also need to be designed and implemented for periodic review of the programmes to assess their effectiveness, identify issues and chart a resolution plan for implementation.
In conclusion, as the public sector strides forward into the digital age, the blueprint for cybersecurity in the public sector must adapt—becoming more agile, scalable, elastic, and flexible to safeguard sensitive data, critical systems, and citizen trust.
By Dorothy Nansubuga - Senior Associate Consulting and Risk Assurance Services at PwC Uganda