Government: The Top Target for Cyber Threat Actors

Compromised public-sector information does more than bruise reputations. It can undercut national security, erode public trust, and interrupt the basics of daily life.

By CyLogic Team


January 3, 2025


Governments at every level run the systems that keep water flowing, emergency calls routed, trains moving, and police and first responders coordinated. That reality has made public agencies a favorite target for both profit-seeking criminal groups and state-sponsored teams. Verizon’s latest public-sector snapshot of its Data Breach Investigations Report underscores the point, with espionage-motivated breaches rising and ransomware remaining a fixture across government environments.

Public institutions carry outsized risk: when a city hall or a federal bureau goes down, citizens feel it immediately.

What attackers want and how they get in

The public sector holds an unusual volume of sensitive data, from criminal justice records to benefits files and security-clearance dossiers. That concentration of information draws both spies and extortionists. In 2025’s snapshot, Verizon reports that government breaches are dominated by system intrusion, basic web application attacks, and a persistent category of human-driven errors. Ransomware appears in roughly a third of public-sector breaches, and three-quarters of those victims are state, local, tribal, and territorial entities rather than federal ones.


The stakes for services

Recent incidents show how a single compromise can cascade into service disruptions. Atlanta’s 2018 SamSam ransomware attack halted routine city operations, wiped key legal and police video files, and forced residents back to paper processes as systems were restored at significant cost. In 2023, exploitation of a vulnerability in the MOVEit Transfer file-transfer software reached into multiple federal agencies, exposing personal data and prompting an urgent, cross-agency response coordinated by CISA.

City hall outages are not abstractions. They delay utility payments, court operations, and even 911 support functions.


Where agencies still fall short

Federal assessments have long warned that agencies struggle with visibility. In its 2018 government-wide risk determination report, the Office of Management and Budget found that agencies could not identify the attack vector in 38 percent of cyber incidents, a stark indication of limited situational awareness. The structural challenge persists: GAO’s 2025 update highlights billions spent sustaining decades-old, vulnerable systems, with only a fraction of the most critical modernizations completed to date.

Compounding the problem, third-party and cloud-adjacent failures have become recurring sources of risk. CISA’s April 2024 Emergency Directive 24-02, issued after the nation-state compromise of Microsoft’s corporate email system, required agencies to take immediate steps to identify and mitigate exposure, a reminder that supply-chain and platform dependencies can put government data in play even when agency systems are properly configured.

You cannot defend what you cannot see. Visibility into assets, identities, and data flows remains the foundation for progress.


Protecting personal data and public confidence

Few breaches loom larger than the 2015 compromise of the U.S. Office of Personnel Management, which exposed security-clearance files and other records for more than 21 million people. A decade later it stands as an object lesson: adversaries target government data because it is both sensitive and enduring, with long-tail counterintelligence implications.


Keeping vital services running

The operational risk is not hypothetical. From local government outages to federal software supply-chain events, the common thread is that essential services are one exploit away from disruption. Verizon’s public-sector data shows human-initiated mistakes—misdelivery, misconfiguration, and classification errors—still feature prominently in breach patterns, which means resilience planning must account for both malicious actors and routine failures.


Standards and the path forward

The policy arc is bending toward uniform controls, continuous monitoring, and zero trust. OMB’s Federal Zero Trust Strategy (M-22-09) set agency objectives through the end of FY 2024, while the National Cybersecurity Strategy’s 2024 implementation plan continues to press for stronger identity, software supply-chain security, and incident reporting.

In cloud security, the government has moved from guidance to law. The FedRAMP Authorization Act, enacted as part of the FY23 NDAA, codified the program and aimed to speed reuse of authorizations across agencies. OMB followed with 2024 guidance (M-24-15) to modernize FedRAMP’s processes and automation. Together, they point agencies toward standardized baselines aligned to NIST SP 800-53 Rev. 5 and toward faster, safer cloud adoption.

Cloud is not a single risk decision. It is a series of control decisions that must be tested, monitored, and reused across agencies.


What to prioritize now

First, improve discovery and telemetry. Agencies cannot patch edge devices or revoke stolen credentials they do not know exist. Verizon’s data shows a continued rise in vulnerability exploitation against edge infrastructure and VPNs; mean time to remediate those issues still stretches to a month, which is too long against modern exploitation tempos.

Second, constrain identity and access everywhere. The emergency directive following the Microsoft incident illustrates how token theft and credential reuse ripple across tenants and partners. Shortening token lifetimes, enforcing phishing-resistant MFA, using hardware-backed keys for admins, and isolating high-risk workloads are no longer best practices; they are table stakes.
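As an added illustration of that second point (example code written for this page, not the article’s or CyLogic’s own tooling): a resource-side check that verifies a bearer token’s signature, then rejects it if its lifetime exceeds a per-role ceiling or if an administrative session was not established with a phishing-resistant factor. The policy numbers, the role claim, the HS256 shared key, and the set of amr values treated as phishing-resistant ("hwk" from RFC 8176 plus an assumed issuer-specific "fido") are assumptions for the demonstration; in production the tokens come from the identity provider and are verified with its public key.

```python
import base64
import hashlib
import hmac
import json

# Assumed policy (not from the article): per-role ceiling on token lifetime in
# seconds, and the amr values accepted as phishing-resistant. "hwk" is the
# RFC 8176 value for a hardware-secured key; "fido" is an assumed issuer name.
MAX_LIFETIME_S = {"admin": 15 * 60, "user": 60 * 60}
PHISHING_RESISTANT_AMR = {"hwk", "fido"}

KEY = b"constructed-demo-key"  # constructed; real tokens are verified with the IdP's key
NOW = 1_700_000_000            # fixed clock so the demonstration is reproducible


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for the demo; in production the IdP does this."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def evaluate_token(token: str, key: bytes, now: int):
    """Return (accepted, reason). Signature first, then lifetime, then MFA policy."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        return False, "alg not allowed"
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(b))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False, "missing iat/exp"
    if now >= exp:
        return False, "expired"
    role = claims.get("role", "user")
    ceiling = MAX_LIFETIME_S.get(role, MAX_LIFETIME_S["user"])
    if exp - iat > ceiling:                    # long-lived tokens are rejected outright
        return False, f"lifetime exceeds policy for {role}"
    if role == "admin" and not set(claims.get("amr", [])) & PHISHING_RESISTANT_AMR:
        return False, "admin session lacks phishing-resistant MFA"
    return True, "ok"


def demo() -> dict:
    """Constructed tokens covering the accept and reject paths."""
    cases = {
        "admin_short_hwk": {"sub": "ops-admin", "role": "admin", "iat": NOW - 60,
                            "exp": NOW - 60 + 600, "amr": ["pwd", "hwk"]},
        "admin_short_otp": {"sub": "ops-admin", "role": "admin", "iat": NOW - 60,
                            "exp": NOW - 60 + 600, "amr": ["pwd", "otp"]},
        "admin_long_hwk": {"sub": "ops-admin", "role": "admin", "iat": NOW - 60,
                           "exp": NOW - 60 + 8 * 3600, "amr": ["pwd", "hwk"]},
        "user_short_pwd": {"sub": "clerk", "role": "user", "iat": NOW - 60,
                           "exp": NOW - 60 + 1800, "amr": ["pwd"]},
        "expired": {"sub": "clerk", "role": "user", "iat": NOW - 7200,
                    "exp": NOW - 3600, "amr": ["pwd"]},
    }
    results = {name: evaluate_token(mint_token(c, KEY), KEY, NOW) for name, c in cases.items()}
    # Privilege-escalation attempt: a user token's signature glued onto an admin payload.
    user_h, _, user_sig = mint_token(cases["user_short_pwd"], KEY).split(".")
    _, admin_b, _ = mint_token(cases["admin_short_hwk"], KEY).split(".")
    results["forged_role"] = evaluate_token(f"{user_h}.{admin_b}.{user_sig}", KEY, NOW)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Ordering matters: the signature is verified before any claim is read, so the forged role claim is rejected as a bad signature and never reaches the policy logic. The lifetime ceiling is enforced from the token’s own iat and exp at the resource rather than assumed from the issuer’s settings, which is what turns "shorten token lifetimes" from a configuration someone remembers to apply into a control that is checked on every request.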

Third, treat error as an engineering problem. Misdelivery and misclassification errors are solvable with guardrails: data-loss prevention tied to labeling, default-deny sharing policies, and routine testing of backup and restoration paths for critical services. The goal is continuity—keeping water billing, 911 dispatch, unemployment insurance, and benefits portals functional even when something breaks.


The bottom line

Government remains the biggest, most consequential target in cyberspace because it concentrates the data and the services adversaries value most. The threat is not static, but neither is the response. Agencies have clearer standards, codified cloud rules, and a more candid picture of their legacy debt than they did a few years ago. The job now is consistency: make visibility routine, make zero trust real, make cloud controls reusable, and keep rehearsing how to deliver services under stress. The public will judge cybersecurity not by the policies on paper but by whether the water runs and the ambulances roll when the next headline hits.
