Every day, Americans by the millions interact with agencies of their government. They apply for student loans, passports, social security, home mortgages. They send personal information to an alphabet soup of agencies: DOT, HUD, USDA, HHS, SSA, DoED, as well as the Departments of State, Interior, and literally, dozens more. These Americans – all Americans – assume that these agencies are protecting their sensitive financial, medical and other personal data. But according to a recent United States Senate report, that expectation is far from reality. The truth is that when it comes to securing our most valuable personal information, our government is basically a giant piñata. The reality would be almost comical if it wasn’t so serious.
So, what’s going on? What are these agencies doing to mitigate risk and how much risk is involved? The answers are -- not much, and insanely risky.
A Constant Threat of Attack
Our federal agencies are under constant, relentless attack. As the Senate report details, in 2017 alone, government agencies reported 35,277 cyber attacks, an average of nearly 100 a day. But that figure does not include the number of attempted scans or probes of agency networks. If those incidents were included, the number of potential attacks would more than double.
Even more disturbing, the majority of the agencies surveyed could not provide a list of all their information technology (IT) assets. They literally have no idea what they have, where they are, and therefore, all of the applications – good or bad -- running on their networks. As Nick Marino, director, information technology and cyber security, for the U.S. Government Accountability Office (GAO) puts it, “what you don’t know, you don’t know.” Without that basic knowledge, agencies cannot secure their applications. It also means that the officially reported numbers of cyber attacks need to be taken with more than just a grain of salt. They are really no more than very conservative guesstimates. As a recent report by the Office of Management and Budget (OMB) concluded, agencies “do not understand and do not have the resources to combat the current threat environment.”
State of the Security Infrastructure
The Senate report reviewed a decade’s worth of agency Inspectors General (IG) audits of their organization’s compliance with the federal government’s basic cyber security standards. The IG audits disclosed a number of systemic problems common to virtually all of the agencies. In addition to the inability to maintain and supply an accurate list of IT assets, it shows that a majority of the agencies fail to install security patches when notified to secure proven vulnerabilities; did not, or could not certify the security readiness and operations of their systems; and acknowledged that they are using legacy systems no longer supported by their original vendors – making them increasingly costly and more difficult to secure.
It may be hard to believe, but DHS continues to use outdated, unsupported systems, such as Windows XP and Windows 2003.
Perhaps most startling is the fact that the Department of Homeland Security (DHS), the agency responsible under OMB for administering the government’s cyber security policies and practices has failed to address more than a decade of cyber security weaknesses within its own systems. It may be hard to believe, but DHS continues to use outdated, unsupported systems, such as Windows XP and Windows 2003. Then again, this is still light years ahead of agencies like the Social Security Administration which is still running critical programs on COBOL, a computer programming language so old – it was developed in 1959 -- that the SSA is having increasing difficulty finding IT professionals with the expertise to continue to maintain it.
Given all this, it should come as no surprise that the nation’s most secretive organization, the National Security Agency (NSA), was hacked just a few years ago of some of its most powerful cyber weapons. Weapons that since then have been used in a number of recent high-profile ransomware attacks on US cities and other targets of opportunity. Perhaps the only surprise is that it didn’t happen sooner. Or when we’ll discover it’s happened again.
Risk Management the Key
The OMB report identifies the two largest and most substantial risk factors as, first, the legacy systems prevalent across so many agencies, and second, the shortages of experienced and capable personnel to maintain them. A GAO report published in July 2019, echoes that conclusion. It states that the vast majority of government agencies surveyed listed “hiring and retaining key cyber security management personnel” as their biggest challenge to improving their cyber security.
The various government reports issued by the Senate, OMB and the GAO all align on what needs to be done to improve the cyber security of our nation’s federal agencies. They all agree that the first step is to put into place risk management systems that will allow agencies to identify which areas need to be addressed and in what priority. One reason this is so important is because any solutions will likely outlast an agency’s present leadership. As the GAO’s Marino points out, the average tenure of an agency chief information officer (CIO) is just two years. Technology solutions already proposed or in progress, such as the DHS’s National Cyber Security Protection System (NCPS), better known as Einstein, and Continuous Diagnostics and Migration (CDM) program, may have lead times measuring a decade or more.
Identifying their most significant risk factors will allow each agency to make the case for the right budget to address these issues, regardless of leadership turnover, the operations and management (O&M) needs that have for at least a decade taken up 80 percent of every agency’s IT budget and other challenges. When you don’t know what you don’t know, that goal becomes far more difficult. “In cyber security management, it’s always a matter of accepting risk because of a lack of resources,” concludes Marino. “The best one can do is identify what creates the most risk.”