Race Against Time for Federal Agencies to Fix Cyber Woes

For each high-profile data breach of a corporation that hits the front page there are thousands of lesser cyber attacks ongoing against businesses throughout the country. It should come as no surprise that the same is true when it comes to U.S. federal agencies. A recent report by the White House’s Office of Management and Budget (OMB) documents this truth. More critically, however, the OMB report also reveals the cyber security shortfalls at a large majority of our federal agencies.

In fact, the scope and nature of the many security deficiencies identified raises a serious question: Why are federal agencies struggling so much with their data security issues?

Before brushing off that question as alarmist, consider just a few of the OMB report’s findings:

• Of the 96 federal agencies surveyed, 71 (74%) were deemed to have cyber security programs that were either at risk or at high risk.
• During fiscal year 2016, the agencies experienced 30,899 cyber incidents that led to the compromise of information or system functionality, and the agencies couldn’t identify the method of attack of the attack vector in 11,802 (38%) of those instances.
• Only 27% of the agencies have the ability to detect and investigate attempts to access large volumes of data, and even fewer report testing those capabilities annually.
• Only 49% of the agencies have the ability to detect and whitelist software running on their systems.
• Nearly three-quarters (73%) of agencies encrypt data in transit, but just 16% encrypt data at rest.

Although it identified these and many other shortcomings, the OMB study wasn’t designed to explore two of the biggest threats to cyber security: the prevalence of legacy IT systems and software throughout the federal government, and the challenge – shared with the private sector – of finding and hiring security professionals.

Before we jump to the conclusion that the federal cyber security sky is falling, however, it’s important to note that the OMB report also proposes a number of corrective actions and initiatives. If pursued, those recommendations could go a long way to plugging many of the federal agencies’ current security gaps.

Working with the Director of National Intelligence and other departments, for example, the OMB intends to keep pushing the adoption of the Cyber Threat Framework. In part, this framework provides a means to describe cyber threat activity in a standard way that helps facilitate information sharing and threat analysis.

Several of the OMB’s recommendations aim to promote increased standardization of IT infrastructure and cyber security systems. Legacy IT or not, too many agencies have a patchwork of multiple, often redundant, systems, which can be difficult or impossible to secure in a holistic fashion. Consider that one agency evaluated by the OMB had 62 separately managed email systems within its environment!

It has proven difficult to rectify fragmented IT environments, in part, because agency CIOs have often lacked the authority to make needed decisions and acquisitions. (Indeed, some agencies have had multiple CIOs, splintering both IT environments and manager accountability.) The Federal Information Technology Acquisition Reform Act, adopted as part of the National Defense Authorization Act for FY2015, is gradually having a positive impact in correcting this situation as agencies work through its dictates.

Another area of focus in the OMB report is the variable quality of the security operations centers (SOCs) at each federal agency – along with the fact that some agencies operate multiple SOCs. The OMB report suggests consolidating SOCs in some instances, and is exploring the possibility of designating, in cooperation with the Department of Homeland Security, at least one agency as a SOC Center of Excellence. Another option being explored is to have select agencies provide “SOC-as-a-Service” to agencies lacking strong security teams of their own.

Chris Townsend, vice president of federal at Symantec, finds most of the OMB’s recommendations to be on target, although he might quibble with a few particulars. For example, he cautions, there can be a risk in taking SOC consolidation too far, given that each federal agency has specific challenges and needs. “The missions of individual agencies are unique enough that you’ll still want individual SOCs, which can then be federated into one another,” he said.

Broadly speaking, however, “I don’t think the federal government’s cyber security issues are significantly different from those in the private sector,” Townsend said. Both private and government organizations face many of the same threats and are struggling with the same challenges, he added.

One of the most fundamental of these challenges, Townsend says, is the need to improve the interoperability among security tools and platforms from different suppliers. To help facilitate the goal of integrated cyber defense, Symantec recently launched a Technology Integration Partners Program to promote standards adoption and interoperability among providers of different security solutions.

Ultimately, improving the cyber security of federal agencies will require tight cooperation between both government institutions and the cyber security industry. Townsend says that Symantec has “very good” working relationships with many cyber security decision makers at the federal level – including with the former cyber security coordinator Rob Joyce. Townsend expects that strong collaboration to continue, although he agrees it would help if some of the now-vacant cyber security roles were quickly filled. In April, Joyce announced that he was leaving his post to return to the National Security Agency. A week earlier, Tom Bossert, a White House homeland security advisor often identified as the administration’s “cyber security czar,” resigned.

Long story short, the federal government needs to get its cyber security act together. The challenges federal agencies face are daunting, and their current state of security is cause for great concern, but if they adopt the correct approach – and technologies – they will have much more success in the future.

If you found this information useful, you may also enjoy:

• Defense Cyber Security Adapts to a World in Which Data is the New Endpoint
• IT Modernization is Finally Coming to Federal Agencies
• Report to the President on Federal IT Modernization