I suspect that this will surprise no one but a year after the government revealed the Office of Personnel Management (OPM) suffered a massive breach with millions of records compromised (including yours truly), federal agencies continue to struggle with cybersecurity.
According to a new study from (ISC)² and KPMG, 59 percent of government officials admit that they don’t understand how cybercriminals are able to breach their networks, 42 percent said that employees pose the greatest threat to data security, and 40 percent claim they don’t know where key assets are located.
This is shocking and should be unacceptable, but it is also a prime example of what someone told me – the federal government won’t take serious action until there is a catastrophic security event. Apparently, a breach that affected approximately 22 million Americans and put their identity at risk isn’t catastrophic enough.
Immediately after that breach was revealed and in response to the outcry, the White House’s Office of Management and Budget launched a 30-day Cybersecurity Sprint with an improvement focus across all federal information technology (IT) assets and networks, both civilian and military. As Anthony James, vice president of marketing at TrapX Security, explained to me in an email, goals for this effort included patching critical vulnerabilities, increasing protection for high value assets, reviewing and limiting authorized system users, and adding new capabilities to authentication technology sets. James added:
However, it’s likely that the 65 percent of the survey’s respondents understand that simply fine-tuning existing legacy best practices and technologies isn’t enough. While better authentication certainly helps, leveraging it as a primary strategy to defend the perimeter and endpoints has routinely failed to prevent attacks. Subsequently, attackers continue to breach those perimeters and get inside networks.
Tony Hubbard, principal at KPMG, told Government Technology that it all comes down to accountability, and federal agencies are severely lacking when it comes to cybersecurity-related accountability. The article went on:
This is a frustrating time for chief information security officers, Hubbard said, because it’s often not made clear who is accountable when something goes wrong. And if someone will be held accountable, he said they may not be given the resources needed to do their job properly. What’s worse, government organizations as a whole do not fulfill their responsibilities to prevent security incidents.
One of the points made in the study is that cybersecurity has moved beyond the one-size-fits-all model, but compliance regulations haven’t been able to keep up with those changes and don’t allow agencies to customize for their security needs. More concerning is that too many departments within the different agencies don’t think that cybersecurity is their responsibility. That is mind boggling. I thought we had finally reached a point where we all understood that cybersecurity is everyone’s responsibility. I guess not, at least not in government.
However, the study does add that we need to consider that perhaps that idea of a month-long Cybersecurity Sprint was the wrong approach. Good cybersecurity requires a marathon approach. This is a problem that is always evolving and we have to be able to make adjustments over time. Government agencies, the report added, are just beginning to hit their stride in the marathon. I certainly hope so.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.