Despite major spending, federal cybersecurity remains problematic
It's no secret that cybersecurity is a high-level concern for numerous leaders throughout the federal government. Virtually every department and agency is now intensely focused on this area, adopting a wide range of efforts to better protect their sensitive information and other assets from the threat of hackers and cybercriminals. Naturally enough, these initiatives have led federal agencies to invest a significant amount of money in cybersecurity efforts.
However, as NextGov recently highlighted, the federal government seems to have seen a fairly poor return on its investment in this area. For all the money spent on cybersecurity efforts, hackers continue to gain access to federal databases and networks. This suggests that federal decision-makers may need to reconsider how they are spending their cybersecurity funding, and potentially update their policies and strategies.
The source reported that federal agencies have spent nearly $60 billion on data protection efforts since fiscal year 2010. Last year, even after government-wide spending cuts, agencies dedicated more than $10 billion to these efforts. Yet despite these investments, the federal government has seen numerous data breaches and other cybersecurity-related incidents in recent years. Notably, the State Department and White House both recently saw their classified computer networks infiltrated by cybercriminals who were most likely sponsored by foreign states.
Furthermore, the source noted that a significant amount of federal money goes toward protecting the cybersecurity of critical U.S. industry systems. For example, the Pentagon devoted more than $7 billion to Cyber Command, the NSA and other agencies tasked with defending such organizations, including major financial centers and airports. Here as well, though, this spending did not stop a number of major breaches from occurring in these areas.
"[F]ederal information security remains a significant challenge for an overwhelming majority of federal civilian agencies," concluded an exit report from now-retired Sen. Tom Coburn, R-Okla., the source stated.
Considering all of these cybersecurity failures, many experts are starting to wonder if a new approach is needed.
Notably, NextGov pointed out that some cybersecurity professionals believe that the federal government should make its EINSTEIN automated cyberdefense system more widely available. This system has the ability to gather a tremendous of information and then use that data to thwart cyberattacks. Currently, EINSTEIN is only in use among select government agencies, but some believe that critical private sector infrastructure could also benefit from its use.
Beyond this, there is also a case to be made that federal agencies may need to update their policies and overall approach to cybersecurity in order to better protect their sensitive systems. For all the money that agencies now spend in this area, many federal employees continue to engage in risky behavior that can open their departments up to the risk of a data breach.
Perhaps most notable in this regard is the problem of spear-phishing. Countless cyberattackers now rely on these targeted, subtle approaches, tricking federal workers into opening unsafe email attachments or clicking on untrustworthy links. When that happens, the whole agency network can be infiltrated and a huge amount of sensitive information accessed. Worse, it may take months before such a breach is discovered, by which point the damage is already done.
There is no way for an automated defense system to put an end to such attacks. Instead, employees must exercise better judgment. To this end, agencies should consider shifting some of their cybersecurity funding toward worker training and education. By investing in this area, federal departments can make a lot of progress toward shoring up one of the weak spots in any cybersecurity effort: the human element.