Federal cybersecurity efforts struggle to keep pace with attackers
Numerous government leaders now realize that cyberattackers are one of the greatest security threats facing the federal government today. Consequently, they have taken numerous steps to shore up federal cybersecurity efforts. Unfortunately, though, these measures are proving inadequate in the face of evolving, expanding attacks. And a big part of the problem comes from federal employees themselves.
The Associated Press recently conducted a thorough analysis of cybersecurity-related incidents at federal agencies since 2010. According to this analysis, federal workers and contractors were responsible for at least half of these security events.
The nature of this responsibility varied from incident to incident. In some cases, federal workers were tricked by cybercriminals into opening links containing malware. In others, personnel failed to follow proper procedures when handling sensitive information, resulting in data breaches.
Phishing was particularly problematic, the AP reported. In numerous cases, federal employees fell victim to requests for information or opened files from untrustworthy sources, exposing their agencies' networks to cybercriminals in the process. Altogether, 21 percent of federal data breaches were due to employees violating official policies, while 16 percent were the result of lost or stolen devices.
As Eric Rosenbach, assistant secretary of Defense for Homeland Defense and Global Security, noted, the government is aware of these problems but struggles to correct them.
"No matter what we do with the technology … we'll always be vulnerable to the phishing attack and … human-factor attacks unless we educate the overall workforce," he said, according to the AP.
This is especially troubling because, as the news source pointed out, the number of cybersecurity-related incidents is growing. According to the U.S. Computer Emergency Readiness Team, there were 26,942 reported breaches on federal computer networks in 2009 and 46,605 in 2013.
The U.S. government will likely spend approximately $65 billion on cybersecurity contracts between 2015 and 2020, the news source reported. However, numerous experts believe that this investment will not be sufficient to protect federal digital assets from state-sponsored cyberterrorists and other hackers. This is especially true if federal employees continue to engage in risky behavior that undermines defensive measures.
Obviously, agency leaders need to take corrective action to reduce the risk that federal employees currently pose in the realm of cybersecurity. Yet as Rosenbach explained, this is easier said than done.
However, it is not impossible. Even with limited budgets, agencies can take significant steps toward encouraging better cybersecurity practices among employees. Training is invaluable in this capacity. While Rosenbach seemed to present this option as difficult to attain, the reality is that a modest amount of education and guidance can drastically reduce the risk that workers will engage in the riskiest practices, such as clicking on links from unknown sources.
Additionally, agency leaders should craft policies that can better guide employee behavior in this area. While no policy can fully stop risky actions, well-crafted policies can encourage better, safer activities.