Federal facilities at risk of cyberattacks
Cybersecurity efforts have become a major focus for the federal government at large. Congress passed a number of cybersecurity-related bills at the tail end of 2014 and President Obama recently called for new legislation in this area. While some of these efforts are consumer-focused, others directly address the issue of data protection within the federal government itself.
These initiatives are a good start and suggest that federal leaders in Congress and beyond are now beginning to appreciate the dire need to secure agency networks and digital assets. Yet the fact remains that current measures are not sufficient to protect the federal government from the evolving, expanding threat posed by cybercriminals and hackers.
The latest evidence of shortcomings in this area is a recent report from the Government Accountability Office. This report found that many of the systems that control federal facilities are insufficiently protected from cyberthreats, putting a wide range of agencies at risk of experiencing a data breach or worse.
A growing threat
The GAO study focused on the myriad high-tech access control systems that regulate federal facilities. These systems control everything from heating to security (including cameras) to electricity usage and beyond. As the GAO noted, a growing number of these systems are connected to the Internet, opening up the possibility that a hacker could gain control of any or all of them.
"The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or their occupants," the GAO explained.
In light of this trend, the GAO sought to determine what steps the Department of Homeland Security and other security-focused agencies are taking to protect federal facilities from cyberattackers. Unfortunately, while the DHS has made some progress, the GAO concluded that efforts in this area are severely lacking.
Specifically, the GAO report pointed to two major shortcomings. First, the DHS simply does not have a robust, coherent strategy that adequately identifies the risks, the resources needed or ideal tactics in the realm of federal facility cybersecurity. Highlighting this problem, the report noted that no DHS personnel are currently responsible for addressing the cyberthreats faced by nearly 9,000 facilities protected by the Federal Protective Service.
Secondly, the report determined that the Interagency Security Committee – the DHS unit focused on developing security standards for nonmilitary federal facilities – has not yet incorporated cyberthreats into its policies and processes.
As GAO noted, these shortcomings and their potential consequences are not purely hypothetical. Recent years have seen a number of cyberattacks aimed at federal, state and local government-run facilities and related systems. Notably, in 2014 an as-yet unidentified federal agency reported a cyberattack involving a wastewater treatment plan. No information has been released about this incident, as the information is considered "law-enforcement sensitive."
This fact alone suggests that the types of vulnerabilities identified by the GAO report have already led to at least one serious cybersecurity incident at a federal facility.
In light of this report, it's clear that federal agencies need to take more of an interest in protecting their facilities from cyberthreats. Unfortunately, it seems that the DHS has neither the resources nor determination to provide wide-ranging protection in this area.
Individual federal agency leaders should therefore begin to take the initiative and develop their own strategies for protecting themselves from such threats. To this end, third-party consulting firms will be an invaluable resource, as the right partner will have robust experience and expertise in this area. Without such professional assistance, federal agencies may struggle to identity the ideal approach to cybersecurity in the context of facility systems.