Multiple factors make cybersecurity challenging for federal agencies
In recent years, countless leaders throughout the federal government have recognized agencies' major shortcomings in the realm of cybersecurity. Unfortunately, this increasing awareness and discussion of the topic have not succeeded in securing federal data. On the contrary, numerous data breaches have demonstrated the federal government's inability to ward off more sophisticated and more numerous cyberattacks.
The fact of the matter is that there are a number of inherent factors which make it particularly difficult for federal agencies to adequately protect their networks and data from outside threats. Addressing these challenges is difficult, but it should not be seen as impossible. The first step is recognizing the difficulty.
One of the biggest issues that makes cybersecurity difficult for the federal government is also one of the most straightforward: Federal agencies are among the highest-value targets available to hackers. Often, observers focus their attention on the threat posed by state-sponsored cyberattackers. This is understandable – hackers working for China and Russia are suspected of executing several of the most serious data breaches at federal agencies to occur so far this year. However, the federal government's computers are also major targets for cybercriminals motivated purely by financial rewards and hacktivists who may be eager to make a political point. Consequently, government networks tend to experience a disproportionate number of cyberattacks, and agencies are simply not sufficiently secure to ward off such a massive onslaught.
Examples of the government's shortcomings in this area are plentiful, with the most recent revelations concerning the Department of Energy. As USA Today reported, the Energy Department's computer systems were successfully infiltrated by cyberattackers nearly 160 times over a 48-month period between 2010 and last year. This same report determined that the total number of attacks aimed at these systems was 1,131, which demonstrates how big a target such federal computer systems can be.
"The potential for an adversary to disrupt, shut down [power systems], or worse … is real here," said Scott White, professor of Homeland Security and Security Management and director of the Computing Security and Technology program at Drexel University, USA Today reported. "It's absolutely real."
Cyberattackers recognize this potential and, as this report demonstrated, they can be extremely persistent in their efforts to gain access and control. These hackers realize that agencies, including the Department of Energy, struggle to ward off attacks indefinitely.
Another major reason the federal government struggles in the realm of cybersecurity is the difficulty of upgrading agencies' IT systems and capabilities. The complexity of the organizations involved, along with the tremendous number and variety of regulations, makes it more difficult for government agencies to take steps to improve their cybersecurity capabilities. At the same time, cyberattackers are constantly improving and refining their strategies, creating an ever-increasing level of potential danger.
This issue was recently highlighted by U.S. News and World Report. As the source explained, the U.S. Navy continues to use Windows XP, even though the operating system is no longer supported by Microsoft. This would pose a huge security threat, due to the lack of regular security patches and updates, except that the Navy now pays Microsoft a significant fee to continue to receive such patches on a contractual basis. Even with this abnormal agreement, the Navy's reliance on Windows XP almost certainly increases its vulnerability to opportunistic cyberattacks.
The reason for the continued use of Windows XP, the source explained, is that federal rules and red tape make upgrading IT a slow, difficult process. Notably, the General Services Administration requires the Defense Department and other agencies to consider only products that have been on the market for at least two years when procuring new IT solutions. This means that agencies beholden to this standard can never achieve an up-to-date IT infrastructure.
"Products for IT get overlapped by new software within six months, never mind the two-year waiting period," said Erica McCann, director of federal procurement for the Information Technology Alliance for the Public Sector tech trade association, the news source reported. "These problems are pervasive throughout the government."
U.S. News and World Report further noted that Ash Carter, the Secretary of Defense, has made a point of emphasizing the need for the Pentagon to work with Silicon Valley to ensure both its weapon systems and computer networks feature cutting-edge technology. As this and many other examples have demonstrated, though, this is certainly not the case currently.
With that in mind, it's more important than ever for federal agencies to take whatever steps they can to overcome these limitations and shore up their cybersecurity capabilities. This should include a thorough evaluation of the current status quo as well as efforts to improve information assurance throughout every organization.