People, policies both must be addressed to improve federal cybersecurity
There's no denying that cybersecurity is a major problem for the federal government. This year alone has seen a series of serious data breaches at a number of agencies and departments. The biggest of these, the attack on the Office of Personnel Management, led to the exposure of approximately 21 million sensitive records concerning current and former contractors and federal employees. Then, of course, there were the breaches – likely the work of state-sponsored hackers – that occurred at the State Department and White House. All of these incidents make it clear that while the government may stop the majority of cyberattacks directed at its networks, current efforts are simply not sufficient to fully protect the U.S. government's data and operations from cyberattackers.
To rectify this situation, agencies will need to focus on both cybersecurity policies and the personnel entrusted to enact and follow these guidelines. Only by taking both of these areas into account will the government as a whole be able to protect itself from increasingly determined and numerous cyberthreats in the coming months and years.
A multi-part approach
To appreciate the importance of evolving efforts in this capacity, it is first necessary to gauge the scope of the threats the U.S. government now faces. Notably, Greg Wilshusen, director of information security issues at the Government Accountability Office, recently issued a report which found that federal agencies experienced more than 67,000 cybersecurity incidents in fiscal year 2014. In 2006, this number stood at only 5,503 – an increase of more than 1,100 percent in less than a decade, as FedScoop reported.
Critically, Wilshusen emphasized that a comprehensive strategy will prove essential as the federal government strives to limit the impact of this rise in cybersecurity issues.
"[N]o single technology or set of practices is sufficient to protect against all these threats," Wilshusen wrote in the report. "A 'defense in depth' strategy is required that includes well-trained personnel, effective and consistently applied processes, and appropriately implemented technologies."
Unfortunately, the federal government is currently coming up short in this capacity. As The Washington Post's Joe Davidson recently highlighted, agencies simply do not have enough cyber experts on their staff to fully modernize and protect their networks.
Tony Scott, the U.S. chief information officer, told the National Council on Federal Labor-Management Relations recently that finding sufficient cybersecurity talent will be among the biggest IT challenges the government will face in the near future.
"It's the hardest recruiting that there is on the planet today for people with those kinds of skills," said Scott, the source reported. "We're going to have to take extraordinary moves to try to develop a broader set of talent and skill base in that area."
Max Stier, president and chief executive of the Partnership for Public Service, told Davidson that it is actually more important for the government to invest in people than technology in order to upgrade its cybersecurity capabilities.
Cybersecurity for all
However, for agencies to make strides in this area, it's key to focus not only on bringing cybersecurity experts on board, but also on improving performance and awareness among existing personnel, as industry expert Michael Daugherty recently explained to Digital Forensic Investigator. He pointed out that virtually any federal employee could potentially become a target for cyberattackers looking for vulnerabilities to exploit. A single weak point can lead to major damage.
Furthermore, Daugherty emphasized that agency leaders cannot assume that personnel will master cybersecurity best practices on their own. Instead, workers should receive thorough training to prepare them for the challenges and risks they will face. Additionally, he told the news source that agencies should establish policies that ensure personnel receive regular updates and reminders in this area, as even knowledgeable workers may become forgetful or lax over time.
Of course, given the federal government's shortcomings in terms of cybersecurity personnel on staff, it may be very challenging to deliver this training to the entire workforce. Likewise, developing and establishing optimized policies will be difficult. However, agencies will likely be able to overcome these obstacles by working closely with third-party cybersecurity consulting firms and service providers that have robust, proven experience in the public sector.