Reports identify shortcomings across federal cybersecurity efforts
It would be difficult to overstate just how important cybersecurity is for the federal government at large. Cyberattacks are becoming increasingly common and severe across both the public and private sectors, and federal agencies are undoubtedly among the most tempting targets for hackers of all stripes. Naturally, that makes cybersecurity not just a top-level priority, but also a tremendous challenge.
A number of recent reports highlighted agencies' successes and failures in this area. These studies make it clear that while the federal government has made significant progress in terms of protecting its digital data and networks for hostile attackers, the crux of the matter is that many agencies remain vulnerable, and more effective cybersecurity is essential.
"There were IT security flaws common to most of the 24 agencies."
One of the most enlightening federal cybersecurity studies came from the Government Accountability Office. The report, entitled "Agencies Need to Correct Weaknesses and Fully Implement Security Programs," found that there were a number of IT security flaws common to many of the 24 agencies examined. Specifically, the GAO noted that agencies continue to struggle to limit access to computer resources to only authorized personnel, and also have difficulties detecting when other users access these assets inappropriately.
Another key flaw seen across federal agencies, according to the GAO, is a tendency to put too much IT control in the hands of a single individual. When this happens, a cyberattacker who successfully steals that person's access information or personal data may be able to cause tremendous damage.
It is also important to note that the GAO report found a lack of agency-wide security management programs among the departments examined. Not only does this put agencies at risk right here and now, but it also makes it difficult for departments to take proactive steps to shore up their defenses going forward.
"These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs," the GAO stated.
Yet while all of these shortcomings were shared by multiple agencies, not every department was equally guilty. Speaking to the Washington Business Journal, Samuel Visner, senior vice president of ICF International, said, "There is an uneven distribution of this capability across the government – some agencies have it, others don't."
"The federal government scored 688 on its 900-point cybersecurity scale."
Government keeping pace
However, a recent report from BitSight Technologies suggested that the federal government's cybersecurity efforts are actually more or less aligned with those of other sectors. According to E-Commerce Times, BitSight rated the federal government at 688 on its 900-point scale, as compared to 684 in the retail sector and 716 for the financial sector, with lower scores for every other industry.
While potentially seen as a defense of agencies' performance, this score could also be interpreted disappointing, considering the incredibly high stakes inherent to federal cybersecurity efforts. What's more, the report identified a number of key cybersecurity areas where the government is falling behind sectors such as education and health care. Notably, BitSight found that federal agencies are particularly weak in terms of SSL-related issues, with 7 percent of agencies still susceptible to the major and widely-covered Heartbleed bug, Nextgov reported. Additionally, more than half of agencies were vulnerable to FREAK, another SSL flaw, and nearly four-fifths of agencies were not protected from POODLE, another vulnerability.
Given these findings, it's unsurprising that federal agencies are now working on strategies to improve their cybersecurity capabilities. A big part of these initiatives will likely be increased spending, as Benzinga's Monica Gerson recently suggested. She noted that industry analyst Daniel Ives expects governments across the board to invest more in next-generation cybersecurity efforts. Such willingness to spend comes about as the result of both increasing threats and a realization that current U.S. cybersecurity efforts are falling behind.
Of course, spending in and of itself will not cure federal agencies' cybersecurity woes. For departments to shore up their defenses, they will need to be very strategic with their investments. Specifically, agency IT decision-makers must look for third-party partners that have demonstrated experience and expertise in the realm of information assurance. Furthermore, agencies need cybersecurity strategies that accommodate users' needs and preferences while providing the necessary degree of protection.