The US government continues to grapple with the same cybersecurity challenges faced by most organizations, but it has a different set of hurdles to overcome than its private-sector counterparts. As a result, federal agencies are experiencing more data breaches than other industry sectors. Despite skyrocketing IT security spending, successful attacks are escalating across the board. Federal agencies in particular are weathering a perfect storm around data that puts agency secrets — and the personal data of over 330 million American citizens — at risk.
According to Thales' 2018 Data Threat Report—Federal Government Edition, 57% of federal respondents reported data breaches, a threefold increase over the 18% recorded back in 2016. As many as 12% experienced multiple breaches in 2017 and in previous years.
Many agencies are in a difficult position. Federal agencies must protect sensitive data and both thwart bad guys hunting for citizens' private data and nation-state hackers with their own agendas — in addition to grappling with perennial underfunding, understaffing, and antiquated systems that commercial enterprises tossed into the dumpster years ago. At the same time, they need to make government more accessible and transparent via digital transformation, which inevitably exposes them to more cyber threats.
But these factors don't completely explain the growing numbers of breaches at federal agencies.
Catching Up with the Private Sector
Despite these troubles, agency IT security professionals are trying to stay positive, partly because spending is sharply increasing this year. "Like most other sectors, data security spending plans in the US federal sector are up compared to last year — way up," says Garrett Bekker, 451 Research's principal analyst for information security, as highlighted in the Thales report. "Perhaps more importantly, for the first time, the US federal government ranks the highest of any US vertical in terms of spending increase plans — more than nine out of 10 (93%) plan to increase security spending in 2018."
In fact, a staggering 73% of federal agencies say their IT security spending will be much higher in 2018, according to the report. This comes after several years of IT security spending well below that of commercial enterprises.
"The bad news is that reports by US federal respondents of successful breaches last year (57%) are far ahead of the global average (36%), and also the global federal sector (26%). Further, 70% of US federal respondents say their agencies were breached at some point in the past," says Bekker.
Digital Transformation Compounds the Problem
As in the private sector, digital transformation is a big cause of the data threats plaguing federal agencies. According to the report, an increasing number of federal agencies are adopting cloud services, with many operating multi-cloud environments at rates that outstrip even those in the private sector. A staggering 45% of federal agencies use five or more infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) providers, as opposed to just 20% in the private sector. Nearly half (48%) of federal agencies use more than 100 software-as-a-service (SaaS) applications, where data is harder to control, versus the global average of 22%.
However, a paltry 23% of federal agencies use encryption in the cloud — and in more than a third of all cases where encryption is applied (34%), the encryption keys are in the hands of the cloud provider. "US and global federal show preference for allowing cloud providers to control encryption keys," says Bekker. "This is a potential problem since they don't really have full control over their data if they don't control the keys."
Strengthening Cyber Resilience
To keep the government's digital initiatives alive and strengthen cyber resilience, agencies report — at rates of 77% or higher — that they will be implementing, or are planning to implement, better encryption technologies to protect sensitive data. This includes data masking (89%), database and file encryption (88%), encryption in the cloud (84%), and application layer encryption (77%).
However, each IaaS and PaaS deployment and environment needs a specific data security plan, enforced by policy, operational methods, and tools. Agencies clearly recognize the need for action, but they must rethink their priorities. Case in point: data-in-motion and data-at-rest defenses are ranked equally at 78% and 77%, respectively, as the most effective tools for protecting data, according to the report. Unfortunately, this isn't where IT security spending is being directed. In fact, data-at-rest defenses — which are the most effective at protecting large data stores — are seeing the lowest spending increases, at only 19%, while endpoint and mobile defenses are garnering the biggest increases (56%).
Says Bekker: "The largest amount of respondents plan to increase spending on endpoint and mobile devices, despite ranking endpoint and mobile devices as least effective at protecting sensitive federal data — a major disconnect."
Governments must rethink their priorities. The adoption of digital technology (cloud, Internet of Things, big data, mobile payments, etc.) requires new approaches to protecting citizen data, government secrets, and other sensitive information. In the digital world, there is no room for breaches, outages, or even service interruptions. Customers expect an instant, seamless, and hassle-free user experience. In times of digitalization, the competition is just one click away, and even reduced availability can cause financial harm.
Besides using encryption technology, firewalls, and intrusion-detection systems, a distributed denial-of-service (DDoS) mitigation solution can help preventing service outages. Especially with the IoT gaining maturity and billions of devices are being connected, the threat landscape is evolving fast. Technologies such as artificial intelligence pose an additional threat for organizations, as they can be used maliciously to boost cyberattacks such as DDoS attacks.
Thus, it's essential for federal agencies to constantly review the cyber capabilities and make further adjustments, if and where necessary. Relying on traditional security solutions such as on-premises solutions is simply not sufficient considering the rapid change of technologies in the course of the digital revolution.
- 8 Nation-State Hacking Groups to Watch in 2018
- New Method Proposed for Secure Government Access to Encrypted Data
- Is Public Sector Cybersecurity Adequate?
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.