4/13/2018
10:30 AM
Marc Wilczek
Commentary

Federal Agency Data Under Siege

Seventy-one percent of IT security professionals in US federal agencies have reported breaches in their organizations.

The US government continues to grapple with the same cybersecurity challenges faced by most organizations, but it has a different set of hurdles to overcome than its private-sector counterparts. As a result, federal agencies are experiencing more data breaches than other industry sectors. Despite skyrocketing IT security spending, successful attacks are escalating across the board. Federal agencies in particular are weathering a perfect storm around data that puts agency secrets — and the personal data of over 330 million American citizens — at risk.

According to Thales' 2018 Data Threat Report—Federal Government Edition, 57% of federal respondents reported data breaches, a threefold increase over the 18% recorded back in 2016. As many as 12% experienced multiple breaches in 2017 and in previous years.

Many agencies are in a difficult position. Federal agencies must protect sensitive data and thwart both bad guys hunting for citizens' private data and nation-state hackers with their own agendas — in addition to grappling with perennial underfunding, understaffing, and antiquated systems that commercial enterprises tossed into the dumpster years ago. At the same time, they need to make government more accessible and transparent via digital transformation, which inevitably exposes them to more cyber threats.

But these factors don't completely explain the growing numbers of breaches at federal agencies.

Catching Up with the Private Sector
Despite these troubles, agency IT security professionals are trying to stay positive, partly because spending is sharply increasing this year. "Like most other sectors, data security spending plans in the US federal sector are up compared to last year — way up," says Garrett Bekker, 451 Research's principal analyst for information security, as highlighted in the Thales report. "Perhaps more importantly, for the first time, the US federal government ranks the highest of any US vertical in terms of spending increase plans — more than nine out of 10 (93%) plan to increase security spending in 2018."

In fact, a staggering 73% of federal agencies say their IT security spending will be much higher in 2018, according to the report. This comes after several years of IT security spending well below that of commercial enterprises.

"The bad news is that reports by US federal respondents of successful breaches last year (57%) are far ahead of the global average (36%), and also the global federal sector (26%). Further, 70% of US federal respondents say their agencies were breached at some point in the past," says Bekker.

Digital Transformation Compounds the Problem
As in the private sector, digital transformation is a big cause of the data threats plaguing federal agencies. According to the report, an increasing number of federal agencies are adopting cloud services, with many operating multi-cloud environments at rates that outstrip even those in the private sector. A staggering 45% of federal agencies use five or more infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) providers, as opposed to just 20% in the private sector. Nearly half (48%) of federal agencies use more than 100 software-as-a-service (SaaS) applications, where data is harder to control, versus the global average of 22%.

However, a paltry 23% of federal agencies use encryption in the cloud — and in more than a third of all cases where encryption is applied (34%), the encryption keys are in the hands of the cloud provider. "US and global federal show preference for allowing cloud providers to control encryption keys," says Bekker. "This is a potential problem since they don't really have full control over their data if they don't control the keys."

Strengthening Cyber Resilience
To keep the government's digital initiatives alive and strengthen cyber resilience, agencies report — at rates of 77% or higher — that they will be implementing, or are planning to implement, better encryption technologies to protect sensitive data. This includes data masking (89%), database and file encryption (88%), encryption in the cloud (84%), and application layer encryption (77%).

However, each IaaS and PaaS deployment and environment needs a specific data security plan, enforced by policy, operational methods, and tools. Agencies clearly recognize the need for action, but they must rethink their priorities. Case in point: data-in-motion and data-at-rest defenses are ranked equally at 78% and 77%, respectively, as the most effective tools for protecting data, according to the report. Unfortunately, this isn't where IT security spending is being directed. In fact, data-at-rest defenses — which are the most effective at protecting large data stores — are seeing the lowest spending increases, at only 19%, while endpoint and mobile defenses are garnering the biggest increases (56%). 

Says Bekker: "The largest amount of respondents plan to increase spending on endpoint and mobile devices, despite ranking endpoint and mobile devices as least effective at protecting sensitive federal data — a major disconnect."

Governments must rethink their priorities. The adoption of digital technology (cloud, Internet of Things, big data, mobile payments, etc.) requires new approaches to protecting citizen data, government secrets, and other sensitive information. In the digital world, there is no room for breaches, outages, or even service interruptions. Customers expect an instant, seamless, and hassle-free user experience. In times of digitalization, the competition is just one click away, and even reduced availability can cause financial harm.

Besides using encryption technology, firewalls, and intrusion-detection systems, a distributed denial-of-service (DDoS) mitigation solution can help prevent service outages. With the IoT gaining maturity and billions of devices being connected, the threat landscape is evolving fast. Technologies such as artificial intelligence pose an additional threat for organizations, as they can be used maliciously to boost cyberattacks such as DDoS attacks.

Thus, it's essential for federal agencies to constantly review their cyber capabilities and make further adjustments, if and where necessary. Relying on traditional security solutions such as on-premises solutions is simply not sufficient, considering how rapidly technologies are changing in the course of the digital revolution.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...