Dark Reading is part of the Informa Tech Division of Informa PLC


4/13/2018
10:30 AM
Marc Wilczek
Commentary

Federal Agency Data Under Siege

Seventy-one percent of IT security professionals in US federal agencies have reported breaches in their organizations.

The US government continues to grapple with the same cybersecurity challenges faced by most organizations, but it has a different set of hurdles to overcome than its private-sector counterparts. As a result, federal agencies are experiencing more data breaches than other industry sectors. Despite skyrocketing IT security spending, successful attacks are escalating across the board. Federal agencies in particular are weathering a perfect storm around data that puts agency secrets — and the personal data of over 330 million American citizens — at risk.

According to Thales' 2018 Data Threat Report—Federal Government Edition, 57% of federal respondents reported data breaches, a threefold increase over the 18% recorded back in 2016. As many as 12% experienced multiple breaches in 2017 and in previous years.

Many agencies are in a difficult position. Federal agencies must protect sensitive data and thwart both bad guys hunting for citizens' private data and nation-state hackers with their own agendas — in addition to grappling with perennial underfunding, understaffing, and antiquated systems that commercial enterprises tossed into the dumpster years ago. At the same time, they need to make government more accessible and transparent via digital transformation, which inevitably exposes them to more cyber threats.

But these factors don't completely explain the growing numbers of breaches at federal agencies.

Catching Up with the Private Sector
Despite these troubles, agency IT security professionals are trying to stay positive, partly because spending is sharply increasing this year. "Like most other sectors, data security spending plans in the US federal sector are up compared to last year — way up," says Garrett Bekker, 451 Research's principal analyst for information security, as highlighted in the Thales report. "Perhaps more importantly, for the first time, the US federal government ranks the highest of any US vertical in terms of spending increase plans — more than nine out of 10 (93%) plan to increase security spending in 2018."

In fact, a staggering 73% of federal agencies say their IT security spending will be much higher in 2018, according to the report. This comes after several years of IT security spending well below that of commercial enterprises.

"The bad news is that reports by US federal respondents of successful breaches last year (57%) are far ahead of the global average (36%), and also the global federal sector (26%). Further, 70% of US federal respondents say their agencies were breached at some point in the past," says Bekker.

Digital Transformation Compounds the Problem
As in the private sector, digital transformation is a big cause of the data threats plaguing federal agencies. According to the report, an increasing number of federal agencies are adopting cloud services, with many operating multi-cloud environments at rates that outstrip even those in the private sector. A staggering 45% of federal agencies use five or more infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) providers, as opposed to just 20% in the private sector. Nearly half (48%) of federal agencies use more than 100 software-as-a-service (SaaS) applications, where data is harder to control, versus the global average of 22%.

However, a paltry 23% of federal agencies use encryption in the cloud — and in more than a third of all cases where encryption is applied (34%), the encryption keys are in the hands of the cloud provider. "US and global federal show preference for allowing cloud providers to control encryption keys," says Bekker. "This is a potential problem since they don't really have full control over their data if they don't control the keys."

Strengthening Cyber Resilience
To keep the government's digital initiatives alive and strengthen cyber resilience, agencies report — at rates of 77% or higher — that they will be implementing, or are planning to implement, better encryption technologies to protect sensitive data. This includes data masking (89%), database and file encryption (88%), encryption in the cloud (84%), and application layer encryption (77%).

However, each IaaS and PaaS deployment and environment needs a specific data security plan, enforced by policy, operational methods, and tools. Agencies clearly recognize the need for action, but they must rethink their priorities. Case in point: data-in-motion and data-at-rest defenses are ranked equally at 78% and 77%, respectively, as the most effective tools for protecting data, according to the report. Unfortunately, this isn't where IT security spending is being directed. In fact, data-at-rest defenses — which are the most effective at protecting large data stores — are seeing the lowest spending increases, at only 19%, while endpoint and mobile defenses are garnering the biggest increases (56%). 

Says Bekker: "The largest amount of respondents plan to increase spending on endpoint and mobile devices, despite ranking endpoint and mobile devices as least effective at protecting sensitive federal data — a major disconnect."

Governments must rethink their priorities. The adoption of digital technology (cloud, Internet of Things, big data, mobile payments, etc.) requires new approaches to protecting citizen data, government secrets, and other sensitive information. In the digital world, there is no room for breaches, outages, or even service interruptions. Customers expect an instant, seamless, and hassle-free user experience. In times of digitalization, the competition is just one click away, and even reduced availability can cause financial harm.

Besides using encryption technology, firewalls, and intrusion-detection systems, a distributed denial-of-service (DDoS) mitigation solution can help prevent service outages. With the IoT gaining maturity and billions of devices being connected, the threat landscape is evolving fast. Technologies such as artificial intelligence pose an additional threat for organizations, as they can be used maliciously to boost cyberattacks such as DDoS attacks.

Thus, it's essential for federal agencies to constantly review their cyber capabilities and make further adjustments if and where necessary. Relying on traditional on-premises security solutions is simply not sufficient given the rapid change of technologies in the course of the digital revolution.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
 
