Federal cybersecurity executives are still struggling to understand how attackers could breach their systems a year after hackers stole the personal information of roughly 22 million people from Office of Personnel Management databases, according to a new (ISC)² report.
An alarming 59% of respondents say that their agency struggles to understand how cyber attackers could potentially breach their systems, with 40% of respondents unaware of where their key assets are located, according to findings in The State of Cybersecurity from the Federal Cyber Executive Perspective, co-authored by the certification organization (ISC)² and consulting firm KPMG LLP.
Understanding how the full range of an agency's assets can be affected by cyber threats has become very complex, especially as systems migrate to the cloud, the report states. Additionally, sixty-five percent of the 54 cybersecurity executives surveyed don't think the federal government as a whole can detect ongoing cyberattacks.
In March 2016, (ISC)² and KPMG LLP surveyed a targeted pool of executive-level government officials and contractors with the goal of reporting the state of cybersecurity from federal cyber experts who have an enterprise-wide perspective. Responses were collected both anonymously online and during individual interviews, covering a range of topical areas that are key to understanding the state of cybersecurity today.
Approximately one year before the survey was conducted, the Office of Personnel Management (OPM) sustained a widely reported data breach that affected the personnel records of 21.5 million current, former and retired federal employees and contractors. In response, U.S. Chief Information Officer Tony Scott launched a 30-day Cybersecurity Sprint in June 2015, instructing agencies to take immediate steps to further protect federal information assets and improve the resilience of federal networks.
However, 52% of respondents disagreed that the Cyber Sprint response improved the overall security of federal information systems. “Some of the folks we talked to said a sprint would be very hard. They said it is not a sprint, it is a marathon,” says Dan Waddell, Managing Director of the North America Region at (ISC)². To make the types of changes the Cyber Sprint proposed takes a lot more time than even a 90-day or six-month sprint, Waddell says.
Following the OPM breach, 35% of the respondents said their agency put more emphasis on preventative measures, like role-based access, multi-factor authentication, and monitoring capabilities. Thirteen percent said they focused on defending against the insider threat with more training, security awareness efforts and improving the security clearance process. However, 25% said their agency didn’t make any changes, which raises concerns that cyberattacks at other agencies are not driving government-wide action, according to the report.
Lack of Funding, Accountability Hinder Progress
The lack of accountability was a consistent theme throughout the survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Moreover, leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability, with 42% of respondents indicating that people are currently their agency’s greatest vulnerability to cyberattacks.
There is a perception in many organizations that technology is going to be the silver bullet to combat attacks, notes Tony Hubbard, Principal and Cyber Leader with KPMG's Federal Advisory Practice. "There is certainly a place for technology. But another significant theme in the survey is the reliance on people," he says. "Many breaches that have been identified and reported are not highly technical or sophisticated breaches, so it gets back to having the right accountable and empowered people to drive the [cyber] efforts."
Technology solutions continue to be developed to improve the ability to prevent, detect and respond to cyberattacks. Forty-two percent of the cyber executives identified predictive analytics as the most significant game-changing security technology or solution. “While the promise of predictive analytics is enticing, not enough implementation has taken place in order to accurately measure its effectiveness,” the report states.
Cyber professionals face a number of hurdles in advancing their agencies’ cybersecurity efforts. When asked for the top three factors that hinder their agency’s ability to advance cybersecurity efforts, the top responses were a lack of funding (65%), absence of accountability (48%), lack of understanding (48%) and lack of expertise (44%), according to the report.
Budget sequestration, which sets a cap on what agencies can spend, and Continuing Resolution legislation over the past seven or eight years have really affected the funding of cybersecurity, notes Waddell. “A lot of the time when we go through these budget drills it is only to keep the lights on. So it is very difficult to get funding for new initiatives to combat the types of new threats we are seeing.”
Based on the survey results, the report makes several recommendations to improve cybersecurity in federal agencies:
- Focus on the human perspective and implement a more balanced and holistic approach as it relates to the people, process, and technology equation.
- Address the dissatisfaction among the federal cyber executive ranks and empower them with more authority to make risk-based decisions.
- Educate the entire workforce, across all departments, in cyber.
- Establish continuous cyber hygiene training and simulation drills.
- Devote resources to retain existing cyber talent.
- Reinforce the National Institute of Standards and Technology's Cybersecurity Framework as a baseline for security assessment.