It is no secret that hostile cyber actors are targeting every organization and institution in the public and private sectors, and the government is no exception. These disruptive activities have plagued the government for several years uncovering security deficiencies that have challenged network defenders protecting large enterprise networks.
Further complicating matters are not only the variety of actors seeking to gain unauthorized access into systems, but their continued overlap of tools and operations. Indeed, the increased convergence of the tactics, techniques, and procedures (TTP) demonstrated by nation state actors, cyber criminals, hacktivists, and non-state “for-hire groups” against federal agencies will continue to prove challenging in identifying who the actors are and in those cases where appropriate, for whom they may be working.
While it is acknowledged that cyberspace has been an immeasurable benefit to improving connectivity and business operations, the reality is that the more connected organizations are, the more opportunity there is for bad guys to find a vulnerability to exploit. What’s more, the federal government is hampered by the fact that many agencies are still utilizing legacy and outdated equipment.
In May 2016, the Government Accounting Office (GAO), an independent non-partisan agency that works for Congress, submitted a report detailing how government spending on new systems or modernizing old ones declined by $7 billion since fiscal year 2010. A House Oversight and Governmental Reform Committee meeting reviewed these findings, calling the outdated equipment a “ticking time bomb.”
Federal agencies receive an annual grade from the Office of Management and Budget (OMB) as to how they are faring in improving their cyber security postures. A March 26 assessment by OMB found that out of the 24 large agencies evaluated, only one earned an “A” grade, whereas the previous year eight received the highest marks. This is disconcerting particularly in the wake of such serious breaches, particularly against the Office of Personnel Management that exposed as many as 18 million records. Such developments indicate that even the government has a difficult time in protecting the most sensitive information of its employees.
Perhaps more worrisome is the belief that even after such a historic breach, there is a sense that little has been done to improve agencies’ cyber security postures. A new survey of federal cyber security executives and government contractors reveals that just over half of these polled individuals did not believe their agency’s response to the OPM breach improved security.
Of those polled, 25 percent said their agencies have yet to implement any new tools or procedures since the OPM breach.While the survey pool was modest in size, the findings are consistent with a larger GAO study published in November 2015 that revealed that federal agencies needed to do a better job in protecting sensitive information.
Among one of the more critical findings by the GAO was that most of the 24 large agencies had weaknesses in the five major categories of information system controls. A September 2015 study by GAO found that agencies needed to correct weaknesses and fully implement security programs.
Many acknowledge the need to invest in cyber security and even the President requested $19 billion across the federal government in his 2017 fiscal year proposal. This represents a 35 percent increase from the 2016 fiscal year, with some calling the increased funding a "make it or break it" year for cyber security.
While proper fiscal budgeting for cyber security is important, it is not sufficient without a viable cyber security strategy and implementation plan in place. Currently, federal agencies are responsible for their own cyber security and management of their own IT systems, and there doesn’t appear to be any strategic guidance to measure the implementation of any security best practices.
Recently, as part of the new budget, the President proposed the creation of a Federal Chief Information Security Officer, a role that remains undefined at this moment. This individual could play that unifying role among agencies and be the impetus for cyber security change that the government desperately needs if given the proper authorities.
It will be disappointing if the federal government doesn’t markedly improve its cyber security preparedness after all of this effort. While there has been a lot of attention drawn to hacking back the attackers, implementing cyber sanctions, and bolstering U.S. Cyber Command’s capabilities to deter the bad guys, security runs the risk of being overshadowed by these sensationalized alternatives.
In a domain where attacks occur and will keep occurring regardless of what active measures are taken, it is protecting sensitive information and maintaining network resiliency that remain essential for organizations, including federal agencies. And that starts with implementing risk management strategies that focus on safeguarding integral data and network resources and exercising contingency plans. They may not be as sexy as striking back, but when tit-for-tat is over, these are the efforts that ensure operations are maintained and will continue.