In fact, the scope and nature of the many security deficiencies identified raise a serious question: Why are federal agencies struggling so much with their data security issues?
Before brushing off that question as alarmist, consider just a few of the OMB report’s findings:
- Of the 96 federal agencies surveyed, 71 (74%) were deemed to have cyber security programs that were either at risk or at high risk.
- During fiscal year 2016, the agencies experienced 30,899 cyber incidents that led to the compromise of information or system functionality, and the agencies couldn’t identify the method of attack, or the attack vector, in 11,802 (38%) of those instances.
- Only 27% of the agencies have the ability to detect and investigate attempts to access large volumes of data, and even fewer report testing those capabilities annually.
- Only 49% of the agencies have the ability to detect and whitelist software running on their systems.
- Nearly three-quarters (73%) of agencies encrypt data in transit, but just 16% encrypt data at rest.
Before we jump to the conclusion that the federal cyber security sky is falling, however, it’s important to note that the OMB report also proposes a number of corrective actions and initiatives. If pursued, those recommendations could go a long way to plugging many of the federal agencies’ current security gaps.
Working with the Director of National Intelligence and other departments, for example, the OMB intends to keep pushing the adoption of the Cyber Threat Framework. In part, this framework provides a means to describe cyber threat activity in a standard way that helps facilitate information sharing and threat analysis.
Several of the OMB’s recommendations aim to promote increased standardization of IT infrastructure and cyber security systems. Legacy IT or not, too many agencies have a patchwork of multiple, often redundant, systems, which can be difficult or impossible to secure in a holistic fashion. Consider that one agency evaluated by the OMB had 62 separately managed email systems within its environment!
Another area of focus in the OMB report is the variable quality of the security operations centers (SOCs) at each federal agency – along with the fact that some agencies operate multiple SOCs. The OMB report suggests consolidating SOCs in some instances, and is exploring the possibility of designating, in cooperation with the Department of Homeland Security, at least one agency as a SOC Center of Excellence. Another option being explored is to have select agencies provide “SOC-as-a-Service” to agencies lacking strong security teams of their own.
One of the most fundamental of these challenges, Townsend says, is the need to improve the interoperability among security tools and platforms from different suppliers. To help facilitate the goal of integrated cyber defense, Symantec recently launched a Technology Integration Partners Program to promote standards adoption and interoperability among providers of different security solutions.
Ultimately, improving the cyber security of federal agencies will require tight cooperation between government institutions and the cyber security industry. Townsend says that Symantec has “very good” working relationships with many cyber security decision makers at the federal level – including with the former cyber security coordinator Rob Joyce. Townsend expects that strong collaboration to continue, although he agrees it would help if some of the now-vacant cyber security roles were quickly filled. In April, Joyce announced that he was leaving his post to return to the National Security Agency. A week earlier, Tom Bossert, a White House homeland security advisor often identified as the administration’s “cyber security czar,” resigned.
Long story short, the federal government needs to get its cyber security act together. The challenges federal agencies face are daunting, and their current state of security is cause for great concern, but if they adopt the correct approach – and technologies – they will have much more success in the future.