Federal cybersecurity report says nearly 75% of agencies at risk
The 'Federal Cybersecurity Risk Determination Report and Action Plan' shows the majority of federal agencies are at risk, and DHS suggests a lack of leadership may be to blame.
The latest federal cybersecurity report holds little good news regarding the security posture of government agencies, and experts are not surprised by the findings.
The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) developed the report in accordance with President Donald Trump's cybersecurity executive order issued last year. The report acknowledged the difficulties agencies face in terms of budgeting, maintaining legacy systems and hiring in the face of the cybersecurity skills gap, and it identified 71 of 96 agencies as being either "at risk or high risk."
"OMB and DHS also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information. The risk assessments show that the lack of threat information results in ineffective allocations of agencies' limited cyber resources," OMB and DHS wrote in the report. "This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity."
The federal cybersecurity report tested the agencies involved under 76 metrics and identified four major areas of improvement: increasing threat awareness, standardizing IT capabilities, consolidating security operations centers (SOCs), and improving leadership and accountability.
Greg Touhill, president of Cyxtera Federal Group, based in Coral Gables, Fla., and former CISO for the United States, said the report was an "accurate characterization of the current state of cyber risk and a reflection of the improvements made over the last five years in treating cybersecurity as a risk management issue, rather than just a technology problem."
"I am concerned that the deletions of and vacancies in key senior cyber leadership positions [are] sending the wrong message about how important cybersecurity is to the government workforce, commercial and international partners, and potential cyber adversaries," Touhill wrote via email. "As national prosperity and national security are dependent on a strong cybersecurity program that delivers results that are effective, efficient and secure, I believe cybersecurity ought to be at the top of the agenda, and we need experienced cyber leaders sitting at the table to help guide the right decisions."
Agencies at risk
The federal cybersecurity report said many agencies lack situational awareness and noted this has been a long-standing issue in the U.S. government.
I am concerned that the deletions of and vacancies in key senior cyber leadership positions [are] sending the wrong message about how important cybersecurity is to the government workforce, commercial and international partners, and potential cyber adversaries.
Greg Touhillpresident of Cyxtera Federal Group and former CISO for the United States
"For the better part of the past decade, OMB, the Government Accountability Office, and agency [inspectors general] have found that agencies' enterprise risk management programs do not effectively identify, assess, and prioritize actions to mitigate cybersecurity risks in the context of other enterprise risks," OMB wrote. "In fact, situational awareness is so limited that federal agencies could not identify the method of attack, or attack vector, in 11,802 of the 30,899 cyber incidents (38%) that led to the compromise of information or system functionality in [fiscal year] 2016."
Sherban Naum, senior vice president of corporate strategy and technology at Bromium, based in Cupertino, Calif., said improving information sharing might not "address the protection component."
"Sharing information in real time of an active and fully identified attack is critical. However, more information alone won't help if there is no contextual basis to understand what was attacked, what vulnerability was leveraged, the attacker's intent and impact to the enterprise," Naum said. "I wonder what systems are in place or are needed to process the real-time threat data to then automatically protect the rest of the federal space."
Not all of the news was bad. OMB noted that 93% of users in the agencies studied use multifactor authentication in the form of personal identity verification cards. However, the report said this was only the beginning, as "agencies have not matured their access management capabilities" for modern mobile use.
"One of the most significant security concerns that results from the current decentralized and fragmented IT landscape is ineffective identity, credential, and access management processes," OMB wrote. "Fundamentally, any organization must have a clear understanding of the people, assets, and data on its networks."
The federal cybersecurity report acknowledged the number of high-profile data leaks and breaches across government systems in recent years and said the situation there is not improving.
"Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. The risk assessment process revealed that 73 percent of agency programs are either at risk or high risk in this critical area," OMB wrote. "Specific metrics related to data loss prevention and exfiltration demonstrate even greater problems, with only 40 percent of agencies reporting the ability to detect the encrypted exfiltration of information at government-wide target levels. Only 27 percent of agencies report that they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually."
Additionally, only 16% of agencies have properly implemented encryption on data at rest.
Suggested improvements
The federal cybersecurity report had suggestions for improving many of the poor security findings, including consolidating email systems, creating standard software configurations and a shared marketplace for software, and improving threat intelligence sharing across SOCs. However, many of the suggestions related directly to following National Institute of Standards and Technology (NIST) Cybersecurity Framework guidelines, the Cyber Threat Framework developed by the Office of the Director of National Intelligence, or DHS' Continuous Diagnostics and Mitigation (CDM) program.
Katherine Gronberg, vice president of government affairs at ForeScout Technologies, based in San Jose, Calif., said the focus of CDM is on real-time visibility.
"For example, knowing you have 238 deployed surveillance cameras found to have a particular vulnerability is a good example of visibility. Knowing that one or more of those cameras is communicating with high-value IT assets outside of its segment is further visibility, and then seeing that a camera is communicating externally with a known, malicious command-and-control IP address is the type of visibility that helps decision-making," Gronberg wrote via email. "CDM intends to give agencies this level of real-time domain awareness in addition to securing data. It's worth noting that many agencies are now moving to Phase 3 of CDM, which is about taking action on the problems that are discovered."
Katie Lewin, federal director for the Cloud Security Alliance, said "standardization is an effective tool to get the best value from resources," especially given that many risks faced by government agencies are due to the continued use of legacy systems.
"Standardized, professionally managed cloud systems will significantly help reduce risks and eliminate several threat vectors," Lewis wrote via email. "If agencies adopt DHS's Continuous Diagnostics and Mitigation process, they will not have to develop and reinvent custom programs. However, as with all standards, there needs to be some flexibility. Agencies should be able to modify a standard approach within defined limits. Failure to involve agencies in developing a common approach and in defining the boundaries of flexibility will result in limited acceptance and adoption of the common approach."
Gary McGraw, vice president of security technology at Synopsys Inc., based in Mountain View, Calif., said focusing on standards may not hold much improvement.
"The NIST Framework has lots of very basic advice and is very useful. It would be a step in the right direction. However, it is important to keep in mind that standards generally reflect the bare minimum," McGraw said. "Organizations that view security solely as a compliance requirement generally fall short, compared to others that treat it as a core or enabling component of their operations."
Michael Magrath, director of global regulations and standards at OneSpan, said, "Improving resource allocations is a crucial to improving our federal cyberdefenses."
"With $5.7 billion in projected spending across federal civilian agencies, some agencies may cry poor. The report notes that email consolidation can save millions of dollars each year, and unless agencies have improved efficiencies like email consolidation, have implemented electronic signatures and migrated to the cloud, there remains an opportunity to reallocate funds to better protect their systems," Magrath said. "The report also notes that agencies are operating multiple versions of the same software. This adds unnecessary expense, and as more and more agencies migrate to the cloud, efficiencies and cost reductions should follow enabling agencies to reallocate budget and IT resources to other areas."
