The Bleak State of Federal Government Cybersecurity
Credit to Author: Lily Hay Newman | Date: Wed, 30 May 2018 20:16:17 +0000
It's a truism by now that the federal government struggles with cybersecurity, but a recent report by the White House's Office of Management and Budget reinforces the dire need for change across dozens of agencies. Of the 96 federal agencies it assessed, it deemed 74 percent either "At Risk" or "High Risk," meaning that they need crucial and immediate improvements.
While the OMB findings shouldn't come as a complete shock, given previous bleak assessments—not to mention devastating government data breaches—the stats are jarring nonetheless. Not only are so many agencies vulnerable, but over half lack even the ability to determine what software runs on their systems. And only one in four agencies could confirm that they have the capability to detect and investigate signs of a data breach, meaning that the vast majority are essentially flying blind. "Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents," the report states bluntly.
Perhaps most troubling of all: In 38 percent of government cybersecurity incidents, the relevant agency never identifies the "attack vector," meaning it never learns how a hacker perpetrated an attack. "That’s definitely problematic," says Chris Wysopal, CTO of the software auditing firm Veracode. "The whole key of incident response is understanding what happened. If you can’t plug the hole the attacker is just going to come back in again."
Producing the "Risk Determination Report and Action Plan" was a requirement of the Trump administration's May cybersecurity Executive Order, and while passing the EO was a positive step in terms of prioritizing digital defense, progress overall has been mixed. The report also comes at a time when the White House has been sending conflicting messages about its focus on cybersecurity—last month the Trump administration eliminated its top two cybersecurity policy and management leadership roles including one that specifically oversaw federal government cybersecurity.
In a letter on Wednesday, a group of 12 Democratic senators asked national security adviser John Bolton to reconsider cutting the positions. "The Cybersecurity Coordinator historically has worked with agencies to develop a harmonized strategy," the senators wrote. "While we recognize the importance of streamlining positions, we are concerned the decision to eliminate this role will lead to a lack of unified focus against cyber threats."
Security analysts worry that without that specific oversight, discussion about current deficiencies and recommendations for fixing them will go nowhere.
"My initial gut feeling about the report was 'oh good they’re paying attention and starting to address these issues,'" says Alex Heid, chief research officer at the risk management firm SecurityScorecard, which tracks cybersecurity preparedness across the government and other sectors. "But the findings really highlight the blind spots. There's still a long way to go, because it’s such a massive problem and there has not been any real accountability."
Creating that accountability is one of the report's four recommendations, along with increasing awareness, implementing existing government guidelines and frameworks, and consolidating and standardizing defense to use resources more efficiently. Some argue, though, that the document is too vague about both the problems and the fixes. For example, it doesn't name the agencies it surveyed or where they fall in the assessment. As a result, it's difficult to tell whether the agencies at risk are relatively benign, or huge institutions that manage an array of deeply sensitive data. Similarly, the report gives aggregate information about security incidents, but doesn't offer any granularity for minor blips versus major catastrophes.
"The government CISOs and CIOs I've talked to know what their issues are and they’re on a path of fixing what they can with what they’ve got and asking for more budget," says Michael Chung, head of government solutions at the bug bounty facilitator Bugcrowd, who recently left the Pentagon's Defense Digital Services. "But with the top cyber positions gone there is a gap in leadership, so I take this report with a grain of salt."
Safety concerns likely limit exactly how much OMB can disclose, but after years of increased awareness about the shortcomings of federal cybersecurity defenses, analysts worry that the report is simply perfunctory. "One thing they seem to have kind of punted on is the whole legacy tech modernization issue," Veracode's Wysopal notes. "And to me that’s probably the biggest and most important issue. Agencies are using five different versions of Windows going back 10 years, running multiple versions of things like Java and Flash, and their email is a huge mess. You’re never going to be able to hire enough personnel to manage all that risk without simplifying and standardizing."
The OMB says that the report represents a plan for implementing defense improvements and reducing risk over the next 12 months, but it's unclear how such generalized recommendations translate to tailored one-year programs across dozens of organizations. And even if it did, the report itself notes the barriers to effecting positive change. "The assessments show that CIOs and CISOs often lack the authority necessary to make organization-wide decisions," it notes, calling the finding "concerning." Without leadership at the very top of each organization and from the White House, some observers doubt that it will actually be possible to make big changes in the near future.