With all the talk about cyber security risks in the news, you would think that the U.S. federal government would be doing a better job of protecting its data from cyber attacks, including the very real threat of state-sponsored hackers. Yet, as a new Office of the Management and Budget (OMB) report points out, nearly 75 percent of federal agencies are still woefully unprepared to handle cyber security risks of any kind. This all comes on the heels of the United States government eliminating the position of federal cybersecurity czar earlier this year.
Report finds major cyber security risks
While the report, which was prepared in collaboration of the Department of Homeland Security (DHS), did not specifically call out which agencies were failing to respond to global cyber threats, it did suggest that the failures, gaps and inadequacies were relatively evenly distributed across the entire federal government. In fact, 71 of the 96 federal agencies reviewed were deemed to be “at risk” or “at high risk” of a cyber attack. The report defined “at risk” to mean that there were significant gaps in security preparedness, while “at high risk” means that fundamental processes were not even in place to deal with cyber security risks.
The final conclusion of the report was that the situation surrounding cyber security risks was “untenable” and needed to be addressed immediately. Federal agencies had little situational awareness, had few standardized processes in place for managing (or even reporting) attacks, and failed particularly when it came to encrypting data. It all paints a picture of federal agencies being unable to respond in the event of a major cyber attack.
Federal agencies need to improve in several key areas
Perhaps most damaging was the assessment that federal agencies don’t even know where cyber security risks are coming from, or how to respond to these security risks. The OMB report looked at more than 30,000 cyber attacks that took place in 2016 and found that in 38 percent of the cases, federal agencies could not even identify the threat vector. So how can you respond if you don’t even realize the full scope of the cyber security risks? This is what the OMB meant by a low level of situational awareness – the first step in any defense is simply being to recognize the scope and scale of the event so that a proper response can be planned.
Moreover, federal agencies have no standardized processes or IT capabilities in place. According to the OMB report, only one-half of federal agencies have the ability to detect and whitelist software on their systems. And only 59 percent of federal agencies have some standardized process in place to communicate cyber threats to users. So, combined with the low level of situational awareness, this means that even if the threat is identified, federal agencies have no standardized way to reach out to users and tell them what is happening.
And, wait, it gets worse than that. The OMB report specifically notes that most federal agencies lack real-time visibility into what’s happening inside their networks in terms of cybersecurity risks. For example, only 27 percent of federal agencies are able to detect and investigate attempts to access large amounts of data at one time. In other words, if cyber criminals or ransomware attackers were inside a network, slurping up user data, many federal agencies would be none the wiser. A major data breach might be in progress, and the federal government would have no way to know about these cyber risks.
The security system in place obviously needs to change, but as the OMB report points out, top-level executives are not actively involved in understanding, monitoring or responding to cyber risks. This would seem to be at odds with the original rationale for getting rid of the federal cybersecurity czar post. At the time, the Trump administration noted that the position was no longer necessary because all core functions – such as threat intelligence and management of cyber threats – was already a core function of federal agencies.
Implications for upcoming midterm elections
Clearly, threat intelligence is not a core function of federal agencies. And the topic is all the more relevant ahead of upcoming high profile midterm elections in the U.S. later this year. Despite concerns of state-sponsored actors hacking into the electoral process, there seems to be little urgency on the part of the government to protect and guarantee the validity and credibility of election results.
For example, consider that the U.S. Election Assistance Commission has still only disbursed approximately one-half of the $380 million earmarked for cybersecurity risk projects at the state level. While Texas ($23 million), New York ($19.5 million) and Florida ($19.2) have all received significant disbursements thus far, what about the other 47 states? If hackers are able to probe sensitive information at the federal level, isn’t it equally likely that they are able to challenge the information security of state electoral authorities?
Next steps for federal agencies as they counter cyber security risks
Clearly, the U.S. government needs to overhaul its risk management processes when it comes to dealing with cyber security risks. And, indeed, the report is expected to give momentum to a three-phase program initiated by the Department of Homeland Security that will upgrade the tools and insights need to deal with top security risks and increasingly sophisticated cyber attacks.
But is this a case of too little, too late? After all, this DHS upgrade to the cyber capabilities of federal agencies is only expected to go into effect later this year. Most likely, this would happen only after the midterm elections have already taken place.
Thus, coming up with a comprehensive approach to cyber security risks needs to be an immediate concern of the Trump administration, not something that can be pushed to the side for further review or handed over to elaborate blue ribbon panels to come up with new suggestions. Simple, fundamental steps – such as encrypting data within networks – need to happen immediately. Then, after those fundamental steps have been taken, it might be possible to layer in sophisticated tools that can limit the potential of cyber security risks to pose a real threat to federal agencies.