The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks, and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.”
All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place).
The report, which you can read here, lists four major findings, each of which with its own pitiful statistics and recommendations that occasionally amount to a complete about-face or overhaul of existing policies.
1. “Agencies do not understand and do not have the resources to combat the current threat environment.”
The simple truth and perhaps origin of all these problems is that the federal government is a slow-moving beast that can’t keep up with the nimble threat of state-sponsored hackers and the rapid pace of technology. The simplest indicator of this problem is perhaps this: of the 30,899 (!) known successful compromises of federal systems in FY 2016, 11,802 of them never even had their threat vector identified.
38 percent of attacks had no identified method or attacker.
So for 38 percent of successful attacks, they don’t have a clue who did it or how!
This lack of situational awareness means that even if they have budgets in the billions, these agencies don’t have the capability to deploy them effectively.
While cyber spending increases year-over-year, OMB found that agencies are not effectively using available information, such as threat intelligence, incident data, and network traffic flow data to determine the extent that assets are at risk, or inform how they to prioritize resource allocations.
To this end, the OMB will be working with agencies on a threat-based budget model, looking at what is actually possible to affect the agency, what is in place to prevent it, and what specifically needs to be improved.
2. “Agencies do not have standardized cybersecurity processes and IT capabilities.”
There’s immense variety in the tasks and capabilities of our many federal agencies, but you would think that some basics would have be established along the lines of best practices for reporting, standard security measures to lock down secure systems, and so on. Nope!
For example, one agency lists no fewer than 62 separately managed email services in its environment, making it virtually impossible to track and inspect inbound and outbound communications across the agency.
51 percent of agencies can’t detect or whitelist software running on their systems
Only half of the agencies the OMB looked at said they have the ability to detect and whitelist software running on their systems. Now, while it may only be needed on a case by case basis for IT to manage users’ apps and watch for troubling processes, well, the capability should at least be there!
When something happens, things are little better: 59 percent of agencies have some kind of standard process for communicating cyber-threats to their users. So, for example, if one of their 62 email systems has been compromised, the agency as likely as not has no good way to notify everyone about it.
And only 30 percent have “predictable, enterprise-wide incident response processes in place,” meaning once the threat has been detected, only one in three has some kind of standard procedure for who to tell and what to tell them.
Establishing standard processes for cybersecurity and general harmony in computing resources is something the OMB has been working on for a long time. Too bad the position of cyber coordinator just got eliminated.
3. “Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration.”
Monitoring your organization’s data and traffic, both internal and external, is a critical part of any cybersecurity plan. Time and again federal agencies have proven susceptible to all kinds of exfiltration schemes, from USB keys to phishing for login details.
73 percent can’t detect attempts to access large volumes of data.
Turns out that only 27 percent of the agencies even “have the ability to detect and investigate attempts to access large volumes of data.”
Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.
Hard to secure your data if you can’t see where it’s going. After the “high-profile incidents” to which the OMB report alludes, one would think that detection and lockdown of data repositories would be one of the first efforts these agencies would make.
Perhaps it’s the total lack of insight into how and why these things occur. Only 17 percent of agencies analyzed incident response data after the fact, so maybe they just filed the incidents away, never to be looked at again.
The OMB has a smart way to start addressing this: one agency that has its act together will be designated a “SOC [Secure Operations Center] Center of Excellence.” (Yes, “Center” is there twice.) This SOC will offer secure storage and access as a service to other agencies while the latter improve or establish their own facilities.
4. “Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks”
There’s a bit of overlap with 2 here, but redundancy is the name of the game when it comes to the U.S. government. This one is a bit more focused on the leadership itself.
While most agencies noted… that their leadership was actively engaged in cybersecurity risk management, many did not, or could not, elaborate in detail on leadership engagement above the CIO level.
Federal agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cybersecurity risks across the agency.
84 percent of agencies failed to meet goals for encrypting data at rest.
In other words, cyber is being left to the cyber-guys, with little guidance or clout offered by the higher-ups at the agencies. That’s important because, as the OMB notes, many decisions or requests can only be made by those higher-ups. For example, budgetary concerns.
Despite “repeated calls from industry leaders, GAO [the Government Accountability Office], and privacy advocates” to utilize encryption wherever possible, less than 16 percent of agencies achieved their targets for encrypting data at rest. 16 percent! Encrypting at rest isn’t even that hard!
Turns out this is an example of under-investment by the powers that be. Non-defense agencies budgeted a total between them of under $51 million on encrypting data in FY 2017, which is extremely little even before you consider that half of that came from two agencies. How are even motivated IT departments supposed to migrate to encrypted storage when they have no money to hire the experts or get the equipment necessary to do so?
“Agencies have demonstrated that this is a low priority…it is easy to see government’s priorities must be realigned,” the OMB remarked.
While the conclusion of the report isn’t as gloomy as the body, it’s clear that the OMB’s researchers are deeply disappointed by what they found. This is hardly a new issue, despite the current President’s designation of it as a key issue — the previous Presidents did as well, but movement has been slow and halting, punctuated by disastrous breaches and embarrassing leaks.
The report declines to name and shame the offending agencies, perhaps because their failings and successes were diverse and no one deserved worse treatment than another, but it seems highly likely that in less public channels those agencies are not being spared. Hopefully this damning report will put spurs to the efforts that have been limping along for the last decade.