Government Cybersecurity Report Commissioned by President Trump Finds Much to Be Fixed
The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) released a report this week that finds 71 of 96 agencies (74%) participating in the risk assessment process have cybersecurity programs that are either at risk or high risk. The report is the outcome of an executive order signed by President Trump when he first took office.
The Federal Cybersecurity Risk Determination Report and Action Plan concludes that, because limited cyber resources are allocated ineffectively, agencies have enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures.
The four core recommendations the report makes to address these issues are:
- Increase cybersecurity threat awareness among Federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency security operation centers to improve incident detection and response capabilities and share threat information more effectively;
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and more OMB cybersecurity engagements involving agency leadership.
The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events to better identify trends or changes in the activities of cyber adversaries. Despite the existence of that framework, the report concludes that individuals charged with defending agency networks often lack timely information regarding the tactics, techniques, and procedures that threat actors use to exploit government information systems. In fact, the report says situational awareness is so limited that Federal agencies could not identify the method of attack, or attack vector, in 11,802 of the 30,899 cyber incidents (38 percent) that led to the compromise of information or system functionality in fiscal 2016.
Furthermore, OMB found that only 59 percent of agencies reported having processes in place to communicate cyber risks across their enterprises. OMB concludes that agencies are not effectively using the information already available to them, such as threat intelligence, incident data, and network traffic flow data, to determine the extent to which assets are at risk or to make informed decisions about how to prioritize resource allocations.
The report also notes that agencies continue to spend their limited cyber funding on single-point solutions for perceived security gaps rather than on the gaps that threat actors are actually exploiting. Federal civilian agencies project FY 2017 spending of $5.7 billion on cyber defenses across the security functions defined by the National Institute of Standards and Technology (NIST), versus $5.0 billion in FY 2016, without a sense of prioritization or actual return on investment.
Other areas in need of improvement as identified by OMB include:
- Only 55 percent of agencies limit access based on user attributes and roles.
- Only 57 percent review and track administrative privileges.
- Only 49 percent of agencies can detect and allow-list the software running on their systems.
- Only 40 percent of agencies have the ability to detect the encrypted exfiltration of information at governmentwide target levels.
- Only 27 percent of agencies report that they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.
- Only 52 percent of agencies reported having validated incident response roles during testing over the past year.
- Only 17 percent of agencies analyze incident response data after an incident has occurred.
- Fewer than 16 percent of agencies can encrypt data at rest, but 73 percent of agencies report being able to encrypt data in transit.
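The "large volumes of data" item above is the one most agencies said they could not detect. As an added illustration (this is not code from the article, from OMB, or from any agency), the script below shows the basic shape of such a detection: it reads file-access audit records, aggregates each user's reads over a sliding time window, and flags any user whose byte total or distinct-file count exceeds a threshold. The audit line format, the sample records, and the threshold values are all assumptions chosen for the example; in practice the thresholds would be derived from a per-user or per-share baseline rather than fixed constants.

```python
"""Volumetric data-access detection over file-audit records (added example).

Assumed line-oriented audit format (not a real product's format):
    <ISO8601 timestamp> <user> <action> <path> <bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Detection thresholds: assumptions for illustration; tune to your baseline.
WINDOW = timedelta(minutes=10)
MAX_BYTES_PER_WINDOW = 1_000_000   # more than ~1 MB read within WINDOW
MAX_DISTINCT_FILES = 5             # or reads of 5+ distinct files within WINDOW

# Constructed sample records (not real data). alice reads six HR files in
# 30 seconds, bob re-reads one file, carol reads three files hours apart.
SAMPLE_LOG = """\
2018-05-30T09:00:01Z alice READ /share/hr/payroll_q1.xlsx 240000
2018-05-30T09:00:05Z alice READ /share/hr/payroll_q2.xlsx 250000
2018-05-30T09:00:09Z alice READ /share/hr/payroll_q3.xlsx 230000
2018-05-30T09:00:14Z alice READ /share/hr/payroll_q4.xlsx 260000
2018-05-30T09:00:20Z alice READ /share/hr/benefits.xlsx 300000
2018-05-30T09:00:31Z alice READ /share/hr/ssn_list.csv 180000
2018-05-30T09:01:00Z alice WRITE /tmp/archive.zip 1500000
2018-05-30T09:05:00Z bob READ /share/hr/handbook.pdf 400000
2018-05-30T09:06:00Z bob READ /share/hr/handbook.pdf 400000
2018-05-30T08:00:00Z carol READ /share/hr/payroll_q1.xlsx 240000
2018-05-30T11:00:00Z carol READ /share/hr/payroll_q2.xlsx 250000
2018-05-30T14:00:00Z carol READ /share/hr/payroll_q3.xlsx 230000
"""


def parse_line(line):
    """Split one audit record into a dict; timestamps are treated as UTC."""
    ts, user, action, path, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "action": action,
        "path": path,
        "bytes": int(nbytes),
    }


def detect_bulk_access(lines, window=WINDOW,
                       max_bytes=MAX_BYTES_PER_WINDOW, max_files=MAX_DISTINCT_FILES):
    """Return one alert per user whose READ activity exceeds either threshold
    in any sliding window; the alert reports the window with the largest byte total."""
    by_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "READ":          # writes are out of scope here
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start, total, worst = 0, 0, None
        files = defaultdict(int)            # path -> reads currently inside the window
        for ev in events:
            total += ev["bytes"]
            files[ev["path"]] += 1
            # Evict records older than the window cutoff (two-pointer sweep).
            while events[start]["ts"] < ev["ts"] - window:
                old = events[start]
                total -= old["bytes"]
                files[old["path"]] -= 1
                if files[old["path"]] == 0:
                    del files[old["path"]]
                start += 1
            if total > max_bytes or len(files) >= max_files:
                if worst is None or total > worst["bytes"]:
                    worst = {
                        "user": user,
                        "window_start": events[start]["ts"],
                        "window_end": ev["ts"],
                        "bytes": total,
                        "files": len(files),
                    }
        if worst is not None:
            alerts.append(worst)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"{alert['user']}: {alert['bytes']} bytes across {alert['files']} files "
              f"between {alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

On the constructed records, only alice is flagged: her six reads total 1,460,000 bytes across six distinct files inside one ten-minute window, while bob stays under the byte threshold on a single file and carol's reads never share a window. The sliding-window sweep is what keeps this O(n) per user; a naive "sum everything per user per day" query would either miss a short burst or drown it in a day's legitimate activity.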
OMB is making recommendations to address all these issues. But in truth, the cybersecurity issues that government agencies are being asked to address are not all that different from what most enterprise IT organizations are trying to resolve. Because of the nature of the data that Federal and local government agencies collect, they are obviously more likely to be the focus of concerted cybersecurity attacks. When it comes to defending those assets, many government agencies around the world simply don't have the funds or the process expertise required to mount an effective defense.
None of these issues are going to be fixed overnight. They have been decades in the making and consequently will take years to address. But as is often the case with any meaningful change, the first step is always accepting the fact that there is a problem big enough to be worth fixing.