When it comes to cybersecurity, is our government strong or do red flags remain?
Last month, the Commission on Enhancing National Cybersecurity – a working group established by President Barack Obama to help identify ways to improve the nation’s cybersecurity posture – held its first three-hour meeting.
The first meeting appears to have been productive. According to an article in the Federal Times:
The commissioners spent most of the meeting getting on the same page — identifying the problem at hand and defining the scope of their work. Per their charter, the group plans to look at issues like government operations and acquisition, public awareness and education, critical infrastructure, using cyber insurance as an incentive and securing the Internet of Things.
Following this initial meeting, the commission will hold a handful of private and public meetings in various, disparate locations across the country to elicit feedback from citizens and – ultimately – draft a document of recommendations for review at a final meeting in Washington, D.C. in the fall.
But the fall is a long time away, and a lot can happen in just a few months, especially considering the nation’s current cybersecurity situation.
The time for recommendations and speculation has most likely passed. The government needs to act now. The federal government is already a favorite target for many different types of malicious actors. In addition to those who would hack government networks for information on government employees and constituents, state-sponsored attackers, hacktivists and other malicious actors pose a constant threat.
What’s worse – despite this large ecosystem of potential threats – the government’s networks are often cited among some of the most vulnerable in studies and reports by members of the cybersecurity industry. One such report was just released by a company called SecurityScorecard, which has built a platform that analyzes an organization’s security risk indicators to identify just what their risk profile looks like.
The study by SecurityScorecard, “analyzed and graded the current security postures of 600 local, state, and federal government organizations, each with more than 1,000 public-facing IP addresses, to determine the strongest and weakest security standards based on security hygiene and security reaction time compared to their peers.” And the results weren’t good.
In addition to giving the government the worst scores of any industry, including cybersecurity targets such as critical infrastructure, retail and finance, the report identified the following key takeaways:
- Government organizations struggled the most with three categories of security measurements: malware infections, network security and software patching cadence.
- 90 percent of state organizations with a SecurityScorecard grade below a “B” scored an “F” in software patching cadence and 80 percent scored an “F” in network security.
- 60 percent of low performers on the municipal level received an “F” in network security, 50 percent received an “F” in software patching cadence and 30 percent received an “F” in IP reputation (malware).
- NASA scored the worst among all 600 government organizations. Other bottom-performers included the US Department of State and the IT systems of Connecticut, Pennsylvania, and Washington.
To say that this report is concerning is a gross understatement. The federal government houses an incredible amount of information on its employees and its constituents. It also has access to classified information and data that could put American lives at risk. And, since everything the government purchases is bought with taxpayer dollars, the financial fallout of breaches falls firmly on the shoulders of the American people.
What do those costs look like? They can range into the hundreds of millions.
Just look at one of the highest-profile and most recent government data breaches – the cyberattack against the Office of Personnel Management (OPM). An article in Federal Computer Week from last September attempted to assign a dollar figure to that breach, and could only speculate that the number could be as much as three times higher than the $133 million figure shared by OPM. And that’s not including the updates to security systems and infrastructure that were accurately predicted to follow the breach.
The government simply can’t afford to have another breach of the scope of OPM.
For the rest of this month, we’ll be analyzing the government’s security posture, discussing the technologies that can help protect government networks, and speaking with government IT decision makers from both defense and civilian agencies about their security priorities in the coming fiscal year.
In the meantime, if you’d like to learn more about the OPM breach referenced above, listen to the recording of our recent webinar, “Anatomy of a Breach,” where we discuss the OPM breach and other high-profile cyberattacks.