Modern field guide to security and privacy

Survey: Federal agencies woefully unprepared to stop data breaches

Nine in 10 federal information technology officials say their agencies still aren't doing enough to prevent data breaches despite increased spending on cybersecurity efforts.

Jonathan Ernst/Reuters
The IRS.

Despite the US government's increased spending on cybersecurity protections, a survey released Friday found that 90 percent of federal technology officials say their agencies remain dangerously vulnerable to breaches. 

In fact, some 60 percent of tech officials surveyed said their organizations have suffered some kind of breach in the past year. 

As Washington has been rocked by computer attacks over the past year, such as the massive Office of Personnel Management hacks that exposed millions of sensitive documents, tech workers remain pessimistic about Washington's ability to improve its defenses against malicious hackers.

The tech analysis firm 451 Research recently polled more than 100 officials who work at federal government agencies as part of a much larger survey that canvassed more than 1,000 tech executives worldwide. Vormetric, the cybersecurity firm that commissioned the research, said that the responses about US government cybersecurity preparedness were drawn just from participants working at federal agencies.

The survey comes on the heels of a government report showing that cybersecurity incidents at government agencies were up 10 percent compared to last year. The Office of Management and Budget reported to Congress last week that the US-Computer Emergency Response Team received notice of 77,183 incidents over the past year.

The OMB figures and those from Vormetric and other recent surveys paint a familiar picture of the federal government’s continuing struggle to bolster cybersecurity amid fast-evolving threats and increasingly sophisticated adversaries.

Over the past few years, billions of dollars have been spent on ramping up federal information security technologies and skills. For 2017, the Obama administration has proposed a cybersecurity budget of $19 billion, up 35 percent from this year’s budget. The current budget of $14 billion is itself 10 percent higher than 2015’s budget.

The spending and numerous cybersecurity initiatives by government have resulted in some positive change. There's broader use of new monitoring and threat detection tools. Most importantly, over the past 12 months, federal agencies have also sharply increased the use of two-factor authentication technologies for accessing computer systems.

That does not appear to be enough. Many federal agencies are stuck with antiquated systems that are ill-equipped to handle modern security challenges, and budget constraints limit their ability to modernize.

There’s also a disconnect between what agencies spend their budgets on and what’s needed to really ensure data security, said Sol Cates, chief security officer at Vormetric.

For example, many agencies appear to be placing a higher emphasis on breach detection while paying less attention to actually preventing breaches, Mr. Cates said.

There’s also an enormous amount of money being spent on wasteful activities, said Alan Paller, research director at the SANS Institute. "You don’t and won’t see commercial companies spending on security the way the government does," Mr. Paller says.

“Commercial companies know better than to spend 20 to 40 percent of their budget paying consultants to interview people and write reports,” on cybersecurity, said Paller, whose organization offers security training and certification programs for government and industry.

A Cybersecurity National Action Plan (CNAP) announced by the White House in February proposes $3.1 billion to replace old systems that have become too complex and expensive to maintain. The plan also invests $62 million in scholarships and establishing national centers for excellence for those interested in cybersecurity careers in government.

But with just months left in the Obama administration, stopping breaches will depend on implementing CNAP proposals quickly. Inertia and an inherent resistance to change continue to be huge factors within government, said Ben Johnson, a former National Security Agency analyst and chief security strategist for security vendor Carbon Black.

"Historically people or technology that get into government stay there a long time," he said.

CORRECTION: This story was updated to correctly state the number of federal IT workers who say the government isn’t prepared to defend against cyberattacks.

 
