Most federal agencies have no way of effectively detecting when data is stolen, according to a new 22-page report published by the White House Office of Management and Budget last week.
But cybersecurity experts aren’t exactly surprised by the dismal findings. The Federal Cybersecurity Risk Determination Report and Action Plan is an Executive Order-mandated annual assessment of the federal government’s cyber defenses. This year, it concluded that 73 percent of federal agency programs simply can’t detect when large amounts of information leave their networks.
“DHS and agencies acknowledge that more work and collaboration must be done to better protect federal networks,” a Department of Homeland Security official said in a statement sent to Mashable. “Cyber threats to government networks and other critical infrastructure are one of our Nation’s most pressing security challenges.”
The official said the department is working with federal enterprises to protect their information systems and will first focus on securing “the highest impact systems, assets, and capabilities.”
The report says there were more than 30,000 cyber attacks on the federal government in 2016 that resulted in lost information and compromised systems, but in 38 percent of those attacks (nearly 12,000 of the incidents), the government had no idea where the attacks came from or how they got into the systems.
“What they’re saying is that they don’t have the resources to trace back and go probe through the logs — the network log of traffic — to identify exactly what happened or how the attack was structured,” John Williams, a professor at MIT who teaches about cybersecurity, told Mashable. “We’re not in a great situation at the moment. The attackers are probably learning faster than the cybersecurity community in the U.S., at the moment. We realize we’re up against attackers with significant resources.”
And what’s even scarier about this statistic, he said, is that attackers “will usually be in the company or the agency — and certainly with corporations — for almost a year before they launch an attack.” In other words, they familiarize themselves with how the computer systems function before deploying their cyber attack.
Although Williams said the report’s findings have been common knowledge among cybersecurity professionals, he said the low rate of cyber awareness from federal agencies was abnormal.
Richard Forno, director of the cybersecurity graduate program at the University of Maryland, Baltimore County, echoed Williams’ analysis and said even a simple Google search could turn up results that warned about our dire state of federal cybersecurity decades earlier.
“Government reports like this just literally say the same thing year after year: ‘here are a couple of recommendations on how we can fix things’ and a year goes by, and it says the exact same thing,” Forno said.
“Looking at the recommendations — I mean, it’s nice that they have recommendations — but again, why in 2018 are they still finding there’s limited situational awareness? The federal government has been on the internet for 20-ish years, and they still don’t know what’s going on on their networks. I mean, 20 years is a long time, even by government standards,” he added.
The report was released on the heels of the Trump administration eliminating the top cybersecurity position in the National Security Council last week. The new national security adviser, John Bolton, deemed the position unnecessary, which prompted a bevy of senators to voice their opposition on social media.
“Here’s the point: we should be investing in our nation’s cyber defense, not rolling it back. We also need to articulate a clear cyber doctrine,” tweeted Mark Warner of Virginia, an outspoken cybersecurity advocate. “I don’t see how getting rid of the top cyber-official in the White House does anything to make our country safer from cyber-threats.”
Warner cofounded the bipartisan Cybersecurity Caucus in 2016, which focused on helping the Senate stay updated on cybersecurity developments, and he is currently working on a bill that would require devices purchased by the U.S. government to meet certain minimum security requirements.
“Agencies don’t have the ability to understand how vulnerable they are, and where vulnerabilities exist. And because they’re not equipped to make those determinations, they are making poor and inefficient allocation decisions with their limited IT resources,” Sen. Warner told Mashable. “This is a further indication that the existing model for cybersecurity isn’t working.”
And it hasn’t for a long time.
Williams said the decentralized nature of the federal agencies feeds into the high security risks: like other bureaucratic systems, a decentralized structure is hard to control and makes sweeping change difficult.
He basically summed it up with his one-sentence takeaway from the report: “It’s pretty clear that the government agencies are not in the greatest of shape in respect to cybersecurity.”