Federal agencies are facing a tall order in cleaning up their cybersecurity practices in the wake of some tough love dished out by the Office of Management and Budget (OMB) in a risk assessment and action plan released May 30. Agencies need to streamline processes, better share information, and find ways of getting a better return on their cyber investments, all of which can be harder than it sounds.
OMB and the Department of Homeland Security examined the cybersecurity programs of 96 agencies and rated 71 of them, or 74 percent, either “at risk” (revealing “significant gaps” in cyber policies, processes, or tools), or at “high risk” (where essential policies, processes, or tools are either not sufficiently in place or not there at all). Of the 96 programs, 12 were deemed “high risk,” 59 “at risk,” and 25 “managing risk.”
Among the most damning of the report’s findings are what could be called, in the parlance of asymmetrical warfare, the known unknowns. That is, OMB and DHS found that in 38 percent (11,802 of 30,899) of the cyber incidents that led to compromise of information or systems in fiscal 2016, agencies could not identify the method of attack or the attack vector. Many agencies also are unaware when a breach is in progress, with only 40 percent saying they can “detect the encrypted exfiltration of information at government-wide target levels,” and 27 percent saying they are able to detect and investigate attacks on large data stores.
“Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years,” the report says. The most glaring example is the 2015 hack of the Office of Personnel Management (OPM) itself, in which hackers, reportedly from China, camped out for months on OPM’s systems before stealing sensitive personal data on more than 20 million people.
Although weaknesses in Federal systems aren’t new, the OMB report provides the most comprehensive view yet of where agencies stand, and it’s not a particularly impressive posture. With that in mind, the report, which was mandated last year by a White House executive order, calls for “bold approaches” to shore up Federal networks.
First on the list is implementing the government’s Cyber Threat Framework, which employs common terminology and consistent practices to better identify threats and share information. It aligns with the National Institute of Standards and Technology’s similarly named Cybersecurity Framework, which recently was released in Version 1.1, and also has been adopted by the Department of Defense and the National Security Agency. (Although DoD isn’t covered by OMB’s report, it faces the same threats and many of its announced cyber programs dovetail with what OMB recommends.)
The report also recommends:
- Standardizing IT and cyber operations as a way of controlling costs and making better use of IT assets.
- Consolidating Security Operations Centers (SOCs) to improve detection and response (an approach DoD is similarly taking with its Joint Regional Security Stacks). OMB notes that many agencies are short on employees who can properly run a SOC, and that others have multiple SOCs that don’t communicate with each other, hoarding rather than sharing threat intelligence.
- Improving governance of cybersecurity processes, including opening up lines of communication with OMB and agency leaders, and instituting recurring risk assessments.
Underlying many of the report’s findings and recommendations is how agencies spend their cybersecurity money. A lack of standardization, limited consolidation, and poor information sharing have contributed to a scattered cybersecurity environment where agencies aren’t getting the most out of their investments.
In a blog post that appeared the same day as the report, Federal CIO Suzette Kent and acting Chief Information Security Officer Grant Schneider pointed out the discrepancies between what the Federal government spends ($5.7 billion in fiscal 2017) and what it gets in terms of valuable data. “This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers [they are] facing in the digital wild,” they wrote.
Kent and Schneider said that getting a greater return on cyber spending is part of the focus, and that OMB’s report will inform the upcoming budget process, which will seek “to drive strategic investments designed to buy down the Federal Government’s overall level of risk.”