Research published by SecurityScorecard found that although federal and state governments have improved their cybersecurity since the rating system’s last report, they still rank below most industries in the U.S.
“Compared to last year, government has moved from the lowest performing industry, past telecommunications and education,” the report said. “However, this relative improvement still leaves government agencies as the third-lowest performing industry when compared to the cybersecurity of 17 other major industries.”
“Since our last report in 2016, U.S. state and federal government cybersecurity issues have gained national attention,” said Sam Kassoumeh, COO and co-founder at SecurityScorecard. “On an almost daily basis, the institutions that underpin the nation’s election system, military, finances, emergency response, transportation, and many more, are under constant attack from nation-states, criminal organizations, and hacktivists. Government agencies provide mission-critical services that, until they are compromised, most people take for granted. This report is designed to educate elected officials, agency leadership, as well as government security professionals about the state of security in the government sector.”
However, not all government organizations performed poorly, as the U.S. Secret Service, National Highway Traffic Safety Administration, Internal Revenue Service, and the Federal Reserve all achieved relatively high scores overall.
The scorecard found that network security was one of the weakest cybersecurity areas within government.
“The core principle of network security is to close off and secure external access to all internal systems, with an exception for critical systems that need to stay exposed to the Internet,” the report said. “Over the years, network security has evolved rapidly with firewalls, intrusion detection systems (IDSs), packet filtering routers, and advanced network threat detection systems becoming available, giving organizations the flexibility and tools necessary to keep their network safe. Stronger scores in this category can indicate use of these tools to safeguard against new threats and methods of attack.”
Government organizations also ranked poorly in hacker chatter, meaning they were mentioned often in underground hacker forums, though this does not necessarily indicate a failing on the government’s part.
“In this case, a low score in hacker chatter for government is not surprising and is not necessarily indicative of as big of a security weakness as it may appear,” the report said. “Oftentimes hackers are mentioning government websites because they are talking about these agencies sanctioning hackers or cracking down on enforcement.”
Government scored well in areas like social engineering, where spammers often trick employees into disclosing information; Cubit scores, which grade how accessible administrative portals are to the public; and Domain Name System health, which protects against hackers using that system to perform reconnaissance on an organization.
The report evaluated government organizations of all sizes, and found that small, medium, and large organizations fell all along the spectrum of scores.
According to the report, smaller organizations have a smaller attack surface, but also fewer IT resources to devote to cybersecurity. Conversely, larger organizations tend to have more resources but a larger attack surface to defend.
“However, many large government organizations have not developed sufficient cybersecurity capabilities yet,” the report said. “Historically, it’s exactly these sorts of large government agencies that put significant investments into technology, dating back to the start of the Internet. So if they’ve invested in technology and made efforts to harden their defenses in recent years, why are these large government organizations still coming up short? The problem is those old technology investments are still sitting there. A museum-worthy collection of technology investments through the ’80s, ’90s, and mid-2000s full of vulnerabilities sit alongside new emerging (and often misconfigured) technology, creating a horrible hodgepodge of cybersecurity risks.”