Study: Federal agencies still lack strong cyber hygiene practices
The OPM's latest cybersecurity troubles underscore the themes presented in a new study that reveals a lack of strong cyber hygiene practices among federal government agencies.
A new survey study showing how federal agencies and their IT contractors still do not have a firm grasp of proper cybersecurity practices was ironically released just days after the third-party contractor hired to fortify the U.S. Office of Personnel Management's (OPM) systems suddenly quit partway through the job.
The joint study, conducted in March by cybersecurity education and certification institution (ISC)2 and the professional services firm KPMG, sought the opinions of 54 cyber executives in the U.S. federal government, either working as agency employees or contractors. “The State of Cybersecurity from the Federal Cyber Executive Perspective” research report found that 40 percent of respondents said that their agency's incident response plan was not effective in responding to cyberattacks, even after the OPM data breach in June 2015 that exposed 21.5 million records and prompted calls for sweeping IT security reforms.
Moreover, 52 percent of respondents opined that that the Cyber Sprint mechanisms put in place by federal CIO Tony Scott – intended to rapidly implement several high-priority cybersecurity procedures in the wake of the OPM breach – did not improve the overall security of federal information systems. Perhaps worse, 25 percent of respondents said their agency made no changes following the breach (although 35 percent said the breach resulted in a greater emphasis on various preventative measures, such as multi-factor authentication).
The findings appear to jibe with reports earlier this month that Arlington, Virginia-based Imperatis Corporation, a third-party contractor hired to harden OPM's cyber defenses, abandoned the project. According to a report by Nextgov, the OPM claims that Imperatis employees stopped showing up to work in May, effectively ceasing operations on the company's $20 million contract due to “financial distress.” OPM spokesman Sam Schumach also said in the article that the setback would have “very little impact on current OPM operations,” considering the contract was slated to end in June anyway.
In an update to the story, Imperatis responded to Nextgov, issuing a statement that read: “The company is confident that as and when the full facts are publicly available, they will completely contradict the mischaracterization of the company's performance being reported at this time.”
Other findings from (ISC)2 report that looked beyond just the OPM breach were similarly discouraging. For instance, 59 percent of respondents agreed that their particular agency struggles to understand how attackers could potentially breach their systems, while 40 percent said their agencies were not fully aware of the location of key assets that hackers might steal, corrupt or hijack. And 60 percent disagreed with the notion that the federal government as a whole currently has the capability to detect ongoing cyberattacks.
Dan Waddell, CISSP and managing director of (ISC2)'s North American region, told SCMagazine.com that government cyber executives are clearly worried that “adversaries are moving at light speed, and because the government is still very bureaucratic, and filled with processes and red tape… a lot of times they just can't keep up with the attacks.”
Chief among the causes that respondents blamed for government agencies' lack of advancement in cybersecurity was insufficient funding (65 percent), followed by a lack of accountability (48 percent) and lack of understanding (48 percent). Regarding the dearth of funding, Waddell was cautiously optimistic that after the presidential election, Congress will “give security folks some authority to make [cybersecurity] decisions and divert resources toward that.”
Non-IT employees also present a threat because they don't necessarily see cybersecurity compliance and best practices as their personal responsibility. Indeed, 42 percent of respondents said that people are currently the biggest vulnerability to cyberattacks. And while 91 percent of survey takers said their IT departments considered cybersecurity to be an important or very important priority, the numbers were far less optimistic when addressing other departments (56 percent for HR, 56 percent for purchasing and procurement, and 41 percent for public relations).
“There needs to be fundamental shift in how they [agencies] train all users within the agency that cybersecurity is part of everyone's job. Until we do that, we're still going to see agencies struggle to cope,” said Waddell. “Breaches are going to happen, but if everyone is on board, we're going to minimize a lot of damage and a lot of that risk.”
In addition to better training, the report also recommends that agencies upgrade their malware detection software from traditional signature-based solutions to predictive, behavior-based solutions.
Waddell said that moving forward, the key is practicing sound cyber hygiene, all year round, as opposed to reacting after the fact, like with the OPM breach. “If you're only going to the doc when something goes wrong, you're not practicing basic hygiene,” said Waddell. And that doctor visit “is going to be very painful.”