Government investigation finds federal agencies failing at cybersecurity basics

The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway.
Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that "the current situation is untenable."
All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either "at risk" (significant gaps in security) or "high risk" (fundamental processes not in place).
The report, which you can read here, lists four major findings, each with its own pitiful statistics and recommendations that occasionally amount to a complete about-face or overhaul of existing policies.
1. "Agencies do not understand and do not have the resources to combat the current threat environment."
The simple truth and perhaps origin of all these problems is that the federal government is a slow-moving beast that can't keep up with the nimble threat of state-sponsored hackers and the rapid pace of technology.
The simplest indicator of this problem is perhaps this: of the 30,899 (!) known successful compromises of federal systems in FY 2016, 11,802 of them never even had their threat vector identified.
38 percent of attacks had no identified method or attacker.
So for 38 percent of successful attacks, they don't have a clue who did it or how! This lack of situational awareness means that even if they have budgets in the billions, these agencies don't have the capability to deploy them effectively.
While cyber spending increases year-over-year, OMB found that agencies are not effectively using available information, such as threat intelligence, incident data, and network traffic flow data to determine the extent that assets are at risk, or inform how they prioritize resource allocations.
To this end, the OMB will be working with agencies on a threat-based budget model, looking at what is actually possible to affect the agency, what is in place to prevent it and what specifically needs to be improved.
2. "Agencies do not have standardized cybersecurity processes and IT capabilities."
There's immense variety in the tasks and capabilities of our many federal agencies, but you would think that some basics would have been established along the lines of best practices for reporting, standard security measures to lock down secure systems and so on.
Nope! For example, one agency lists no fewer than 62 separately managed email services in its environment, making it virtually impossible to track and inspect inbound and outbound communications across the agency.
51 percent of agencies can't detect or whitelist software running on their systems.
Only half of the agencies the OMB looked at said they have the ability to detect and whitelist software running on their systems.
Now, while it may only be needed on a case by case basis for IT to manage users' apps and watch for troubling processes, well, the capability should at least be there!
When something happens, things are little better: 59 percent of agencies have some kind of standard process for communicating cyber threats to their users. So, for example, if one of their 62 email systems has been compromised, the agency as likely as not has no good way to notify everyone about it.
And only 30 percent have "predictable, enterprise-wide incident response processes in place," meaning once the threat has been detected, only one in three has some kind of standard procedure for who to tell and what to tell them.
Establishing standard processes for cybersecurity and general harmony in computing resources is something the OMB has been working on for a long time. Too bad the position of cyber coordinator just got eliminated.
3. "Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration."
Monitoring your organization's data and traffic, both internal and external, is a critical part of any cybersecurity plan.
Time and again federal agencies have proven susceptible to all kinds of exfiltration schemes, from USB keys to phishing for login details.
73 percent can't detect attempts to access large volumes of data.
Turns out that only 27 percent of the agencies even "have the ability to detect and investigate attempts to access large volumes of data."
Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.
Hard to secure your data if you can't see where it's going. After the "high-profile incidents" to which the OMB report alludes, one would think that detection and lockdown of data repositories would be one of the first efforts these agencies would make.
Perhaps it's the total lack of insight into how and why these things occur. Only 17 percent of agencies analyzed incident response data after the fact, so maybe they just filed the incidents away, never to be looked at again.
The OMB has a smart way to start addressing this: one agency that has its act together will be designated a "SOC [Secure Operations Center] Center of Excellence." (Yes, "Center" is there twice.) This SOC will offer secure storage and access as a service to other agencies while the latter improve or establish their own facilities.
4. "Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks."
There's a bit of overlap with 2 here, but redundancy is the name of the game when it comes to the United States government.
This one is a bit more focused on the leadership itself.
While most agencies noted… that their leadership was actively engaged in cybersecurity risk management, many did not, or could not, elaborate in detail on leadership engagement above the CIO level. Federal agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cybersecurity risks across the agency.
84 percent of agencies failed to meet goals for encrypting data at rest.
In other words, cyber is being left to the cyber-guys, with little guidance or clout offered by the higher-ups at the agencies. That's important because, as the OMB notes, many decisions or requests can only be made by those higher-ups. For example, budgetary concerns.
Despite "repeated calls from industry leaders, GAO [the Government Accountability Office], and privacy advocates" to utilize encryption wherever possible, less than 16 percent of agencies achieved their targets for encrypting data at rest. Sixteen percent! Encrypting at rest isn't even that hard!
Turns out this is an example of under-investment by the powers that be. Non-defense agencies budgeted a total between them of under $51 million on encrypting data in FY 2017, which is extremely little even before you consider that half of that came from two agencies.
How are even motivated IT departments supposed to migrate to encrypted storage when they have no money to hire the experts or get the equipment necessary to do so?
"Agencies have demonstrated that this is a low priority…it is easy to see government priorities must be realigned," the OMB remarked.
While the conclusion of the report isn't as gloomy as the body, it's clear that the OMB researchers are deeply disappointed by what they found. This is hardly a new issue, despite the current president's designation of it as a key issue — the previous presidents did as well, but movement has been slow and halting, punctuated by disastrous breaches and embarrassing leaks.
The report declines to name and shame the offending agencies, perhaps because their failings and successes were diverse and no one deserved worse treatment than another, but it seems highly likely that in less public channels those agencies are not being spared.
Hopefully this damning report will put spurs to the efforts that have been limping along for the last decade.