Emerging cyber threats demand new thinking
Government agencies need a better approach to dealing with cybersecurity threats, and they know it.
A recent survey by the 1105 Government Information Group found that a broad range of potential threats worries agency officials, and that they are aware of several weaknesses in their ability to respond to those threats.
The top threat, according to the survey, is information loss from data leakage or systems attacks, with 48 percent of respondents saying their agencies were very concerned about it. But at least 40 percent of respondents indicated their agencies were similarly concerned about four other threats. (See chart.)
All told, 61 percent of respondents agreed that the advance of cybersecurity threats was outpacing their agencies’ efforts to keep up, while only 13 percent disagreed.
These findings align with the conclusions of a report the Obama administration released earlier this year.
“The federal information security defensive posture is a constantly moving target, shifting due to a relentless, dynamic threat environment, emerging technologies and new vulnerabilities,” administration officials wrote in the fiscal 2012 report to Congress on the implementation of the Federal Information Security Management Act of 2002.
Malware and spyware, which can reach a user’s system through e-mail or public websites, continue to be a pressing concern. The Obama administration reports that such malicious code is one of the most widely reported types of incidents across the government – and that agencies are actively taking measures to counter it.
But such measures must encompass more than technology. The administration is encouraging agencies to focus on improving their employees’ cybersecurity competencies to combat social engineering, phishing and insider threat attacks, the report states.
In a February report, auditors at the Government Accountability Office urged agencies to take an even broader view of cybersecurity. “Technologies do not work in isolation,” they wrote. “Cybersecurity solutions make use of people, process and technology.”
Despite those recommendations, government officials are not confident in agencies’ ability to execute holistic approaches to security, the 1105 Government Information Group survey found.
Although most respondents gave their own and other agencies good marks on developing security policies, by and large they gave low marks all around for implementing security solutions that incorporate people, processes and technology. (See chart.)
The survey also found that respondents were not confident about the quality of risk assessments being performed across government. That sentiment is echoed in the GAO report. Although agencies continue to make progress in many aspects of cybersecurity, they are regressing in the area of risk assessments, the GAO report found.
In fiscal 2010, 13 of 24 inspectors general reported that their agencies were in compliance with risk management requirements. Only eight of 22 could do so for fiscal 2011.
But help is on the way. In late 2012, the Homeland Security Department announced plans to award blanket purchase agreements for continuous-monitoring tools in addition to a continuous-monitoring-as-a-service solution.
The Continuous Diagnostics and Mitigation program is intended to provide federal, state and local agencies with the ability to “improve their existing continuous network monitoring capabilities, correlate and analyze critical security-related information, and enhance risk-based decision-making at the agency and federal enterprise levels,” according to the request for quotes.
However, some experts say more needs to be done.
In March, SafeGov, a forum of information technology industry experts focused on promoting the use of trusted cloud solutions, proposed a new approach to assessing cybersecurity risks at federal agencies. Its Organizational Cyber Risk Indicator was developed by aggregating the results of the FISMA evaluations performed by inspectors general across government.
The report also recommends assessing the risk associated with specific information assets, rather than with the information systems themselves. The problem with the traditional system-centric model is that it does not account for the protection of information as it moves from one system to another.
“By shifting from a ‘systems’ approach to a more integrated and holistic ‘information’ perspective, agency leaders can better emphasize ‘data protection’ and address multiple policies and statutes including the Privacy Act and FISMA, among others,” the SafeGov report states.
Additionally, the report encourages agencies to look at risk in terms of an agency’s broader organizational priorities. Once they understand those priorities, cybersecurity officials can determine which information assets are associated with them. That will ensure that they invest their resources where they’re most needed.