Cybersecurity concerns trouble feds

Federal workers don’t believe cybersecurity legislation will be effective, don’t want the Homeland Security Department to regulate information security and are more likely to be concerned about compliance than any particular security threat, a new report reveals.

According to an nCircle survey that included more than 100 federal employees and a few members of the general public, government programs designed to improve cybersecurity and ease the burden of compliance at agencies haven’t been successful.

Asked to choose from a list of top security concerns for 2012, 29 percent of survey respondents put compliance with federal standards at the top of the list. That was followed by cloud computing (20 percent), advanced persistent threat (17 percent), mobile devices/BYOD (14 percent) and virtualized infrastructure (9 percent).

“One of the most interesting things about the findings is in the biggest security concerns for 2012. In a list of challenging areas in terms of advanced persistent threat, securing mobile devices and virtual infrastructure, for almost three in 10 compliance was the biggest challenge,” said Keren Cummins, director of federal markets for nCircle. “To me that suggests something has gotten out of balance.”

People who responded to the survey, both federal workers and in the general public, overwhelmingly believe that data breaches are on the rise. Some 93 percent said they expect data breaches to increase, but what should be done about it was much less clear.

When asked if DHS or the National Security Agency should regulate cybersecurity in the private sector, 66 percent of general public respondents and 58 percent of feds said neither. Sixty-five percent of the general public and 70 percent of federal employees who answered the survey said current legislation would not improve cybersecurity in the private sector.

“I think the programs in DHS suffer from people’s day-to-day experiences with homeland security – which involves things like going through airport security. That’s the first thing people think of, and it’s not the most positive impression to build on in giving DHS regulation authority,” Cummins said.

The vast majority of federal respondents – 82 percent – said that CyberScope, an automated tool agencies must use to report on their cybersecurity efforts and statuses, did not ease the burden of complying with Federal Information Security Management Act requirements as it was intended to. Implemented by the Office of Management and Budget, CyberScope is designed to digest the information that agencies gather from ongoing continuous monitoring.

“In principle this information would be a byproduct of existing scanning programs. But if you don’t have a scanning program, you have to scramble to generate something for OMB. Something that was intended to facilitate getting rid of a lot of the labor associated with FISMA reporting and give a more continuous view should have made things easier, but clearly they aren’t finding that,” Cummins said. “It’s probably because agencies weren’t able to create that information as a byproduct of what they were already doing and had to go out and create something new.”

What’s preventing agencies from instituting continuous monitoring programs, which are known to reduce cyber risk? According to the survey, 52 percent say it’s a lack of budget and/or funding.

“This isn’t surprising in this budget environment,” Cummins said. “The funding is the first thing people see because they don’t always understand that continuous monitoring can save money over the long term, or they [struggle to] come up with the funding in the short term to implement continuous monitoring.”

In the commercial sector, companies have established benchmarks for cybersecurity performance, and the concept is increasingly being adopted in government as well. It is key for agencies to understand their own performance, especially in comparison with other agencies, Cummins noted.

“It’s a combination of having metrics everyone understands, putting it in context of how they’re performing relative to peers and information on how to improve – that information can be extremely powerful,” she said. “But information that’s all rolled up in, ‘You get a C and need to improve’ – it doesn’t give them a lot to work with. Agencies don’t necessarily know exactly what the problem is or where they need to improve.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Thu, Sep 20, 2012 Jim

What I /really/ need is the same idiots who man the security checkpoints at the airport telling me how to do my job as a computer security professional: Can DHS, collectively, as a department, spell the word security??!!!