Cybersecurity concerns trouble feds

Federal workers don’t believe cybersecurity legislation will be effective, don’t want the Homeland Security Department to regulate information security and are more likely to be concerned about compliance than any particular security threat, a new report reveals.

According to an nCircle survey that included more than 100 federal employees and a few members of the general public, government programs designed to improve cybersecurity and ease the burden of compliance at agencies haven’t been successful.

Asked to choose from a list of top security concerns for 2012, 29 percent of survey respondents put compliance with federal standards at the top of the list. That was followed by cloud computing (20 percent), advanced persistent threat (17 percent), mobile devices/BYOD (14 percent) and virtualized infrastructure (9 percent).

“One of the most interesting things about the findings is in the biggest security concerns for 2012. In a list of challenging areas in terms of advanced persistent threat, securing mobile devices and virtual infrastructure, for almost three in 10 compliance was the biggest challenge,” said Keren Cummins, director of federal markets for nCircle. “To me that suggests something has gotten out of balance.”

People who responded to the survey, both federal workers and in the general public, overwhelmingly believe that data breaches are on the rise. Some 93 percent said they expect data breaches to increase, but what should be done about it was much less clear.

When asked if DHS or the National Security Agency should regulate cybersecurity in the private sector, 66 percent of general public respondents and 58 percent of feds said neither. Sixty-five percent of the general public and 70 percent of federal employees who answered the survey said current legislation would not improve cybersecurity in the private sector.

“I think the programs in DHS suffer from people’s day-to-day experiences with homeland security – which involves things like going through airport security. That’s the first thing people think of, and it’s not the most positive impression to build on in giving DHS regulation authority,” Cummins said.

The vast majority of federal respondents – 82 percent – said that CyberScope, an automated tool agencies must use to report on their cybersecurity efforts and statuses, did not ease the burden of complying with Federal Information Security Management Act requirements as it was intended to. Implemented by the Office of Management and Budget, CyberScope is designed to digest the information that agencies gather from ongoing continuous monitoring.

“In principle this information would be a byproduct of existing scanning programs. But if you don’t have a scanning program, you have to scramble to generate something for OMB. Something that was intended to facilitate getting rid of a lot of the labor associated with FISMA reporting and give a more continuous view should have made things easier, but clearly they aren’t finding that,” Cummins said. “It’s probably because agencies weren’t able to create that information as a byproduct of what they were already doing and had to go out and create something new.”

What’s preventing agencies from instituting continuous monitoring programs, which are known to reduce cyber risk? According to the survey, 52 percent say it’s a lack of budget and/or funding.

“This isn’t surprising in this budget environment,” Cummins said. “The funding is the first thing people see because they don’t always understand that continuous monitoring can save money over the long term, or they [struggle to] come up with the funding in the short term to implement continuous monitoring.”

In the commercial sector, companies have established benchmarks around cybersecurity performance, and the concept is increasingly being employed in government as well. It’s key for agencies to understand their own performance, especially in comparison with other agencies, Cummins noted.

“It’s a combination of having metrics everyone understands, putting it in context of how they’re performing relative to peers and information on how to improve – that information can be extremely powerful,” she said. “But information that’s all rolled up in, ‘You get a C and need to improve’ – it doesn’t give them a lot to work with. Agencies don’t necessarily know exactly what the problem is or where they need to improve.”

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Thu, Sep 20, 2012 Jim

What I /really/ need is the same idiots who man the security checkpoints at the airport telling me how to do my job as a computer security professional: Can DHS, collectively, as a department, spell the word security??!!!
