Cybersecurity concerns trouble feds

Federal workers don’t believe cybersecurity legislation will be effective, don’t want the Homeland Security Department to regulate information security and are more likely to be concerned about compliance than any particular security threat, a new report reveals.

According to an nCircle survey that included more than 100 federal employees and a few members of the general public, government programs designed to improve cybersecurity and ease the burden of compliance at agencies haven’t been successful.

Asked to choose from a list of top security concerns for 2012, 29 percent of survey respondents put compliance with federal standards at the top of the list. That was followed by cloud computing (20 percent), advanced persistent threat (17 percent), mobile devices/BYOD (14 percent) and virtualized infrastructure (9 percent).

“One of the most interesting things about the findings is in the biggest security concerns for 2012. In a list of challenging areas in terms of advanced persistent threat, securing mobile devices and virtual infrastructure, for almost three in 10 compliance was the biggest challenge,” said Keren Cummins, director of federal markets for nCircle. “To me that suggests something has gotten out of balance.”

People who responded to the survey, both federal workers and in the general public, overwhelmingly believe that data breaches are on the rise. Some 93 percent said they expect data breaches to increase, but what should be done about it was much less clear.

When asked if DHS or the National Security Agency should regulate cybersecurity in the private sector, 66 percent of general public respondents and 58 percent of feds said neither. Sixty-five percent of the general public and 70 percent of federal employees who answered the survey said current legislation would not improve cybersecurity in the private sector.

“I think the programs in DHS suffer from peoples’ day-to-day experiences with homeland security – which involves things like going through airport security. That’s the first thing people think of, and it’s not the most positive impression to build on in giving DHS regulation authority,” Cummins said.

The vast majority of federal respondents – 82 percent – said that CyberScope, an automated tool agencies must use to report on their cybersecurity efforts and statuses, did not ease the burden of complying with Federal Information Security Management Act requirements as it was intended to. Implemented by the Office of Management and Budget, CyberScope is designed to digest the information that agencies gather from ongoing continuous monitoring.

“In principle this information would be a byproduct of existing scanning programs. But if you don’t have a scanning program, you have to scramble to generate something for OMB. Something that was intended to facilitate getting rid of a lot of the labor associated with FISMA reporting and give a more continuous view should have made things easier, but clearly they aren’t finding that,” Cummins said. “It’s probably because agencies weren’t able to create that information as a byproduct of what they were already doing and had to go out and create something new.”

What’s preventing agencies from instituting continuous monitoring programs, which are known to reduce cyber risk? According to the survey, 52 percent say it’s a lack of budget and/or funding.

“This isn’t surprising in this budget environment,” Cummins said. “The funding is the first thing people see because they don’t always understand that continuous monitoring can save money over the long term, or they [struggle to] come up with the funding in the short term to implement continuous monitoring.”

In the commercial sector, companies have established benchmarks around cybersecurity performance, and the concept is increasingly being employed in government as well. It’s key to agencies to understand their performance, especially in comparison with other agencies, Cummins noted.

“It’s a combination of having metrics everyone understands, putting it in context of how they’re performing relative to peers and information on how to improve – that information can be extremely powerful,” she said. “But information that’s all rolled up in, ‘You get a C and need to improve’ – it doesn’t give them a lot to work with. Agencies don’t necessarily know exactly what the problem is or where they need to improve.”