Cyber sprint laggards tell their stories (anonymously)

Some agencies started at zero but rocketed upward during the federal governments sprint to improve two-factor authentication levels.

Some agencies started and stayed high.

And some agencies, somehow, saw their two-factor authentication levels actually drop during the sprint.

By the numbers, the departments of Education, Justice and Energy were three of the sprint’s biggest losers. Those departments, though, argue that they’re not failing – they’re setting the stage for future improvements.

Dismal digits

According to the July 31 cyber sprint results, overall two-factor authentication implementation levels dropped at all three:

• Education’s total implementation fell from 71 percent in April, before the sprint, to 57 percent in July; for privileged users, the figure dropped from 14 percent to 11; for unprivileged users, the figure ticked up from 76 to 77 percent.
• Justice’s total implementation fell from 36 percent to 31 percent; privileged user implementation shot from 26 to 83 percent, but unprivileged implementation dropped 6 percentage points.
• Energy’s total implementation plunged from 32 percent to 12 percent; while privileged user implementation jumped from 8 percent to 13 percent, unprivileged user implementation fell 23 percentage points.

Those figures stand in contrast to most of the other agencies that reported in, with several reaching 100 percent two-factor authentication for privileged users and 14 surpassing federal CIO Tony Scott’s 75 percent overall target. (The Defense Department saw a small drop in overall two-factor authentication, but unlike Education, Justice and Energy, total DOD two-factor levels were above the 75 percent target.)

What happened?

Complicated stories

“[T]he numbers fail to tell the whole story,” an Energy Department spokesperson told FCW. (At each of the three agencies in question, officials asked that their names not be attached to their responses.)

“The actual number of users using PIV [personal identity verification card] multifactor authentication went up during this period, but the drop in percentage reported to [the Office of Management and Budget] was a result of DOE expanding the scope of users held accountable to this standard to capture DOE’s entire enterprise, including contractor accounts, laboratories, sites and plants,” the Energy spokesperson explained.

The spokesperson said Energy’s “enterprise-wide cyber strategy” should produce a rapid rise over the coming weeks and months in two-factor authentication levels.

An OMB official echoed the Energy spokesperson’s assertion that a new understanding of the underlying numbers, not two-factor authentication implementation, affected some agencies’ performance.

“Every CFO Act agency made progress towards the goals of the 30-day sprint,” the OMB official said. “Where some agencies appear to decrease in their implementing strong authentication … agencies may have realized a larger universe of users.”

The official noted the value of such realizations, saying, “The sprint allowed OMB and federal agencies to gain a clearer understanding of challenges – from limited resources, institutional challenges, cyber proficiency, and complex legacy networks and systems – facing an agency’s ability to enhance its cyber security.”

An Education Department official offered the same “larger universe” explanation, and said Education made “progress” during the sprint.

Justice, on the other hand, said it did not uncover previously uncounted users.

“DOJ has approximately 3,000 privileged and 160,000 general users, of which 83 percent and 30 percent respectively are enabled for PIV two-factor authentication,” a Justice Department official said. “While the numbers fluctuated some during the cyber sprint, the changes were not material and they were the result of normal staff turnover.”

Instead, the Justice Department official said, Justice merely prioritized privileged-user two-factor authentication.

“With an enterprise of our size and geographical dispersion, we have made tremendous progress with our general-user community in enforcing two-factor authentication,” the official said. “We expect to improve significantly by the fall of 2015.”

Numbers too simplified?

“Generally speaking, there’s too much focus on these numbers and percentages, which can be misleading,” commented Monzy Merza, chief security evangelist for operational intelligence software firm Splunk. “These problems are a little more complex than might appear.”

Merza noted that every agency is different, with some having existing security initiatives they could leverage going into the sprint.

It’s a point that’s been made before: How can you effectively aggregate such diverse data from 24 different agencies?

It would be “naïve” to rely on just these numbers, Merza said, to applaud or condemn agencies.

Besides, he noted, merely implementing PIV two-factor authentication is no panacea.

The emphasis on beefing up security for privileged users is good, he said, but other considerations, including improving remote-access security, should also take precedence.

The Energy Department spokesperson also noted the variety of multifactor authentication options.

“DOE is at around 70 percent adoption for privileged and 20 percent for standard user accounts when we account for all forms of multifactor authentication,” the spokesperson said.

Merza noted that the sprint likely revealed deeper issues that agencies can begin to improve.

Smartphone apps as a form of authentication, he noted, are extremely useful and exceedingly challenging.

“What if your employees don’t have smartphones?” he asked. “Or what if you work for an agency that doesn’t allow smartphones for security reasons?”

The whole issue of legacy systems being incompatible with new technologies is another stumbling block, he noted.

All told, Merza said, even the lackluster results of Education, Justice and Energy could be the start of real security improvements. It all depends on what those agencies do next.