Aug 12 2013

The State of Information Security in the Federal Government

An increasing dependence on technology is putting sensitive data and critical systems at risk.

Government agencies have become increasingly dependent on data — creating, collecting and making sense of it. At the same time, the “bad guys,” whether joyriding hackers, hacktivists, cybercriminals or unfriendly nations, are equally interested in this data, from passwords and financial records to Social Security numbers and classified files.

In February 2013, President Obama issued an executive order that read in part, “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

Government organizations need to better understand the threats they face and improve information security, and they must do so in a time of reduced or flat IT budgets. Greater efficiencies are needed to offset the reduced staffing and services that result from budget cuts. This can be accomplished, provided the IT and security teams plan accordingly and invest in solutions that address the most pertinent threats.

In a report issued the same month as the president’s executive order, the U.S. Government Accountability Office (GAO) reported that only eight out of 22 major federal agencies (down from 13 a year earlier) were in compliance with risk-management requirements under the Federal Information Security Management Act (FISMA) – a foreboding sign.

When it comes to effective investment in IT security, assessing risk is critical. If a government organization doesn’t know what to protect, why and from whom, then it can’t know if it has the proper security solutions in place. And if that’s the case, it’s just a matter of time before an agency suffers another security breach.

Over a period of six years, the number of security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) jumped to 48,562 in 2012. That’s up from 5,503 in 2006.

Of the security incidents reported to US-CERT in fiscal year 2012:

  • 37% were under investigation
  • 20% involved violating agency IT policies
  • 18% involved malicious code
  • 17% were for unauthorized access
  • 8% were the result of scans, probes or attempted access

And vulnerabilities permeate all levels of government. In a 2012 cybersecurity study coproduced with Deloitte, the National Association of State CIOs (NASCIO) found that 70 percent of state CISOs had reported an IT security breach. In the same study, only 24 percent of state CISOs said they were very confident about protecting their state’s assets from external threats.

None of this should come as a surprise. More people are trying to break into government IT systems for more reasons than ever before. The once-stereotypical young hacker has been supplanted by shadowy players, such as organized crime syndicates, nation states bent on espionage, and hacktivists who attack networks and expose data as a political statement. Even government workers or contractors may be responsible for security breaches (such as the recent National Security Agency-PRISM scandal), whether deliberate or inadvertent.

The rise of a mobile workforce has ushered in a commensurate rise in unintended security breaches. On one end of the spectrum are incidents in which otherwise well-meaning employees load sensitive data onto devices and then lose those devices.

In 2012, for example, the NASA inspector general told Congress that the agency had lost 48 mobile devices between April 2009 and April 2011, some of which held sensitive data. On the other end of the spectrum is a tide of malware aimed specifically at mobile devices (notebooks, tablets and smartphones) that are inherently less secure than desktops and servers. According to the GAO, mobile malware grew 185 percent between July 2011 and May 2012.

In the face of this onslaught, it’s no longer enough for government agencies to strive to keep threats out of their networks. New security solutions are required to protect data wherever and however it’s made available. Organizations today must erect defenses, assume they will eventually be breached, and ensure that they have systems in place to respond quickly, mitigate or eliminate the threat, and then minimize the damage.

Why is this especially important now? Because even as government agencies acknowledge new and dynamic IT security threats, they plan to rely even more on IT and enterprise data to carry out modern missions:

  • In 2012, the Obama Administration announced its Big Data Research and Development Initiative to encourage new ways of collecting, storing, analyzing and sharing large quantities of data — all of which must be handled securely.
  • The Digital Government Strategy, issued in May 2012, became the latest in a line of federal initiatives aimed at harnessing technology so citizens and government workers can securely access data and services from any device.
  • The Federal Information Security Amendments Act of 2013, which recently passed the House of Representatives, would update FISMA by requiring agencies to adopt continuous monitoring and other solutions to improve real-time security awareness. (The Congressional Budget Office estimates it will cost $620 million between 2014 and 2018 to implement.)
