Jan 19 2016

Cisco: Government Upgrades Cybersecurity Protections Less Frequently Than Industry

Government agencies tend to upgrade security infrastructure less frequently than the financial services and pharmaceutical sectors, Cisco report says.

Government agencies, especially in the federal government, generally have more resources to devote to cybersecurity than the private sector, according to a security expert at Cisco.

Peter Romness, Cisco’s cybersecurity solutions program lead for the U.S. public sector, says that government agencies tend to use more technologies to enhance cybersecurity, and the federal government typically has more tools than state and local governments. “The federal government has a little bit more budget and has been focusing on this a little bit longer,” Romness told FedTech.

Romness spoke to FedTech ahead of the release of the Cisco 2016 Annual Security Report. One of the report’s key conclusions is that cyberthreats to companies are multiplying and becoming more complex.

“Adversaries and defenders are both developing technologies and tactics that are growing in sophistication,” the report notes. “For their part, bad actors are building strong back-end infrastructures with which to launch and support their campaigns. Online criminals are refining their techniques for extracting money from victims and for evading detection even as they continue to steal data and intellectual property.”

Responding to New Vulnerabilities

Despite the federal government’s investment in cybersecurity defenses, including within the Defense Department and the Department of Homeland Security, Cisco’s report found that government in general is behind many private sector industries in terms of security infrastructure and maturity levels.

Compared to the financials services, pharmaceutical and transportation industries, for example, the report found that government tends to regular upgrade its security infrastructure as opposed to constantly doing so.

This isn’t to say the federal government is doing nothing on the cybersecurity front. Romness says that even before the data breach last year at the Office of Personnel Management (OPM), President Barack Obama had directed federal agencies to aid in enhancing cybersecurity for critical infrastructure.

However, Romness says that the 30-day “cybersecurity sprint” that occurred after the OPM breach to repair vulnerabilities exposed holes in federal IT systems.

“The latest and greatest superbots is not what you need because the threat can be anywhere in your environment,” Romness says about how federal agencies should respond to cyberthreats. “A coordinated response is what’s important. That means that all of your security devices are working together and helping rather than creating a bunch of information that’s hard to use.”

One positive result of breaches like the one at OPM is that they push affected organizations to get more aggressive in improving security, Romness says.

“They have a sore point, and they’re trying to address it,” he says. “After an attack, they are much more open and willing to look at new ways of doing things.”

Threats From Unpatched Software

The Cisco report notes that a “major geopolitical issue that organizations should monitor relates to vulnerabilities and exploits.” The report says “some governments are expressing great concern about the rise of a market for unpatched vulnerabilities — so-called weaponized software.”

While security researchers use software with unpatched vulnerabilities to better protect networks, other more nefarious actors could exploit such software. Cisco says that “in the wrong hands, particularly those of repressive regimes, this technology, intended for good, could be used for financial crime, to steal national and commercial secrets, suppress political dissent, or disrupt critical infrastructure.”

It’s unclear how governments will restrict access to such software without also undermining security researchers, the report says.

“As governments attempt to tackle this thorny problem, they need to carefully assess how their policymaking decisions affect security,” the report adds. “For example, the uncertainty about laws that govern the transmission of information about unpublished vulnerabilities could chill the advancement of security threat research, or encourage the publication of vulnerabilities before vendors have an opportunity to patch them. Any approach to resolving this uncertainty should be compatible across the globe.”