The federal government needs to take “bold” approaches to increasing the cybersecurity of agencies, according to a report the White House released last week, which found serious deficiencies in the government’s risk management abilities.
In the “Federal Cybersecurity Risk Determination Report and Action Plan,” the Office of Management and Budget and Department of Homeland Security determined that 71 of 96 agencies (74 percent) participating in a federal risk assessment process “have cybersecurity programs that are either at risk or high risk.” OMB and DHS also found that agencies are “not equipped to determine how threat actors seek to gain access to their information.”
The report recommended specific actions agencies need to take to enhance their IT security posture:
- Increase cybersecurity threat awareness among agencies by implementing the Director of National Intelligence’s Cyber Threat Framework to prioritize efforts and manage cybersecurity risks.
- Standardize IT and cybersecurity capabilities to control costs and improve asset management.
- Consolidate agency Security Operations Centers to improve incident detection and response capabilities.
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.
Clearly, there is a great deal for agencies to do. However, there has been some clear progress. Recent investments in cybersecurity by federal agencies have been driven by the rapidly changing threat environment. Attackers are increasing their focus on government targets; technology environments are becoming more complex and prone to vulnerabilities; and attack tools are becoming more sophisticated and difficult to detect.
Agencies manage most modern threats with a holistic, enterprise approach to cybersecurity, but legacy technology and slow adoption of modern IT solutions — some because of funding and acquisition considerations — complicate the effort to secure data and systems. Malware, advanced persistent threats, the Internet of Things and legacy technology are just some of the dangers agencies must protect against.
Malware Remains a Threat to Federal Agencies
Malicious software, or malware, is perhaps the oldest cybersecurity threat, with viruses and worms tracing their roots back to the 1980s. The authors of malware keep pace with improvements in security technologies, and in an ongoing cat-and-mouse game, go to great lengths to keep a foothold in upgraded operating systems and applications by developing stealthier and more effective malware.
Some malware authors focus on compromising numerous systems, regardless of their owner or purpose. For example, CoinMiner malware infects systems via malicious code embedded in online advertising and then uses the purloined computing capacity to mine bitcoin or other cryptocurrencies. Similarly, the Kovter Trojan infects systems via malicious email attachments and then generates advertising revenue via click fraud schemes. These unfocused malware attacks are a nuisance to agency IT staff who must rebuild infected systems.
Other malware, however, has more focused purposes and can be dangerous on government computer systems. NanoCore, for example, is a remote access Trojan that allows hackers to gain complete control of infected systems, where they can then either steal sensitive information or use the system as a jumping-off point for attacks on the rest of the network.
Ransomware is a specific type of malware that poses a significant threat. After ransomware infects a target system, it uses strong cryptography to encrypt the contents with a secret key. If the victim wishes to decrypt the information and regain access, he or she must pay a ransom to the attacker. Recent ransomware outbreaks, such as WannaCry and Petya, found victims at all levels of government, ranging from Britain’s National Health Service to local law enforcement agencies across the United States.
Agencies Are Targets for Sophisticated Attackers
Government agencies are often the targets of extremely talented attackers and well-funded attacks known as advanced persistent threats (APTs). These attackers, typically sponsored by nation-states, are quite patient and focus on very specific targets. Once they gain access, they operate with stealthy techniques, placing a high priority on avoiding detection. During the 2015 Office of Personnel Management breach, attackers believed to be associated with the Chinese government operated within the agency’s network undetected for more than a year, stealing massive quantities of sensitive personnel information.
In 2018, the U.S. government accused Iran’s Mabna Institute of conducting a four-year-long attack in at least 20 countries against hundreds of universities and dozens of government agencies, including the U.S. Labor Department, the Federal Energy Regulatory Commission and the states of Hawaii and Indiana.
The intelligence community believes that during the 2016 U.S. election cycle, APT attackers associated with the Russian government gained access to computer servers belonging to the Democratic National Committee and used the information gained to discredit the Hillary Clinton presidential campaign. Researchers also believe that Russian operatives successfully targeted and scanned voting systems used by many states.
Legacy Federal IT Poses a Security Risk
One often-overlooked threat to cybersecurity comes in the form of legacy systems, which were designed to operate in a completely different threat and technical environment. Their lack of modern cybersecurity controls provides hackers with an easy path into government networks. Agency technology staff should search all systems for outdated hardware and software that may require upgrading or replacement.
As agencies seek to replace legacy technology, they also often undertake digital transformation initiatives that upgrade and enhance technologies. Recent examples of these initiatives include the Next Generation 911 and FirstNet programs, which are designed to enhance public safety communications efforts nationwide.