DHS: Three-Quarters of Federal Agencies’ Security Programs are at Risk of Cyberattack
Digital threats facing federal entities are at an all-time high. That much is apparent in the findings of SolarWinds' fifth annual Federal Cybersecurity Survey. Of the 200 IT security professionals in U.S. federal civilian and defense agencies surveyed, more than half (56 percent) named careless or untrained insiders as a significant IT security threat, and 52 percent named foreign governments. By comparison, five years earlier just 42 percent of federal IT security workers considered insiders a primary threat, and just 34 percent considered foreign governments a chief concern.
These findings show that attackers continue to regard U.S. federal agencies as worthwhile targets. As Lastline wrote in a recent report, attackers have a standing incentive to go after federal agencies: a successful intrusion embarrasses the federal government as a whole, creates the impression that the government cannot protect itself, and so undermines its standing with the American people. More tangibly, federal agencies process data about a very large population, so a single successful attack can expose details about a large number of people.
That view of federal agencies as targets underlines the importance of Executive Order 13800. Signed on 11 May 2017, it requires every federal agency head to manage cybersecurity risk using NIST's Framework for Improving Critical Infrastructure Cybersecurity and to submit a risk management report. The Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) then used those reports to conduct a government-wide risk assessment.
Federal Agencies’ Security Programs
The findings of that assessment were not good. DHS and OMB determined that nearly three-quarters (74 percent) of federal agencies' security programs were at risk or at high risk. They also found that agencies overall lacked the capacity to determine how threat actors seek to gain access to their information, which leaves gaps in network visibility, tool standardization, and common operating procedures.
To better understand this overview, let’s look at the four main findings of the assessment.
Finding 1: Agencies Aren’t Prepared to Combat Today’s Digital Threats
First, DHS and OMB found that agencies are not prepared to combat today's digital threats. This lack of preparedness stems partly from agencies' inadequate understanding of attackers' motivations and methods, and partly from a lack of timely threat information.
As a result, federal agencies' incident response capabilities suffer. Agencies were unable to identify the method of attack or attack vector in 38 percent of the incidents that led to the compromise of information or of a system's functionality. Moreover, only 59 percent of agencies confirmed that they have processes in place to communicate digital security risks across the organization.
OMB and DHS said in the assessment that they would partner with the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) to help agencies implement the Cyber Threat Framework. They also said they would roll out a risk-based budgeting process to help agency heads budget more strategically for their organizations' digital security capabilities.
Finding 2: A Lack of Standardization Hurts Agencies’ Security Posture
The joint assessment also found that agencies lack standardized digital security processes and IT capabilities. Without that uniformity, agencies cannot apply a single process, or a common set of processes, to their digital security challenges. In particular, OMB and DHS found that agencies can improve in the following key areas:
- Identity, Credential and Access Management (ICAM): Federal agencies have made some progress in enforcing multi-factor authentication through their use of Personal Identity Verification (PIV) cards. But many still need to improve their ICAM architecture by centralizing these solutions. Reflecting this, just 55 percent of agencies limit access based on user attributes, only 57 percent review and track administrative privileges, and only half restrict users' access to data.
- Email security: Agencies should standardize their email security measures, in particular by improving their ability to protect users from phishing.
- Software whitelisting (application allowlisting): Just 49 percent of agencies implement software whitelisting. As a result, many agencies end up running several versions of the same software, which enlarges the attack surface and complicates patching.
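The allowlisting bullet above names the control but not how it is applied. The following is an added example, written for this page and not code from the DHS/OMB assessment or from Lastline: it hashes every executable under a directory tree with SHA-256, admits only files whose digest appears in an allowlist keyed by hash (the same principle as a whitelist enforced by an OS policy engine), blocks everything else, and also reports products for which more than one allowed version is present, which is exactly the "several versions of the same software" condition the assessment describes. The directory layout, file contents, product names and hashes are all constructed for the demonstration.

```python
"""Added example: hash-based application allowlisting audit with
multiple-version detection. Not from the DHS/OMB report or Lastline;
all paths, contents and allowlist entries below are constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(root, allowlist):
    """Walk `root` and classify every file against `allowlist`.

    allowlist maps sha256 hex digest -> (product, version).
    Returns a dict with:
      allowed    - list of (path, product, version) for known binaries
      blocked    - list of (path, digest) for anything not on the list
      duplicates - {product: [versions]} where more than one version is allowed
    Keying on the hash rather than the path means a renamed or replaced
    binary is still blocked unless its exact bytes were approved.
    """
    allowed, blocked = [], []
    versions = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            entry = allowlist.get(digest)
            if entry is None:
                blocked.append((path, digest))
                continue
            product, version = entry
            allowed.append((path, product, version))
            versions[product].add(version)
    duplicates = {p: sorted(v) for p, v in versions.items() if len(v) > 1}
    return {"allowed": allowed, "blocked": blocked, "duplicates": duplicates}


def demo():
    """Build a constructed directory tree and run the audit over it."""
    # Constructed stand-ins for binaries; a real allowlist would hold the
    # digests of vendor-released, signed executables.
    samples = {
        os.path.join("bin", "tool-1.0"): b"tool v1.0",
        os.path.join("bin", "tool-1.1"): b"tool v1.1",
        os.path.join("opt", "editor"): b"editor v3",
        os.path.join("tmp", "dropper"): b"unknown payload",  # not approved
    }
    allowlist = {
        hashlib.sha256(b"tool v1.0").hexdigest(): ("tool", "1.0"),
        hashlib.sha256(b"tool v1.1").hexdigest(): ("tool", "1.1"),
        hashlib.sha256(b"editor v3").hexdigest(): ("editor", "3"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return audit(root, allowlist)


if __name__ == "__main__":
    report = demo()
    for path, digest in report["blocked"]:
        print("BLOCKED", path, digest[:16])
    for product, vers in report["duplicates"].items():
        print("MULTIPLE VERSIONS", product, vers)
```

In this run the unapproved `dropper` is the only blocked file, and `tool` is flagged because both 1.0 and 1.1 are approved and present; an agency standardizing its estate would retire one of them and drop its digest from the allowlist.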
In response to these challenges, DHS and OMB said in their assessment that they will work with agencies to apply standard configurations across their IT environments.
Finding 3: Agencies Don’t Know What’s Going on in Their Networks
Third, the government-wide evaluation determined that federal agencies lack visibility into what is happening on their networks, and this is especially true for spotting data exfiltration. DHS and OMB found that only 40 percent of agencies can detect exfiltration of encrypted data at the government-wide target level, and only 27 percent can detect and investigate data exfiltration attempts. Even fewer test these capabilities annually.
Incident response maturity suffers accordingly. DHS and OMB found that only 52 percent of agencies have defined incident response roles, and just 17 percent analyze incident response data after an incident has occurred.
DHS and OMB recognize that agencies lack both visibility into their networks and the ability to limit the impact of an incident, so they committed to working with agencies to improve their individual security operations centers (SOCs), including through the use of SOC-as-a-service.
Finding 4: Agencies Lack Standardized Processes for Managing Risk
Finally, OMB and DHS found that agencies lack standardized, organization-wide processes for managing digital security risk. One problem is that many agencies did not describe any leadership involvement in digital security risk management above the CIO level. In practice, CIOs and CISOs often lack the authority to make organization-wide decisions about digital security.
This lack of leadership involvement trickles down through the organization. With uneven accountability and awareness for managing risk, agencies have neither robust risk management programs nor consistent methods for notifying leadership about digital security risks.
Acknowledging these shortcomings, OMB said in the assessment that it will work to increase the involvement of every agency's leadership in its digital security program. To that end, OMB said it will make sure spending goes to the right digital security programs.
Increasingly Adept Digital Adversaries
The digital adversaries facing the nation are growing more adept, as DHS and OMB found in their assessment. In response, the two agencies will help federal organizations implement the Cyber Threat Framework, standardize their IT capabilities and tools, consolidate or migrate their SOC operations, and drive accountability for digital security risk management across the organization.
Meanwhile, federal agencies can take additional measures to strengthen their digital security. As one example of a more demanding baseline, I encourage readers to review National Aerospace Standard (NAS) 9933, developed by the Aerospace Industries Association and summarized in my recent report. Another step agencies can take is to invest in an AI-driven security solution capable of monitoring the network for digital threats. Learn how Lastline can do just that.