Management, compliance & auditing

Critical security concerns facing government

Challenge 1: Staying compliant

If the government enforces regulations, then its various departments and functions must also comply with those same regulations. Major data security regulations include:

• Federal Information Security Management Act (FISMA): This is part of the 2002 Homeland Security Act, which mandates how federal agencies should protect their systems and information. It applies to all government agencies and “requires the development and implementation of mandatory policies, principles, standards and guidelines on information security.”
• Health Insurance Portability and Accountability Act (HIPAA): Government organizations that provide healthcare must abide by this regulation. This security rule includes security and privacy rules, and addresses technical and non-technical safeguards
• E-Government Act: This act covers management and promotion of electronic government services and processes by establishing a Federal Chief Information Officer (CIO) within the Office of Management and Budget (OMB). It also includes measures that require the use of internet-based information technology to enhance citizens’ access to government information and services.
• Freedom of Information Act (FOIA): FOIA establishes the public’s right to obtain information from most, but not all, federal government agencies. Individual states have also passed their own FOIAs. While similar to the federal act, they are not identical.
• Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act, GLBA’s Safeguard Rule requires organizations to maintain a written information security plan, explaining its approach for protecting clients’ nonpublic personal information.

Challenge 2: Resource allocation

The U.S. federal government spends big on headline solutions; the 2019 U.S. President’s budget includes $15 billion for cybersecurity, an increase of $583.4 million over 2018. State and local government agencies, however, are hard-pushed to secure critical data, infrastructure and services with much smaller budgets.

According to a statement by NASCIO, commercial enterprises typically spend around 10% of their overall IT budget on cybersecurity, while most state cybersecurity budgets are between 0-3 percent of their overall IT budget. This is a major resourcing concern, particularly when we consider the successful hacking of some very prominent enterprises and that government agencies face the same security challenges as their commercial peers.

One issue is purely technical: the latest security measures are usually overly complex for the average agency. Integrating multiple products requires additional installation and maintenance funding. Another issue relates to human resources: agencies are faced with a staffing and know-how problem. Organizations in the public sector cannot compete with the salaries offered in the corporate world, where demand has created a substantial premium on cybersecurity skills.

Challenge 3: Inflexibility & lack of accountability

The bigger an organization, the slower it typically moves. In a 2018 study from SecurityScorecard, they found that in nearly 60 percent of security incident cases at a government facility, it took years to discover the breach.

If a security incident occurs, it will take large government agencies longer to mobilize the relevant parties and implement its incident response plan (IRP), assuming one exists in the first place. As middle managers start the process of getting approval from their superiors, security staff wait for the green light to begin mitigating the incident — and all the while, the attacker continues wreaking havoc.

Functioning IRPs must be well matched to the organization and the data they have to protect; one size does not fit all. This makes it difficult to transfer IRPs between government agencies, even though they may seem alike at a surface level. Staff know-how, threat levels, varying volumes of data and even cultural differences may render an IRP that is appropriate in one agency useless in another.

Good IRPs also facilitate people taking responsibility and being accountable should an incident take place. Designated people must be in the correct roles in order to make critical decisions; equally, these key employees must be well trained and clear on their responsibilities. Lack of accountability may be more common at larger government agencies, but it can permeate smaller ones too.

Challenge 4: Endpoint Security

Endpoint security refers to protecting a system when it is accessed via remote devices such as laptops, tablets or other mobile devices. Each device presents a potential entry point for security threats.

In 2018, Thales and Analyst, 451 Research looked at federal cybersecurity threats. They found that 71% reported a breach sometime in the past, with 57% being breached in the last year. The respondents ranked endpoint and mobile devices as “least effective at protecting sensitive Federal data – a major disconnect.”

These agencies are implementing many digital-first strategies, resulting in greater volumes and varieties of endpoint devices. Endpoint security in federal government agencies is now at a critical juncture. A survey of federal government IT and cybersecurity professionals from Samsung found that 64% of respondents place endpoint security breach prevention as a top priority.

Other focus areas from the survey included better management and dashboards, and secure configuration.

Visibility and awareness of endpoint security is a key problem. Many endpoint devices remain unknown or unprotected. Further, nearly half of government employees surveyed who use personal devices were not aware of or had not reviewed bring-your-own-device (BYOD) policies.

Challenge 5: Human error

“Most agencies don’t even know what IT systems they have,” said SANS Institute founder Alan Paller during a 2015 interview on government cyber challenges. “How can you lock the doors if you can’t even find them?” In a similar vein, levels of sensitivity must be understood for different data sets. Train timetables, for example, do not require the same protection as medical records.

In parallel, security risks are not always obvious, and people often underestimate the likelihood of a particular attack. While hacktivism is regularly reported in the media, various reports point out that human intervention and human error play an increasingly large part in cybersecurity incidents. The 2019 Data Breach Investigations Report found that for government organizations, 72% of breaches were due to cyber-espionage, miscellaneous errors and privilege misuse. The report also highlights that 68%of data breaches have an internal origin.

Inadvertent or non-adversarial threats from inside government agencies occur when employees, through ignorance or complacency, open up the doors Alan Paller speaks about. Big data and predictive analytics can detect employee actions that deviate from peer-group practices or their own previous behavior, but such solutions are expensive and potentially threaten employee rights.

Security awareness training as a network security tool

“Without self-confidence we are as babes in the cradle,” said modernist author Virginia Woolf. Government agency staff are vulnerable without awareness of the security concerns discussed in this paper. Recall too that these are merely the most prominent threats, with others emerging all the time.

Various training and security awareness programs, such as Infosec’s SecurityIQ program, can help agencies increase employee security awareness. The issue for government managers responsible for security is not finding such programs, but rather matching them to the specific awareness needs of their agency and the staff therein.

Here’s a quick look at how each security concern in this paper can be addressed through targeted employee awareness and training. 

• Compliance and resource allocation: Chief Information Officers and other executives should focus on this concern. They must be informed and up-to-date on how these high-level issues impact the entire security system. 
• Inflexibility and unaccountability: This challenge affects the whole system: staff up and down the hierarchy need to know how they can contribute to a security-aware culture and the responsibility they have in responding to security incidents. 
• Endpoint security: Managers, IT support staff and public-facing staff who use government agency systems should understand the importance of endpoint security. Appropriate policies regarding digital-first operations and bring-your-own-device need to be not just in place, but also embedded in the staff’s mindset. 
• Human error: This is one concern which no member of the staff is immune to. People will always make mistakes, but the likelihood of error dramatically decreases in line with the security awareness and training they receive.

Conclusion

Government agencies are an attractive cybercriminal target due to their number of staff and the sensitivity of the data they collect and store. The large number of staffers offers many entry points for attack via social engineering (such as phishing) and everyday human error. Personally identifiable information is valuable and hence, makes government agency databases a worthwhile target. 

Another factor working against government agencies is the issue of trust. They are part of the government: any security breach undermines public trust. The same applies to the staff within government agencies. It will be difficult for them to trust the system if they are not made aware of the security environment or if they observe managers not investing enough effort to address security concerns.

Awareness and training combined provide dual-strength security awareness. On the one hand, it informs government staff of technical security issues and helps build a security-conscious culture within the agency. On the other hand, it reassures both staff and the wider public that sufficient attention is being given to protecting the systems and data that underpin their government.

About Infosec

Infosec provides award-winning security awareness and training solutions. We deliver certification-based training courses for security professionals and enterprise-grade security awareness and phishing training for businesses, agencies and institutions of all sizes. Rooted in science-backed education methods that achieve measurable results, our security solutions fortify your organization against harmful and expensive security threats. Our mission is to transform the largest information security risk — your workforce — into your strongest line of defense. 

Sources

Cybersecurity Funding, whitehouse.gov

Ensure Dedicated Cybersecurity Funding for State and Local Governments with CIOs as Key Decisionmakers, NASCIO

2018 Government Cybersecurity Report, SecurityScorecard

Data Threat Report 2018, US Federal Edition, Thales

Closing the Gaps in Federal Endpoint Security, Samsung and Cyberscoop

2019, Data Breach Investigations Report, Verizon

2018 Government Cyber Security Report, SecurityScorecard

FISMA Implementation Project, Computer Security Resource Center

FOIA Basics, The National Security Archive

Health Information Privacy, US Department of Health and Human Services

Public Law 107–347, US Department of Justice

Gramm-Leach-Bliley Act, Federal Trade Commission

Government’s cyber challenge: Protecting sensitive data for the public good, Deloitte

Security Beyond the Traditional Perimeter, Ponemon Institute

Endpoint Epidemic, Palo Alto Networks

How much does federal government spend on cybersecurity?, Fifth Domain Cyber