Governments all over the world urge private companies to take security measures to protect the personal data of their citizens. For example, the recently adopted EU General Data Protection Regulation (GDPR) obliges organizations collecting personal data from EU residents to adopt information security measures protecting the collected information. However, governments need to be active not only in forcing private parties to protect their computer systems but also in making sure that their own information infrastructure does not have serious flaws.
A report called “Federal Cybersecurity Risk Determination Report and Action Plan” published by the U.S. government in May 2018 reveals that 71 of 96 federal agencies are either at risk or high risk. The report defines the term “high risk” as “Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently,” and the term “at risk” as “Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.”
The report presents four important findings, namely, the limited situational awareness of the agencies (Section 2), the agencies’ lack of standardized IT capabilities (Section 3), the agencies’ limited network visibility (Section 4), and the agencies’ lack of accountability for managing risks (Section 5). At the end of this article, we provide concluding remarks (Section 6).
2. The limited situational awareness of the agencies
One of the major findings of the report is that the agencies cannot identify the methods and vectors of cyber-attacks. Out of 30,899 cyber incidents that led to security breaches, the methods and the vectors of the attacks were not identified in 11,802 cases. Even in cases when they were identified, the agencies did not have processes in place to communicate the data about the attacks to other agencies. According to the report, only 59% of agencies reported having such processes.
3. The agencies’ lack of standardized IT capabilities
The identification of security vulnerabilities by agencies can be facilitated by the adoption of standardized procedures or technologies. For example, if agencies use the same standards for sending and receiving emails, they will facilitate the identification of phishing emails, because a phishing email that does not comply with the common standard can be easily identified. The report indicated that the agencies employ fragmented identity, credential, and access management (ICAM) processes. For instance, one agency revealed that it maintains a decentralized environment with 23 domains and more than 300 unique user groupings based on geographic location, which limits the agency’s ability to manage users’ access to data effectively.
4. The agencies’ limited network visibility
The effective response to cybersecurity incidents depends on the ability of the agencies to monitor the flows of data processed through their networks and to detect cybersecurity incidents. Just 27% of the examined agencies reported that they could detect and investigate unauthorized attempts to access large volumes of data. This means that large volumes of data can be stolen from the computer systems of the other 73% without the knowledge of the compromised agencies. Even in cases when the agencies detect data breaches, they may not respond adequately, as only 30% of the agencies have predictable, enterprise-wide incident response processes.
5. The agencies’ lack of accountability for managing risks
The report found that many chief information officers (CIOs) and chief information security officers (CISOs) of agencies often lack the authority to make important organization-wide decisions. This issue is particularly serious in agencies that employ multiple CIOs who are responsible for managing their own budgets. A decision taken by one of those CIOs may not apply to the security infrastructure falling within the scope of the other CIOs. One solution to this problem is to hold agency heads accountable for the security and governance processes of their organizations. More specifically, the agency heads should be obliged to conduct quarterly risk assessments and track their agencies’ progress regarding the implementation of cybersecurity safeguards.
If the U.S. federal government would like to increase the number of private organizations implementing strong security measures, it needs to act as an example and adopt such measures itself. The report clearly shows that the U.S. government does not protect its network infrastructure well. In this regard, it is sufficient to note that only 15% of the federal agencies encrypt data at rest.
Based on the four findings discussed above, the U.S. federal government adopted four action plans which aim to address the current information security flaws of the agencies, namely, (i) implement a cybersecurity threat framework which will increase the situational awareness of the agencies, (ii) standardize the IT capabilities and tools of the agencies, (iii) consolidate or migrate security operations center (SOC) operations in order to expand the agencies’ network visibility, and (iv) increase the accountability for cybersecurity risk management within each agency.
Furthermore, although the report does not mention the names of the agencies having inadequate security measures, it is highly likely that the U.S. federal government will take individual measures against such agencies and require them to quickly create and implement security strategies that will change their status from “at risk” or “high risk” to “managing risk”, which means that “the agency institutes required cybersecurity policies, procedures, and tools and actively manages their cybersecurity risks”. At present, out of the 96 examined agencies, 12 are at high risk, 59 are at risk, and 25 are managing their risks.
1. Chabrow, E., ‘GAO: Agencies Show Persistent Cybersecurity Weaknesses,’ Bank Info Security, 29 September 2015. Available at https://www.bankinfosecurity.com/gao-questions-completeness-infosec-guidance-from-omb-dhs-a-8558.
2. Coldewey, D., ‘Government investigation finds federal agencies failing at cybersecurity basics,’ TechCrunch, 31 May 2018. Available at https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/?guccounter=1.
3. ‘Federal Cybersecurity Risk Determination Report and Action Plan,’ Office of Management and Budget, May 2018. Available at https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf.
4. Gantz, S., Philpott, D., ‘FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security,’ Newnes, 31 December 2012.
5. Newman, L., ‘The Bleak State of Federal Government Cybersecurity,’ Wired, 30 May 2018. Available at https://www.wired.com/story/federal-government-cybersecurity-bleak/.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.