<p>In “Federal Cybersecurity: America’s Data Still At Risk”, the US Senate Homeland Security and Governmental Affairs Committee identified “stark” lapses in cybersecurity preparedness in seven of the eight agencies the report reviewed. Some have not implemented baseline cybersecurity practices, some have used unauthorized systems, and many used legacy systems past end of life.</p>
<p>Given the data they gather and functions they serve, government agencies face extraordinarily high levels of information security risk. Nation-states, criminals, and other actors bring sophisticated expertise and significant resources to bear in pursuing their objectives, and US government agencies are obvious targets. In short, economic well-being, public health, and critical infrastructure are all at risk, a fact that has become all too clear of late as attacks have escalated.</p>
<p>Unfortunately, the news that our government agencies have not established comprehensive measures to manage these cybersecurity risks is not new. The report released by the Senate Homeland Security and Governmental Affairs Committee on Tuesday echoes previous reports issued by the Government Accountability Office (GAO) and other watchdog agencies. As the Senate committee, the GAO, and others have recommended, government agencies must develop a comprehensive and centralized strategy for national cybersecurity. That includes the implementation of government-wide cybersecurity initiatives and addressing weaknesses in federal agency information security programs.</p>
<p>While such comprehensive approaches are clearly necessary, they take time to develop and deploy. In the meantime, government agencies can substantially enhance their security posture by improving their execution around basic security practices. These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs. Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.</p>
<p>Perhaps most importantly, the mindset of agency leadership must change. Like much of the cybersecurity industry, most agency security programs have invested significantly more in prevention technologies and products than they have in detection systems. But those products are failing. Insider threats, social engineering, zero-day attacks, state-sponsored attackers, and many other factors have made an over-reliance on prevention a losing bet. Instead of pretending they can build impenetrable systems, government agencies must increase their ability to discover threats and orchestrate responses before attackers can do significant damage. Accomplishing that requires realigning both the security architecture and the organization, and that change must come from the top.</p>
<p>This is an unnerving report and should be considered a call to action. These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research, and social services. It is startling to see that basic cyber protections are still not in place while significant breaches continue to make headlines. We are under active threat and need to take immediate action and make significant investment in our cybersecurity infrastructure, starting with our talent pipeline. We have the tools to find that talent regardless of background. We need everyone we can muster to join this fight.</p>