We are on a journey of highlighting industry-specific security risks, tips and best practices for a stronger security environment. From healthcare, manufacturing and education to financial services, the energy sector and small and medium-sized businesses, we’ll take a closer look at the risks and how to mitigate them in this Friday series. Today we’re looking at what government agencies can do to protect themselves (and their constituents).
The Government’s Cybersecurity Overhaul
The US government has had a rough six months, to say the least. In December 2020 came the startling revelation that multiple agencies had been compromised through the SolarWinds supply chain hack. Five months later, Colonial Pipeline, a privately operated piece of critical infrastructure, was hit by ransomware. Government agencies are vulnerable because, as many have concluded, they simply haven’t been proactive enough in preparing for cyber disasters. #slowgoingcybersecurity
According to Insurance Journal, since 2010 the non-partisan Government Accountability Office (GAO) alone has issued some 3,300 recommendations for agencies to address vulnerabilities. By the end of 2020, hundreds of those recommendations had still not been implemented. (Though we should give agencies some credit, since more than 2,000 of them have been.)
What has led to the weakness of federal government agencies? Let’s look at the top five risks.
1. Not prepared enough
U.S. Senator Angus King (ME) and Representative Mike Gallagher (WI) are co-chairs of the Cyberspace Solarium Commission, which can be likened to the 9/11 Commission. Following the Colonial Pipeline breach, they released a statement saying the Commission was envisioned to be “the 9/11 commission that averts a cyber-9/11.” They added: “One of the gravest lessons from the terrorist attack 20 years ago was that it was a failure of imagination...America can and must be better –- we must be imaginative, and proactive, in navigating the threats of the age of cyber aggression.”
Going back to 2015, a survey conducted by Frost & Sullivan showed that nearly half of the 1,800 respondents from the federal government sector felt that security had not improved over the previous two years. About 17 percent said their agency’s security posture was worse because of an inability to keep pace with the changing threat environment and a lack of funds, and more than half said their threat response times had not changed.
Six years later, as evidenced by the SolarWinds and Colonial Pipeline incidents among others, many in the security industry agree that much work still needs to be done.
For example, in a recent cybersecurity panel organized by Channel Partners, Booz Allen’s Jerry Bessette said he believes the federal government is absolutely not prepared for nation-state cyber attacks. He attributed it to the fact that “networks are still so complicated,” adding, “And there are still so many organizations, including government agencies, that aren’t doing the basics.”
Robert Zukis of the Digital Directors Network added his two cents: “Hackers have clearly figured out the system is in and of itself the weak point and they’re exploiting it,” he said. “And unfortunately, we’re at ground zero at this point.”
2. Not enough of a priority
In March of this year, the GAO warned that more needed to be done. “Although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country.”
But well before then, there were already signs that the government was not treating cybersecurity as a top priority. On May 15, 2018, then national security advisor John Bolton eliminated the National Security Council’s position of cybersecurity coordinator.
That day, Rep. Bennie G. Thompson (MS), the Ranking Member of the Committee on Homeland Security, commented that “with cyber threats ever-changing and growing more sophisticated by the day, there is no logical reason to eliminate this senior position and reduce the already degraded level of cyber expertise at the White House.”
3. Staff shortages
It has been widely known for years that the U.S. private sector lacks enough experienced cybersecurity professionals, but that gap becomes a matter of national security when the entity in question is the federal government.
Wind the clock back to 2019, when Jeanette Manfra, then assistant director for cybersecurity at CISA, addressed a crowd at TechCrunch Disrupt SF. She hammered home the point that the agency was making training for new cybersecurity professionals a priority, to the point that it was looking toward elementary school-aged children as a future cybersecurity workforce. That is how important an initiative cybersecurity had already become.
“It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector,” said Manfra. “We have a massive shortage that is expected to grow larger.”
4. Nation-state cyber threats
According to Radware, nation-state hackers target government agencies, critical infrastructure and a very broad array of industries and organizations. Typically, they strike via sophisticated techniques that interrupt business operations, leak confidential information and generate massive data and revenue loss, and they increasingly carry out these attacks on behalf of governments worldwide. The SolarWinds supply chain hack is widely viewed as a nation-state attack; in April 2021 the U.S. government formally attributed it to Russia’s foreign intelligence service (SVR). What made it so effective is that the malicious code was inserted into SolarWinds’ own Orion build process and shipped in legitimately signed updates, so victims installed the backdoor through their normal patching process rather than through any perimeter breach. No matter who is targeted, nation-state attacks are hugely disruptive, damaging and costly. With nine U.S. federal agencies directly impacted by the SolarWinds attack, the damage was real.
5. Not enough federal laws and guidelines
In July 2020, the Government Accountability Office reported that the United States lacked a comprehensive internet privacy law governing the collection, use and sale of personal information by private-sector companies. In addition, there is currently no federal law expressly regulating the commercial use of facial recognition technology, including the identification and tracking of individuals.
During a session at the 2021 RSA Conference, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, said it “boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of breaches occur in the United States… without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground.”
Fixing federal agency cybersecurity – as fast as possible
The attacks of the past year have put cybersecurity at the top of everyone’s agenda. As a result, many new laws are being considered to curb ransomware, especially attacks targeting the government. The most significant action so far, however, came not from Congress but directly from the White House.
Following the 2020 cyber attack on numerous United States government agencies, on May 12, 2021 President Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity.” The order seeks to strengthen public and private sector cybersecurity defenses and incident response capabilities.
The federal government reforms focus on three key themes: modernization, accountability, and resilience.
- First, modernization: federal agencies are directed to modernize their IT systems, prioritize the use of cloud services, deploy multifactor authentication, and adopt encryption for data at rest and in transit. The Cybersecurity and Infrastructure Security Agency (CISA) will also update the standards governing agencies’ use of cloud services, and migration toward a “Zero Trust Architecture” is an explicit goal.
- Second, accountability: federal civilian agencies will be held to account by giving CISA access to agency network data for vulnerability testing and threat hunting, and by creating a “Cyber Safety Review Board.” That Board will be tasked with reviewing significant cyber incidents involving either government or private sector entities and considering mitigation activities and agency responses.
- Third, resilience: the order calls for a standardized playbook that enables agencies to quickly identify, mitigate and remediate threats. In direct response to SolarWinds, it also directs NIST to develop guidance for securing the software supply chain, including requirements for a software bill of materials (SBOM) for software sold to the government.
States are getting involved too
Cybersecurity remains a focus in state legislatures, as many propose measures to address cyberthreats directed at governments and private businesses. In 2020, at least 38 states, Washington, D.C., and Puerto Rico introduced or considered nearly 300 bills or resolutions dealing significantly with cybersecurity. The proposals ranged from increasing penalties for computer crimes, requiring government agencies to implement training or specific security policies, and regulating the insurance industry, to creating task forces, councils or commissions to study and advise on cybersecurity matters, and supporting programs or incentives for cybersecurity training and education.
Lots of work to be done
Clearly there is a great amount of work to be done in order to vastly improve the government’s cybersecurity posture. It will take time and a sustained investment of billions of dollars. But at this stage, the government does not really have a choice.
Hopefully, in the next few years we’ll begin to see a decrease in successful attacks as the necessary changes and laws are put in place.