Reports: US Cybersecurity Firewalls Built on Shaky Foundations
The U.S. military has bigger cybersecurity gaps than feared, and government agencies are behind schedule in shoring up their digital defenses. Those are the major findings of two new reports highly critical of the nation's efforts to raise the level of IT security so it can handle a new round of cyberthreats. The Department of Defense is called out for not having critical systems protected enough to withstand a coordinated cyberattack.
03/08/13 5:00 AM PT
A pair of new reports suggest that despite repeated attempts by the Obama administration to beef up U.S. cybersecurity, the nation is not ready to handle a major attack, and government agencies lag far behind deadlines for showing security improvements.
Those conclusions are reached in the Office of Management and Budget (OMB)'s Fiscal Year 2011 report to Congress on the implementation of the Federal Information Security Management Act (FISMA), and the Defense Science Board Task Force's study on resilient military systems and the advanced cyber threat.
"The federal government isn't just vulnerable, it's already compromised," Tim Erlin, director of IT security and risk strategy at nCircle, told TechNewsWorld. "This is the reality of today for all organizations."
The Cyberstate of the US Military
After conducting an 18-month study that ended last August, the Defense Science Board -- a federal advisory committee that provides independent advice to the U.S. Secretary of Defense -- concluded that the nation cannot be confident that its critical information technology systems will work under attack from a sophisticated opponent with good resources.
The DoD's networks are built on inherently insecure architectures, and the Department doesn't devote as much attention and resources to its IT networks as it does on its weapons and their IT capabilities, the DSB said. That has led to the DoD and its contractors suffering "staggering" losses of system design information.
The DSB task force developed a layered approach for managing cyberrisk, and criticized the DoD's approach to defend only against the inherent vulnerabilities that exist in all complex systems. The DoD did not have metrics to directly determine or predict the cybersecurity or resilience of a given system, the task force said, or to help decide how best to allocate cybersecurity spending.
"We value the contributions and recommendations of the DSB report but the department is continuously, report or no report, working to enhance its cyberposture and enhance its cybercapabilities, because those threats out there are growing in scope, sophistication and frequency," DoD spokesperson Lt. Col. Damien Pickart told TechNewsWorld.
The department is working "very closely with other interagency partners to ensure the nation has an optimal posture in cyberspace," Lt. Col. Pickart added. The DoD is also working closely with the private sector through the Defense Industrial Base (DIB).
"The Department of Defense has come to realize that, no matter how many moats or walls you have, they can be penetrated. They're sifting to protecting the data at rest, so even if an intruder comes in he won't be able to decrypt the data," said Brad Curran, a senior industry analyst at Frost & Sullivan.
The DoD is beginning to fund embedded forensic tools; when an alarm goes off, it can focus defensive resources into the area that has been penetrated.
"The problem is more of a cultural and organizational issue than a money or technology problem," Curran told TechNewsWorld. "It's so bureaucratic that it's difficult to respond quickly, contracts are long-term, and the law doesn't allow service program managers to switch money around internally very often."
Government Agencies Still Lax on Cybersecurity
When it comes to federal agencies, the OMB reported that in 2011, they detected controlled incidents only 49 percent of the time compared to 70 percent in 2010. The agencies authenticated remote access attempts only 52 percent of the time -- no change from 2010.
Only 58 percent of the agencies used email validation technology, compared to 46 percent the previous year.
The agencies did show improvement for the same period in other areas, including automated vulnerability management and in the encryption of portable devices. For all government agencies, FISMA capability implementation totaled 74 percent in 2011 as compared to 62 percent in 2010.
"The biggest issue is that the government isn't keeping up with the best practices required," Erlin remarked.