U.S. government agencies have invested time, effort and significant funding in the last several years to meet the challenges of cybersecurity threats. Unfortunately, the payoff has been disappointing, according to a report from the ISC2 Foundation, an affiliate of the International Information Systems Security Certification Consortium.
As part of its seventh Global Information Security Workforce Study, the foundation included a section on the U.S. government that involved a survey of 1,800 federal IT professionals. The GISWS survey was developed in partnership with Booz Allen Hamilton, Cyber 360 Solutions, and NRI Secure Technologies. It was conducted by Frost & Sullivan, and results were reported in early May.
“While the task at hand is indeed overwhelming given the complexity of threats and the government’s limited resources, when we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation’s overall security posture, our hope was to see an obvious step forward. The data shows that, in fact, we have taken a step back,” said Dan Waddell, director of government affairs for the National Capital Region at ISC2.
Federal Performance Lags
The lack of progress by federal agencies to adequately address cyberissues is reflected in the responses of nearly 50 percent of participants who said that security had not improved in the last two years. Another 17 percent reported that their organization’s security posture was actually worse off, “primarily due to an inability to keep pace with threats, a poor understanding of risk management, inadequate funding and not enough qualified professionals.”
Other notable findings about federal cybersecurity:
- Responses: Threat response times have not changed in two years. More than half of respondents believed that their agency did not improve its security readiness, with response times actually lengthening.
- Threat Profiles: Application vulnerabilities and malware remain the top security threats and are increasing as a concern.
- Supply chain: Although procurement and acquisition are cited as areas of great vulnerability, there remains very little focus on applying security during the supply chain process.
ISC2’s Waddell offered some suggestions for turning the situation around.
“First, we need to target the workforce shortage crisis. Our response must go beyond simply filling open positions with bodies. If an agency or contractor is using a generic description for hiring purposes, they may have solved a short-term problem, but they have just created another one when that position becomes a revolving door fueled by turnover,” he told the E-Commerce Times.
“We need to do a better job developing role-based requirements first, then hire qualified staff that meet the job description requirements based upon their knowledge, experience and proven skills. That’s why programs such as the National Initiative for Cybersecurity Education and its National Cybersecurity Workforce Framework are critical,” Waddell said.
“Second, we must continue to improve situational awareness from a risk perspective within the federal government. The Department of Homeland Security’s Continuous Diagnostics and Mitigation program is trying to solve that problem on the federal level, but more work needs to be done. Decision makers must have a framework that includes people, process, technology and governance, so they can make risk-based decisions in near real-time,” he explained.
In typical government fashion, multiple federal programs have been initiated to address cyberthreats, including the FedRAMP security program for cloud development, DHS and National Science Foundation research, and efforts by the White House and the National Institute of Standards. Often, such multiple, broad-scale efforts, while well-intended, are unfocused and diffuse.
Programs Need Focus
“The lack of focus for these initiatives to be effective is more an outreach and awareness issue. Government is slow moving, and lacks resources to educate and communicate effectively,” Waddell said.
“For instance, the FedRAMP process, when done right, can alleviate some of the security concerns of moving sensitive data to the cloud, and actually reduce risk, but a lot of agencies need greater understanding of how FedRAMP’s controls apply to sensitive data, in order for them to adopt cloud on a wide scale. We found that 64 percent of U.S. federal respondents to our survey don’t even know if FedRAMP is having an impact on their agency’s cloud migration,” he pointed out.
“Another factor that is limiting the effectiveness of federal security initiatives is the government’s current procurement and acquisition practices. According to the ISC2 survey, 81 percent of U.S. federal respondents agree that security requirements should be mandated for each IT procurement. Until security requirements are mandated, the effectiveness of these initiatives will be limited,” Waddell noted.
A significant element for improving cybersecurity within the federal government, and more broadly in other sectors, is cooperation among all parties.
“The work that’s being done within DHS and across the current Information Sharing and Analysis Centers to share threat information between sectors such as finance, healthcare, critical infrastructure, retail, multi-state, and the federal government, marks progress in achieving this goal. Information exchange is actually happening today,” Waddell said.
“Soon you will see Information Sharing and Analysis Organizations being established which broaden the spectrum and include both ISACs and organizations that may not fall neatly into an existing ISAC framework. Getting this model working properly will help everyone get up to speed on cyberprotection, so that when one organization sees a threat, they can share it with other partners in near real-time,” he explained.
The results of the ISC2 report became a topic for discussion at a recent forum on cybersecurity sponsored by the immixGroup, with panelists offering different opinions on the findings of the survey.
“Sometimes I think the federal government is responding faster to cyberincidents than some people think,” forum panelist Gary Barlet, CIO for the USPS Office of the Inspector General, said in response to a question posed by the E-Commerce Times. “I’m not convinced the public perception is always as accurate as we would like it to be regarding cyberresponses.”
One factor affecting the reporting of incidents, he noted, was the challenge of striking a balance between the need for public disclosure and “whether you want to tip your hand to your adversaries and let the hackers know that you know what they have done.”
Different Sectors, Similar Results
“In the grand scheme, I don’t think the federal government is any worse or any better than other sectors in responding to incidents,” Barlet said.
“I don’t think it’s quite that simple that we are going either forward or backward. It’s more complex than that. In certain areas, as the threats multiply, you have the sense when you’re down in the trenches that you are losing ground,” Ernest McDuffie, a research scientist at George Washington University’s Cyber Security Policy and Research Institute, said at the forum.
“But I think the general awareness across government at all levels has been increasing, and that’s where you start,” he continued. “People have to be aware of the problems before you can start doing things to address them.”
Whatever the current status of federal capabilities in addressing cyberthreats, both the ISC2 report and the immixGroup forum suggest that cyberchallenges will be at the forefront of federal IT operation efforts. Those concerns are showing up in federal IT spending trends.
“Our analysis of federal spending does not cover the quality or performance of cybersecurity investments, but it is clear that this spending is increasing as a priority, and has been growing at a rate of around 8 percent, which is much higher than the rate for overall federal IT spending,” Kevin Plexico, vice president of information solutions at Deltek, told the E-Commerce Times.
In the future, that rate may moderate a bit to a 5.2 percent compound average growth rate, according to a Deltek analysis released late last year. The analysis projects that the federal addressable information security market will grow from US$7.8 billion in fiscal 2014 to $10 billion in 2019.