The spectacular database breach that affected nearly 21 million people highlighted the continuing vulnerability of U.S. government information technology systems, despite the expenditure of billions each year for cybersecurity programs.
The breach, which the federal Office of Personnel Management revealed this summer, resulted in the departure of the head of the agency and triggered widespread questioning about the adequacy of federal IT security by members of Congress and others.
The OPM breach “illustrates the need for strong security over information and systems” throughout the U.S. government, the General Accountability Office said in a report released last month.
“During fiscal years 2013 and 2014, federal agencies continued to experience weaknesses in protecting their information and systems,” the report notes. Federal government IT systems “remain at a high risk of unauthorized access, use, disclosure, modification, and disruption.”
Offering a more sanguine view is a report from BitSight Technologies, which finds federal agencies’ cybersecurity performance pretty much in line with other major sectors and somewhat better than the healthcare and education segments.
“The federal government, currently in the spotlight in the wake of the OPM mega-breach, is the second-highest performing sector” among the six broad components of the U.S. economy analyzed, the firm’s report says.
The company’s analysis — its third annual report on federal government cybersecurity — shows that many agencies are performing well when it comes to overall security performance, according to BitSight.
On the BitSight index, a score of 900 reflects the best performance in cyberprotection. Using that scale, the six sectors measured by the company ranked as follows: financial — 716; federal government — 688; retail — 684; energy and utility — 652; healthcare — 634; and education — 554.
However, taking a scoreboard approach to measuring cybersecurity performance can be misleading. A major breach anywhere, whether in the public or private sector, can have devastating consequences.
Witness the OPM hack attack revealed this year, or the 2013 attack on Target, which potentially affected 70 million people. The U.S. government collects so much information that the impact of a breach can be enormous just for civilians. The impact of a national security cyberbreach could be incalculable.
GAO Cites Widespread Weaknesses
The U.S. government continues to be a prime target for hackers.
Federal agencies reported 67,166 cyberincidents in 2014 — a gain of 6,000 such occurrences from 2013, and more than double the incidents reported in 2009, according to a report GAO delivered to Congress last month.
Of the incidents reported for 2014 (excluding non-cyberincidents), scans, probes and attempted access were the most widely cited type of incident across the federal government.
“This type of incident can involve identifying a federal agency computer, open ports, protocols, service, or any combination of these for later exploit,” notes the GAO report.
Of the 24 federal agencies GAO examined, all experienced persistent deficiencies. Most agencies were still challenged in meeting five critical cyberprotection functions:
- limiting, preventing and detecting inappropriate access to computer resources;
- managing the configuration of software and hardware;
- segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation;
- planning for continuity of operations in the event of a disaster or disruption; and
- implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.
BitSight Measures Operational Performance
The BitSight rating is based on operational measurements, expressed as a daily mean metric, including the composition of a network map of an organization’s Internet footprint.
“Security events, such as breaches, malware infections, and other incidents do factor into the overall rating. We also factor in organizational diligence, such as how an organization configures Internet services offered, including email servers, DNS, SSL and other services,” said Jay Jacobs, senior data scientist at BitSight.
“Another category we recently added is observations around employee behavior on the Internet. All together, we have over 100 data feeds and 20 billion new records that we process on a daily basis and aggregate to arrive at a rating for each entity we monitor,” he told the E-Commerce Times. [*Correction – Oct. 6, 2015]
Since several cyberinvasion methods are of particular interest to IT operators, BitSight broke out a subset analysis showing exposure levels to the Poodle, Freak and Heartbleed vulnerabilities.
All six sectors monitored showed high exposure levels to the Poodle exploit, ranging between 69 percent for finance and 91 percent for education, with the federal government at 79 percent. For Heartbleed, the exposure level was well below 10 percent for five sectors, but education registered 23 percent. Exposure to Freak ranged from 30 percent to 75 percent, with government at 50 percent.
The BitSight ratings “are relative measurements, and what’s presented in the report are averaged over many different organizations in each industry,” Jacobs acknowledged.
In the sector ratings, the federal government “is very close to the retail sector, which has also had its share of headline-grabbing breaches over the last year,” he said. “So even though it may seem counterintuitive with recent headlines, by comparison the federal government is doing fairly well — or others are doing just as poorly — depending on your optimism or pessimism.”
Culture and Accountability
The factors behind the cybervulnerabilities to which federal agencies are subject make meeting security goals a formidable task.
“Cybersecurity is a systemic challenge across the federal government because of multiple factors, including rapidly evolving threats, rapidly changing technology, and a variety of organizational, cultural, leadership, managerial, resource and technical issues,” said David McClure, executive vice chair of the Industry Advisory Council, which is affiliated with the American Council on Technology.
“This combination of factors is what makes cybersecurity such a difficult problem to successfully address,” he told the E-Commerce Times. “ACT-IAC is collecting the best ideas and practices from a wide range of government, industry and academia sources, in the hope that we can provide useful recommendations on how federal agencies can improve the effectiveness of their cybersecurity programs.”
Lack of accountability has been a major deficiency in the federal culture related to IT security, argued Morgan Wright, principal of Morgan Wright. In fact, the launch of a 30-day government-wide sprint to shore up security after the OPM breach demonstrated a longstanding deficiency in accountability.
“For too long, major systems were developed — even with Federal Information Security Management Act requirements — that lacked the necessary data and transport protections to adequately defend against a cyberattack,” he told the E-Commerce Times.
“Why does it take a 30-day sprint to discover problems that should have been addressed in the normal course of business?” Wright wondered. “The current culture is still too much of a reflection of the past — security was never the foundation for discussion.”
In the private sector, managers can be fired and companies can be taken to court over cyberbreaches, he noted, but such sanctions are largely missing in government, leading to a culture of inertia in addressing problems.
“By its very nature, it is difficult to hold someone accountable — especially at the senior executive level,” said Wright. “Agency heads are not subject to the same personal and corporate liability that the private sector is. Numerous Inspectors General reports have been issued on agencies that span different administrations. Why are we still dealing with the same problems from eight or 10 years ago?”
Clearly, there is a need for more streamlined procurement processes for federal agencies to acquire and deploy cyberprotection technologies.
*ECT News Network editor’s note – Oct. 6, 2015: Our original published version of this column misquoted BitSight’s Jay Jacobs as saying that the firm processed 200 records daily. The correct figure is 20 billion records. We regret the error.