Another day, another cybersecurity breach at federal agencies
Federal IT security pros say external sources are the biggest threat to their agency or network, while defense agencies indicate state-sponsored cybersecurity attacks are their most significant external cybersecurity issue.
Nearly one-third of federal civilian and Defense Department agencies experience a cybersecurity incident daily, according to CDW Government Inc.'s 2009 Federal Cybersecurity Report. The report, based on a September survey of 300 federal information technology security professionals, also found that the number and severity of cybersecurity incidents has stayed the same or increased in the last year.
Defense and civilian IT security professionals say external sources are the biggest overall threat to their agency or network, with defense agencies indicating state-sponsored cybersecurity-warfare programs as their most significant external cybersecurity issue. For civilian agencies, independent international hackers and software problems are the most widely reported external challenges.
At the same time, internal threats such as inappropriate Web surfing, lax user authentication and loss of computing devices continue to leave agencies vulnerable to cybersecurity threats. Respondents cite malware, inappropriate employee activity and remote-user access as the top cybersecurity challenges they face each day -- and that remote computing challenges are increasing more than all others.
“Fundamentally, cybersecurity is not just a technology issue -- it is a management and cultural challenge for federal agencies,” said Andy Lausch, vice president of federal sales for CDW-G. “Federal IT security professionals are engaging in the cybersecurity war on multiple fronts, and they need the participation of the federal employees, managers and senior staff that they support. First and foremost, federal IT security professionals are calling for increased end-user education, both to reduce internal cybersecurity incidents and to close the door to external threats.”
In response to growing threats, the majority of federal IT security professionals on the front lines say their requirements for network monitoring/intrusion prevention, encryption, user authentication, end-user education, patch management and network access control have increased or significantly increased during the last year -- yet just half say they have adequate budget to meet their cybersecurity needs.
Agencies may see budget relief during the next few years, according to a forecast on information security spending released in October by market research firm Input, which projects federal spending on information security products and services will increase from $7.9 billion in 2009 to $11.7 billion in 2014 in direct response to heightened attacks, evolving threats, and presidential and congressional focus on cybersecurity improvements.
To address cybersecurity issues, agencies are taking a multifaceted approach, focusing on end-user training for internal challenges and cybersecurity tools for external threats. To address avoidable end-user mistakes and reduce vulnerabilities, 82 percent of agencies provide ongoing training classes on security policies and procedures. To combat external threats, 81 percent have an Internet firewall and 71 percent have intrusion protection/detection.
However, despite agency training commitments and technology implementations, many agencies still experience avoidable internal risks. More than 70 percent of agencies have experienced inappropriate Web surfing/downloads in the past 12 months, and more than 40 percent have seen the unauthorized transfer of sensitive information. As a result, federal civilian and defense agencies agree that their No. 1 priority for improving agency cybersecurity is more end-user education.
Based on the findings of the 2009 Federal Cybersecurity Report, CDW-G recommends that federal agencies:
- Reassess end-user training: Establish programs and metrics to measure training success. Communicate security policies that include guidelines for acceptable use and policy acknowledgment. Establish consequences for noncompliance with agency cybersecurity policies.
- Address the mobile threat: Implement a tiered security architecture for mobile assets such as two-factor authentication, VPN sessions, data-at-rest encryption, remote Web filtering and endpoint security software to ensure mobile devices are compliant and within policy.
- Implement industry-standard technologies: To reduce malware threats and enforce acceptable use policies, assess the agency enterprise and implement basic cybersecurity tools across the agency enterprise.
- Participate in the Federal Trusted Internet Connections program, which reduces the number of agency Internet connections. Participants confirm improved security.
“During the last several years, federal agencies have proven they can do more with less in challenging budget environments,” Lausch said. “Unfortunately, they are simply outpaced by organized crime, increasingly sophisticated hackers and state-sponsored professionals. It is time for computer users to step up and take an active role in cybersecurity efforts. Much like Americans have made recycling an everyday task, it is time for users to form a new habit -- making smart, network-protecting activity a part of their daily routines.”
CDW-G’s online survey collected responses from 150 federal civilian and 150 defense IT professionals familiar with their agency’s cybersecurity measures and challenges. It identifies agency cybersecurity threats, steps federal IT professionals are taking to combat them and opportunities for improvement.