01 Oct Weak Federal Cybersecurity Measures are Deteriorating Further – and That’s Extremely Dangerous
RSAConference | By: Bob Ackerman | September 24, 2018
It may seem relatively quiet on the cybersecurity front these days, and in some ways, it is. There are no new reports of breaches at the National Security Agency or the federal government’s Office of Personnel Management, and, happily, no other major credit reporting agency has followed in the footsteps of Equifax as a victim of a devastating breach – one that last year exposed sensitive information on 143 million Americans.
Headline-grabbing breaches alone, however, hardly provide a complete picture of the state of cybersecurity affairs.
Most important is the progress of work being done to block future breaches, and this seems to be non-existent. The federal government has never done a good job managing cybersecurity. And now it has apparently abandoned the crucial goal of improving cybersecurity defenses. In fact, they are weakening.
Proof point No. 1 is President Trump’s cybersecurity executive order(EO), announced 16 months ago. Remember that? Amid lots of fanfare, it mandated a review of U.S. cybersecurity capabilities and, among other things, put responsibility for cybersecurity risk on the heads of federal agencies. It also required status reports on the security of critical national infrastructure. Reports from the federal agencies were due in 90 days and those related to infrastructure in 180 days.
It has become clear, however, that the Trump administration has failed to complete many of the provisions of the EO in many of the various reports required.
The incompetence doesn’t stop here, either. Four months ago, the White House eliminated the position of cybersecurity coordinator on the National Security Council, thereby eliminating a post central to developing federal cybersecurity policy.
Still No Federal Cybersecurity Plan
With November mid-term Congressional elections only weeks away, the White House still has not presented a coherent plan to protect election systems. It’s well-known that hackers with Kremlin ties attacked the computer systems of Democratic officials and spread misinformation on social media before and after the 2016 presidential election. Today, many states remain highly vulnerable to Russian hackers as the elections approach. What is the Trump administration waiting for?
Deteriorating focus on cybersecurity is both a global and national security imperative, and the cyber domain is in route to becoming a hotbed of economic warfare. All this negligence makes everybody less safe.
In addition, it is highly embarrassing that other major global players are moving forward while the U.S. is falling increasingly behind.
Earlier this year, for example, the World Economic Forum announced a new Global Center for Cybersecurity in an effort to safeguard the world from hackers and protect against rogue nation-states. The goal of the center is to create a safe and secure global cyberspace, allowing collaboration among governments, businesses, law enforcement agencies and cyber experts to better protect against cyber attacks.
A few months later, Europe implemented the General Data Protection Regulation (GDPR), requiring businesses to protect the personal data and privacy of European Union citizens in transactions that occur within EU member states. Penalties for non-compliance are severe.
Stunning Report Card from OMB
Back on the home front, meanwhile, a recent report by the White House’s Office of Management and Budget (OMB) reinforces the dire need for change across dozens of agencies. Among the 96 federal agencies it assessed four months ago, it deemed 74% either “At Risk” or “High Risk,” which means that crucial and immediate improvements are required.
Not only are so many agencies vulnerable, but more than half lack even the ability to determine what cybersecurity software runs on their systems. And the OMB says that only one in four agencies could confirm the capability to detect and investigate signs of a data breach. So most agencies are essentially flying blind.
In aggregate, the OMB concludes that agencies do not understand today’s threat environment and lack sufficient resources to combat it. So they come up short instituting standardized cybersecurity processes and lack visibility into what is occurring on their networks, especially the ability to detect data exfiltration.
Separately, the latest annual report mandated by the Federal Security Management Act underscores that the Department of Homeland Security– the government’s point agency on cyber issues – also needs to improve its security apparatus. It recently garnered disappointing marks in three of the five areas covered in the annual information security assessment.
Some States Trying to Step into the Gap
The only good news on the government cybersecurity front – albeit geographically limited — is that a handful of states, including California, Arizona, New Jersey and Washington, have been trying to fill some of the security gap by creating tough new cyber laws or more robust cybersecurity strategies in their states.
Less than three months ago, California, for example, mandated its own version of GDPR, effective in 2020, giving state residents much more control over how their data is collected, used and handled. Consumers will learn what information companies are collecting about them, why they are doing so and who they are sharing it with. They can also stop companies from sharing their data. Like GDPR, corporate violators of the law will face stiff fines.
Arizona takes a community approach to cybersecurity operations via coordination between the state government and the Arizona Cyber Threat Response Alliance, a nonprofit coalition of businesses and universities that grew out of an FBI program.
The group runs workforce development programs and facilitates communication between the technology industry, academia and law enforcement. The state’s chief information security officer, meanwhile, runs the government’s cybersecurity infrastructure and recently hired a single vendor to monitor risk across all 133 state agencies.
In New Jersey, the state’s Cybersecurity and Communications Integration Cell (NJCCIC) — modeled after practices at the U.S. Department of Homeland Security –takes the lead on all state cybersecurity issues and also helps cities and townships unequipped to handle computer crimes. Among other things, the NJCCIC has taken a role in responding to a hacking attack at Rutgers University and monitoring cyber threats linked to a Pope Francis visit in 2015.
In the state of Washington, cybersecurity measures are overseen by a private sector CISO who reports directly to the state chief information office and also assigns major roles to emergency management and state military agencies, such as the National Guard. This multi-disciplinary model improves critical infrastructure protection.
Ultimately, the Federal Government Must Be the Ringleader
In the end, of course, the federal government needs to be the ring leader in cybersecurity protection because all 50 states must be protected.
Yet even if President Trump’s EO were to be implemented, far more needs to be done at the federal level. Unaddressed is that civilian agencies, and to a lesser extent, intelligence agencies need to seek opportunities to share cyber technology and to consider listing cutting-edge cybersecurity startups on the technology vendor list. In addition, excessive security vulnerabilities in the electric grid and other U.S. infrastructure must be addressed.
At the absolute minimum, the White House must actually enforce the President’s cybersecurity EO. In the government’s fiscal year that ended in September 2017, federal civilian agencies reported 151 cyber attacks to the Department of Homeland Security, up from 109 the previous year. Between 2006 and 2015, the number of incidents reported soared tenfold.
Substantial improvement across the board is essential. This is among the reasons I’m working with others to kick off the inaugural Global Cyber Innovation Summit next year in Baltimore, providing an open forum to tackle, among other things, how to address the capital’s myriad cybersecurity shortfalls. Going backward is too dangerous to contemplate.