Federal Officials’ Confidence in Internal Cybersecurity Has Dropped Significantly Since 2014

Presented by FedTech

Fewer than 1 in 3 respondents are confident or very confident in their agency or department’s ability to keep up with evolving cyberthreats, according to a Dell survey.

Federal officials’ confidence in the ability of their agencies to guard against cybersecurity threats has eroded significantly over the past two years, according to a survey conducted by Dell and the Government Business Council. Federal employees are concerned that their agencies need to do more to educate workers about cyberhygiene best practices and how to protect themselves from malicious threats, the survey found.

The Government Business Council and Dell sent the survey to a random sample of federal officials in February, and 464 senior-level federal employees responded. The survey results were first reported in late April.

While 65 percent of respondents to the same survey in 2014 were “confident” or “very confident” in their department or agency’s ability to protect information systems from cyberintrusions, only 35 percent of respondents in the current survey expressed the same degree of confidence.

Andy Vallila, Dell’s security sales general manager for the Americas, said in an interview with FedTech that the results were certainly disheartening.

“My initial reaction when I saw the result, was, while we certainly live in an environment of heightened threats… the lack of confidence is concerning,” he said. “These are the very professionals in the agencies we entrust to positively influence the environment they are experiencing.”

Rising Concerns About Security Threats

According to the survey, “a lack of confidence in organizational cyberdefenses extends to personal information security.” Just 28 percent of federal leaders are confident or very confident in their agency/department’s ability to safeguard their personal information, compared to 58 percent two years ago.

Additionally, fewer than one in three respondents are confident or very confident in their agency or department’s ability to keep up with evolving cyberthreats, a significant decline from the 60 percent confidence level in 2014.

Vallila said that the data breach of millions of federal employees’ personal information last year at the Office of Personnel Management likely contributed to the drops in confidence in cybersecurity, but he added, “I don’t think it’s any one particular breach or event.”

Vallila noted that malware coming in from applications like email also is contributing to a general sense of insecurity. Another issue, he said, is that there is a “lack of connectivity between the network layer and the identity and access management layer” of agencies’ systems. That often increases the risk of identities and accounts being compromised because the risk of data requests is not being measured, he said.

Dell, he noted, offers software that connects the two layers to score the different requests for information at the network layer, and, based on that score, “can take prohibitive action before credentials or data are comprised.”

It’s more of a challenge for agencies to upgrade their systems in order to add that kind of security if the machines are proprietary and legacy systems, as opposed to systems built on open standards, Vallila said.

Improving Cyberhygiene and Modernizing Systems

Many federal agencies haven’t modernized two important areas of protection, Vallila said: two-factor authentication and being able to properly analyze packets that come through email attachments and then have encryption to protect users’ data.

Many threats facing federal agencies “speak to a lack of capability in one of those areas,” Vallila said. Agencies also need to engage in “simple user education” — train employees to not click on suspicious emails and to exhibit practices that will protect their identity.

When asked about significant cyberthreats to their department or agency, the survey respondents most commonly identified email embedded with malware (63 percent) and phishing/spear phishing (62 percent), similar to the top identified threats in the 2014 survey.

Federal leaders indicated in the survey that their greatest cybersecurity gaps are workforce-related. When asked to name cyberdefense elements “in need of significant improvement,” 55 percent cited cybersecurity personnel and 46 percent named workforce education.

Vallila urges agencies to “think big, start small” with improving their cybersecurity, and also to think beyond their immediate needs. Agencies need education, more funding, and better and faster sourcing around procurement, he said.

“We do believe that changes in considerations as to how cybersecurity defense is implemented are necessary along with user education,” he said.

For more information on federal cybersecurity issues, visit fedtechmagazine.com/security.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.