Darren Guccione is CEO of Keeper Security.
The end of the fiscal year is a time for government agencies to assess the effectiveness of programs and services, especially when determining budgets. With fiscal 2015 ended, few would dispute that all federal agencies should critically evaluate the effectiveness of their cybersecurity programs and, in particular, whether more resources are required to meet the ever-increasing need for better protection.
While acknowledging that every agency is different, the unvarnished truth is that the government as a whole needs to spend a lot more on cybersecurity.
Recently, the Office of Personnel Management, itself a victim of one of the largest and most detrimental hacks against a government agency, reported that the fingerprints of 5.6 million federal employees were stolen – in addition to the personally identifiable information of 21 million employees, including Social Security numbers. Social Security numbers can be changed; credit card and other financial numbers can be changed. But changing your fingerprints, particularly if you have top-level clearance? You can see the severity of the problem here.
The OPM hack is just the most recent example of a worsening problem: The cybersecurity defenses of the federal government aren’t sufficient to the scale of the threat.
According to a July report from the Government Accountability Office, the number of cybersecurity incidents against the federal government has increased 1,000 percent since 2006, from 5,503 to 67,168.
As one might assume, federal spending on cybersecurity has increased over the years – to roughly $12.5 billion a year. As one research firm put it, “the annual cybersecurity spending of the U.S. federal government is bigger than any national cybersecurity market (including both public and private sector), exceeding at least twofold the largest cybersecurity spending countries.”
The White House’s fiscal 2016 budget asks for $14 billion, or 35 percent more than the 2014 allotment. But like everything else in government spending, that figure is divided among dozens of agencies, and the amount any one agency receives often isn’t enough.
For example, a report from Bank of America Merrill Lynch found that 11 federal departments, including Social Security, NASA and the State Department, spend less than 1 percent of their budget on cybersecurity. OPM, the report notes, “spent the lowest percentage on cybersecurity out of all the departments” in 2014. Meanwhile, DHS, which has the highest spending ratio, still only devoted 3.5 percent of its budget to cybersecurity.
The second issue is that how the money is spent is just as important as how much is spent.
For example, the proposed budget for Homeland Security allots $480 million to threat detection services, such as its EINSTEIN intrusion detection system. But only $102 million is designated for what we might call prevention services.
Obviously, threat detection – knowing when hackers have infiltrated a system – is critical. But so too is prevention, which is where federal agencies need to start devoting more resources.
How critical? A recent SolarWinds survey of 200 IT security professionals in federal government found that 53 percent believed “careless and untrained insiders” were the largest source of cybersecurity threats.
Also, a 2014 report from the Republican staff of the Senate Homeland Security and Governmental Affairs Committee blasted federal agencies for failing to adhere to even the most basic cybersecurity protocols, such as installing regular software updates or mandating strong passwords. (One of the more common passwords used for federal systems was, incredibly, “password”.)
All of these oversights fall under the category of prevention. So while federal agencies should demand larger cybersecurity budgets, they must also ensure those extra dollars are going to the right prevention methods. In particular, federal agencies must focus on:
Internal Security Training: Federal workers should undergo thorough cybersecurity training courses so they can better understand how their actions might compromise federal systems. As the SolarWinds survey emphasized, federal IT workers are extremely concerned that ill-trained employees are the weakest link in the cybersecurity chain. As one network manager at a federal agency told The Washington Post, “Our security holes begin at the top,” meaning even the senior management shouldn’t be immune from security training.
Password Management: Federal agencies can do much more to ensure the most basic cybersecurity defense tactic – a strong password – is not only mandated but rigorously enforced. To that end, federal agencies should invest in password management solutions that take password creation out of the hands of employees. The top-tier enterprise password managers use the highest levels of encryption technology and also add an extra layer of security through two-factor authentication. Unlike many of the expensive threat detection technologies, password management solutions are far more affordable for government agencies.
Better BYOD and IoT Policies: As with other industries, the federal government is faced with the dilemma of allowing employees to use personal devices, such as smartphones and tablets (“bring your own device”). In fact, the White House has issued guidelines for agencies that allow BYOD, although it says they aren’t mandatory. Indeed, as the Brookings Institution noted, there are no governmentwide policies related to BYOD or to the rise in “Internet of Things” devices: Aside from the Department of Veterans Affairs, not a single agency has adopted a strategy related to BYOD or IoT. But these devices, and employee desires to use them for work, aren’t going away and they represent serious cybersecurity vulnerabilities.
Federal agency budget battles are often highly politicized and can drag on interminably. However, given the massive scale of cyber threats and that they target EVERY agency, shouldn’t the government bolster its allocated finances to fight against one of the greatest national security dangers of our time? I would say undoubtedly, the answer is yes.