Most Cyber Execs Don’t Think OPM Hack Changed Much

Most federal cybersecurity executives don’t think the government’s response to a major hack last summer actually helped agency security, a new survey suggests.

About 52 percent of federal information security professionals said they didn’t think the Cybersecurity Sprint -- a 30-day, White House-directed effort to shore up federal cyber hygiene -- improved their overall information security, according to findings from (ISC)2, a nonprofit dedicated to IT security training and certification.

The group interviewed 54 federal cyber executives, across defense, intelligence and civilian agencies and contractors, for their overall feelings about information security.

Sixty-five percent of respondents said they didn’t think the federal government as a whole could detect ongoing cyberattacks, and 59 percent of executives said their agencies were not able to fully understand how cyberattacks could breach their own systems, according to the survey.

“So many working in this industry are just overwhelmed,” Tony Hubbard, a principal at professional services firm KPMG, which partnered with (ISC)2 on the report, said during a panel discussion about the report in Washington on Thursday. “It’s a tough spot,” he explained, because IT shops need to keep their operations running while also trying to upgrade their security and implement top-down directives -- all with limited funding.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The White House-issued Cybersecurity National Action Plan,  which includes an effort to modernize information systems using a $3.1 billion revolving fund and installing a federal chief information security officer, has the potential to mitigate some of their challenges, respondents said.

When asked about the biggest obstacles to their cybersecurity advancement efforts, 65 percent of execs listed lack of funding, 48 percent said lack of understanding on the topic and 48 percent said lack of accountability, and the report found.

A federal CISO could begin to alleviate the accountability challenge -- 21 percent of survey respondents said there wasn’t a leader in their agencies whose sole responsibility was cybersecurity. However, that person, whose appointment is expected in the next several weeks, won’t be able to effect immediate change, said David Shearer, chief executive officer of (ISC)2 and former deputy CIO at the Interior Department.

Without a clear role and a understanding of the operational implications for the policies they recommend, “it’ll just be another person,” Shearer said. “It’s unclear how much control they’ll have,” he said. While it’s easy to issue top-down directives, he added, it’s often “just another executive order or another piece of guidance that doesn’t have any teeth.”

Lack of funding impacts agencies’ ability to recruit the necessary cyber talent, Janice Haith, deputy CIO of the Navy, said during the panel discussion. Haith said her department is trying to recruit in Silicon Valley and other tech-rich areas such as Texas, Georgia and parts of the Northeast, but is also sending employees to bulk up on cyber skills through outside classes, if talent can’t be recruited.

But with limited funding for salaries, “we’re just not competitive” with the private sector, Haith said, and often cyber talent transitions out of the Navy every few years.