The White House has released its yearly assessment of agency compliance with the governmentwide cyber law.
The White House has released its yearly assessment of agency compliance with the governmentwide cyber law known as the Federal Information Security Management Act. And given the spate of breaches and hacks that hit both government and the private sector, the results may not be all that surprising.
Sensitive agency data is often not encrypted. Many departments do not require two-factor authentication for accessing government networks, despite post-Sept. 11 requirements (HSPD-12, issued in 2004) that employees carry login smart cards. And cyber training is deficient in one of the most unlikely areas…
2014’s Biggest Federal Computer Security Blunders
1. Federal agencies reported 15 percent more information security incidents in fiscal 2014 compared to fiscal 2013, rising from 60,753 to nearly 70,000 events. These incidents included phishing attempts, malware infections and denial-of-service attacks, as well as leaks of paper records and sensitive emails sent without encryption.
2. Less than half, or 41 percent, of civilian agencies used identity verification with smart cards for accessing networks (the Defense Department requires its own smart cards, which carry biometric data, for accessing military systems). The low adoption rate of "strong authentication" matters because, according to the White House's new cyber enforcement unit, "E-Gov Cyber," a majority of government cyber incidents, 65 percent, were related to weak authentication or could have been stopped by two-factor ID checks.
3. The Small Business Administration, Nuclear Regulatory Commission, Housing and Urban Development Department, Labor Department and the State Department scored zero on using strong authentication. State, NRC and Labor each have been hacked in recent years.
4. Meanwhile, SBA, the National Science Foundation, Transportation Department, State, Labor and Agriculture Department have no ability to encrypt email, meaning that any message intercepted in transit can be read in the clear. Unencrypted emails are a primary source of leaks, according to the report.
5. More than 25 percent of employees with significant cyber duties have not undergone cyber training at NRC, the U.S. Agency for International Development and the departments of Defense, Health and Human Services and State.
6. NASA and the Department of Veterans Affairs have no way to automatically detect (or block) unauthorized software on computers.
Still, here are three reasons why agencies might yet learn from past mistakes:
1. The new E-Gov Cyber squad "is prioritizing the agencies which have encountered difficulty in implementing strong authentication" for CyberStat sessions -- data-driven reviews where the White House highlights weaknesses.
2. Nearly 80 percent of major federal agencies have so-called continuous monitoring programs that automatically detect whether security controls are in place, according to federal inspectors.
3. Seven agencies, which were not named in the report, are using an upgraded version of the government's intrusion detection system, dubbed EINSTEIN, that can block attacks rather than merely flag them. So-called EINSTEIN 3 has the ability to block and disable attempted incursions at the network perimeter before harm is done, instead of only alerting after the fact.