Agencies Often Lack Strong Authentication and it’s a Big Problem

The cyberbullies of the world like to beat up on the U.S. government.

The Office of Management and Budget’s annual Federal Information Security Management Act report to Congress revealed that agencies reported nearly 70,000 cyberincidents in fiscal 2014, a 15 percent bump up from the previous year. My colleagues at Nextgov did an excellent job visually explaining the vast array of cyberthreats agencies face today, but what’s particularly troubling is that many of the cyber-beatings the government takes are preventable.

The FISMA report states that U.S. Computer Emergency Readiness Team incident reports "indicate that in FY 2013, 65 percent of federal civilian cybersecurity incidents were related to or could have been prevented by strong authentication implementation. This figure decreased 13 percent in FY 2014 to 52 percent of cyberincidents reported to US-CERT.”

Before we go further, here is the FISMA report’s definition of strong authentication:

The use of an “identification authentication technology to ensure that access to federal systems and resources is limited to users who require it as part of their job function. Strong authentication requires multiple factors to securely authenticate a user: (1) something the user has, such as a PIV card; (2) something the user is, an approved user; and (3) something the user knows, such as a password or key code.”

Now, let’s backtrack.

By the numbers, agencies are getting a little better at implementing strong authentication, but the data is a little skewed. If you remove the Defense Department from the equation -- DOD makes good use of strong authentication principles -- the FISMA report says only 41 percent of civilian CFO Act agencies have implemented strong authentication for network access in 2014.

Even with DOD included, and factoring in large, strong authentication jumps from the Commerce Department and the Environmental Protection Agency, US-CERT contends that 52 percent of cybersecurity incidents could be prevented across government by strong authentication.

That’s eye-popping to any IT security professional – or whoa-inducing if you’re Keanu Reeves.

But let’s explain that geek-speak to the masses the same way HBO’s “Last Week Tonight” host John Oliver helped former National Security Agency leaker Edward Snowden explain complex government surveillance using nude photos we all millions of people take.

Let’s say a particular make of car gets broken into 70,000 times a year by thieves, and nearly a quarter of those attempts results in crooks making off with ID cards, ash-tray change or even the car itself.

What if I told you better locks would prevent and deter more than half of those breaches?

That’s precisely what strong authentication does. It’s not cheap, but in our analogy, neither is buying a new locking system that doesn't let everyone in.

“It’s not cheap when you bring cost into it,” said Deb Gallagher, Defense Manpower Data Center special adviser, speaking at an event April 15. “I don’t think [strong authentication] is necessary all the time, but it is very important to know who it is that is on [the DOD] network and who it is that is accessing our information.”

Gallagher noted that when DOD required smart cards for network log-ons circa 2005, the department experienced a 46 percent reduction in successful intrusions. Certainly in today’s tech-savvy culture, when data breaches at big-time organizations get front-page media treatment, that’s a great return on investment.

Now, intelligent use of strong authentication is logically the best tradeoff for government. Going back to our “new wardrobe” analogy, you don’t need to wear the shiniest suit every day. The best approach is to pick and choose where and what level of strong authentication makes sense within your organization.

“It’s about figuring out when the risk profile matches the strength of authentication,” said Mike Garcia, deputy director for the National Institute of Standards and Technology’s National Strategy for Trusted Identities in Cyberspace.

“You don’t always have to authenticate something strongly, you don’t always need to prove something,” he added. “Figure out what you need and associate that risk profile with strength of transaction. That gets us out of the idea to get relatively expensive authentication tokens for everyone.”

The conversation over identification and access management is not likely to end anytime soon. On April 30, we’ll host a webcast to further discuss the government’s progress in adopting strong authentication with NIST’s Paul Grassi. Make sure to register.  

(Image via Gajus/ Shutterstock.com)