The State of Data Security in the Federal Government
Most agencies don’t have a solid grasp of what data they have or where it is located.
Despite substantial annual spending on federal cybersecurity, breaches are still being reported at a disturbingly high rate. Nearly half of U.S. federal government respondents in the 2021 Thales Data Threat Report noted they have experienced a security breach at some point, and of these, 47% said they had experienced a breach in the last 12 months. While not every breach is the size and scale of the now infamous SolarWinds attack of last year, this rate is disturbing. Clearly, as attackers get better at their job, it gets harder for security professionals to do theirs.
The Federal Edition of the 2021 Thales Data Threat Report looked at various aspects of data management and security in a wide-ranging survey of more than 2,600 security professionals and executive leaders, including 100 from U.S. federal agencies. Here are a few important takeaways to help illustrate the severity and scope of today’s cyberattacks. These are noteworthy given the recent White House Executive Order to Improve the Nation’s Cybersecurity.
Understanding where data resides
Most agencies don’t have a solid grasp of what data they have or where it is located. In fact, just over one-fourth (28%) of federal respondents have full knowledge of where their data is stored, and just one-third (33%) claimed to be able to fully classify their data. You cannot protect your sensitive data if you do not know where it is. Dedicating time and resources to discover and classify data is essential in order to apply the relevant measures to protect it.
Increased cloud migration
2020 was the year of accelerated digital transformation. Roughly one-quarter (29%) of federal respondents now store more than half of their data in the cloud, and 57% of respondents indicated that 31-50% of the data that is stored in an external cloud is sensitive. However, cloud migration has proven to scale at a much faster rate than encryption. Only 15% of respondents stated that more than half of their sensitive data stored in the cloud is encrypted. This is alarming given that encryption is a key element of the White House executive order. Part of the reason may be that encryption and key management can be complex, and skilled personnel with both cloud platform and security expertise are in high demand. For all of their many benefits, cloud computing and hybrid environments have also layered on considerable complexity—and complexity is oftentimes the enemy of good security.
A tangled web of key management systems
Another common challenge is the web of key management systems. The survey found that the largest percentage (41%) of federal agencies currently employ between five and seven separate key management products, while a small number (9%) have as many as 8-10 key management products. These typically include a mix of key management software, hardware security modules (HSMs), homegrown solutions, and spreadsheets or flat files. While having a complex management system prevents organizations from knowing exactly where everything is stored, it is also costly and complex for IT organizations to protect data using multiple encryption technologies across disparate data silos. Centralizing management ensures keys are secure and always provisioned to authorized encryption services.
The eye-opening statistics from the 2021 Thales Data Threat Report demonstrate that modern cybersecurity requires a mindset shift in which security is implicitly attached to data and the users who need to access it. If we don’t change the game, federal agencies will continue to suffer from continuous data breach attacks that have far and wide implications—including financial. We must empower our federal government to protect data at every turn, and in the event of an attack, ensure alerts are raised immediately, whether it’s malware, ransomware or a phishing campaign.
The good news is that secure data storage and encryption is on the horizon for federal agencies. The recent executive order is the first full acknowledgement of the necessary mindset shift at the national level. By mandating the use of encryption and multi-factor authentication, it puts the focus on what matters most: data and identities. At the end of the day, security needs to be designed around both the data, with end-to-end encryption, and the users, through multi-factor authentication. The federal government should accept nothing less to secure their data and operations.
Lloyd Mitchell is the president of Thales Trusted Cyber Technologies.