Federal Cybersecurity Has Room for Improvement, a Year After OPM Hacks

A year after the security breaches that targeted the Office of Personnel Management (OPM), in which personal information of 22.1 million current, former and potential federal employees was stolen, the federal government has made progress on cybersecurity but still has a long way to go. That’s a key takeaway from a recently released survey from security certification firm (ISC)² and management consulting company KPMG.

The survey comes as OPM and federal agencies continue to take steps to bolster cybersecurity protections and improve policies. In January, the government announced that it would be establishing a new agency to handle background checks and investigations, and that responsibility for protecting those records would be shifted from OPM to the Department of Defense. That plan has come under scrutiny from lawmakers.

The (ISC)² and KPMG survey looked at “a targeted pool of executive-level government officials and contractors with the goal of reporting the state of cybersecurity from federal cyber experts whose purview included an enterprise-wide perspective.” The report is based on a survey of 54 cyber executives who identified themselves as U.S. federal senior managers or contractors with cybersecurity responsibility in government. The online survey request was distributed to personnel from defense, civilian and intelligence agencies, and government contractors and consultants.

More Work Needed on Cybersecurity

According to the survey, 59 percent of respondents say that their agency “struggles to understand how cyber attackers could potentially breach their systems,” and 40 percent of respondents say they are unaware of where their organization’s key assets are located.

The survey also found that 65 percent of respondents “disagree that the federal government as a whole can detect ongoing cyber attacks.”

According to the survey, 77 percent say that there are senior leaders in their agency whose sole responsibility is cybersecurity, but 21 percent could not identify such a leader. Like many similar reports, these findings indicate that “leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability,” with 42 percent of respondents indicating that people are currently their agency’s greatest vulnerability to cyber attacks.

Additionally, 67 percent of respondents “believe their agencies can appropriately respond to a cyber incident” but by contrast 40 percent think “their agency’s incident response plan is not effective in responding to cyber attacks,” even after the OPM data breaches.

A year ago, after those breaches were disclosed, federal CIO Tony Scott launched a 30-day “Cybersecurity Sprint” that instructed agencies to immediately take steps to further protect federal information assets and improve the resilience of federal networks, the report notes. Yet 52 percent of respondents disagreed that the Sprint response improved the overall security of federal IT.

Technology is highly prized to improve security, the report finds. When asked how departments within their agency ranked elements of cybersecurity, 56 percent say IT is "very important" and 35 percent say it’s "important." Yet 44 percent also say purchasing and procurement is important, and an equal amount say human resources plays an important role.

Making Progress and Looking Ahead

Based on the survey results, (ISC)² and KPMG recommend that, to improve cybersecurity, “more technology is no longer the sole solution — effectively dealing with cybercrime requires that we place more focus on the human perspective and implement a more balanced and holistic approach as it relates to the people + process + technology equation.”

The report also says that the government’s approach to increasing awareness and vigilance across an agency “must include regular and continuous cyber hygiene trainings and simulation drills, rather than annual awareness seminars with ineffective PowerPoint presentations.”

Additionally, the report says agencies must “address the dissatisfaction among the federal cyber executive ranks and empower them with more authority to make risk-based decisions and, above all, improve the cyber culture within their respective agencies. This will enable collaboration across all levels and departments within an agency.”

OPM has been touting improvements it has made into its own cybersecurity. As FierceGovernmentIT reports: “Department of Homeland Security hackers responsible for finding weak spots in federal agencies found that OPM's cybersecurity is now so strong they couldn't infiltrate networks to execute a phishing attempt. And once they did gain access, fewer OPM employees fell for the scam – the result of training after the hack, said Clifton Triplett, OPM's senior cybersecurity adviser, whom the agency hired last year.”

However, OPM is still looking for a new permanent CIO, and has placed a job listing for the position four months after their previous CIO, Donna Seymour, stepped down. Lisa Schlosser is currently the acting CIO in the interim.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.