Study: US federal agencies still lacking strong cyber hygiene

A new study showing how US federal agencies still don't have a firm grasp of cyber-security was ironically released days after a third-party contractor hired to fortify the US Office of Personnel Management's systems suddenly quit.

Report highlights cyber-security failings
Report highlights cyber-security failings

A new survey study showing how federal agencies and their IT contractors still do not have a firm grasp of proper cyber-security practices was ironically released just days after the third-party contractor hired to fortify the US Office of Personnel Management's (OPM) systems suddenly quit partway through the job.

The joint study, conducted in March by cyber-security education and certification institution (ISC)2 and the professional services firm KPMG, sought the opinions of 54 cyber executives in the US federal government, either working as agency employees or contractors. 

“The State of Cybersecurity from the Federal Cyber Executive Perspective” research report found that 40 percent of respondents said that their agency's incident response plan was not effective in responding to cyber-attacks, even after the OPM data breach in June 2015 that exposed 21.5 million records and prompted calls for sweeping IT security reforms.

Moreover, 52 percent of respondents opined that that the Cyber Sprint mechanisms put in place by federal CIO Tony Scott – intended to rapidly implement several high-priority cyber-security procedures in the wake of the OPM breach – did not improve the overall security of federal information systems. 

Perhaps worse, 25 percent of respondents said their agency made no changes following the breach (although 35 percent said the breach resulted in a greater emphasis on various preventative measures, such as multi-factor authentication).

The findings appear to jibe with reports earlier this month that Imperatis Corporation, a third-party contractor hired to harden OPM's cyber defenses, abandoned the project. According to a report by Nextgov, the OPM claims that Imperatis employees stopped showing up to work in May, effectively ceasing operations on the company's $20 million contract due to “financial distress.” 

OPM spokesman Sam Schumach also said in the article that the setback would have “very little impact on current OPM operations,” considering the contract was slated to end in June anyway.

In an update to the story, Imperatis responded to Nextgov, issuing a statement that read: “The company is confident that as and when the full facts are publicly available, they will completely contradict the mischaracterisation of the company's performance being reported at this time.”

Other findings from the (ISC)2 report that looked beyond just the OPM breach were similarly discouraging. For instance, 59 percent of respondents agreed that their particular agency struggles to understand how attackers could potentially breach their systems, while 40 percent said their agencies were not fully aware of the location of key assets that hackers might steal, corrupt or hijack. And 60 percent disagreed with the notion that the federal government as a whole currently has the capability to detect ongoing cyber-attacks.

Dan Waddell, CISSP and managing director of (ISC)2's North American region, told SCMagazine.com that government cyber executives are clearly worried that “adversaries are moving at light speed, and because the government is still very bureaucratic, and filled with processes and red tape… a lot of times they just can't keep up with the attacks.”

Chief among the causes that respondents blamed for government agencies' lack of advancement in cyber-security was insufficient funding (65 percent), followed by a lack of accountability (48 percent) and lack of understanding (48 percent). 

Regarding the dearth of funding, Waddell was cautiously optimistic that after the presidential election, Congress will “give security folks some authority to make [cyber-security] decisions and divert resources toward that.”

Non-IT employees also present a threat because they don't necessarily see cyber-security compliance and best practices as their personal responsibility. Indeed, 42 percent of respondents said that people are currently the biggest vulnerability to cyber-attacks. And while 91 percent of survey takers said their IT departments considered cyber-security to be an important or very important priority, the numbers were far less optimistic when addressing other departments (56 percent for HR, 56 percent for purchasing and procurement and 41 percent for public relations).

“There needs to be fundamental shift in how they [agencies] train all users within the agency that cyber-security is part of everyone's job. Until we do that, we're still going to see agencies struggle to cope,” said Waddell. “Breaches are going to happen, but if everyone is on board, we're going to minimise a lot of damage and a lot of that risk.”

In addition to better training, the report also recommends that agencies upgrade their malware detection software from traditional signature-based solutions to predictive, behaviour-based solutions.

Waddell said that moving forward, the key is practicing sound cyber hygiene, all year round, as opposed to reacting after the fact, as with the OPM breach. 

“If you're only going to the doc when something goes wrong, you're not practicing basic hygiene,” said Waddell. And he added, that doctor visit “is going to be very painful”.