An analysis conducted by SecurityScorecard found that, as an industry in the US, government ranked 16th of 18 in terms of cyber security, ahead of only telecoms and education. Imagine that – government cyber security was worse than the healthcare industry, with its own spree of compromised data.
On a slightly positive note, this is an improvement for government compared to 2016, when it ranked dead last in the survey. A United States Office of Personnel Management (OPM) audit released at the end of fiscal year 2016 also found serious problems across a broad range of issues.
This is the same OPM that was the victim of a breach that may have affected 21.5 million records. Notable attacks on government bodies in 2017 included the ransomware attacks on the Pennsylvania State Senate Democrats and on smaller government bodies, such as the Richmond, Indiana housing authority.
The SecurityScorecard analysis included 552 government bodies, across local, state and federal levels, and found several clear areas of deficiency that could compound to create a substantial cyber risk. These included updates, patching, endpoint protection, and more, but we’ve included some key areas below that caught our eye.
Cyber Security is on the Overdue List
In the 2016 report, the OPM reported that of its “46 major information systems, 43 have POA&M (Plan of Actions & Milestones) items that are greater than 120 days overdue. Furthermore, 85 percent of open POA&Ms are over 30 days overdue, and over 78 percent are over 120 days overdue.”
If government is slow even by its own measures of effectiveness, it shouldn’t come as a surprise that its ability to respond to fast-moving security threats is limited – particularly in an environment where limited knowledge and resources are available to address the developing and fast-growing threats that are out there.
The report reveals that budgets are a challenge at every level of government, and perhaps the biggest obstacle to better procurement for cyber security is that so few interest groups vote on the basis of improving cyber security, with economic, social and moral issues often driving the decision-making. Local governments would be helped by receiving more funding from state and federal agencies to procure cyber security solutions (this does look to be a possibility). The cost effectiveness of many solutions on the market today, along with their ease of implementation, could definitely help government cyber security become more efficient.
Moving to the Cloud
Of the top 10 concerns for State CIOs for 2018, number 2 is cloud services. This includes devices, networks, strategy, deployments, management and more. This is a concern for many organizations, but it’s especially pronounced in government, which has long been reliant on antiquated on-premises systems (one need not bring up the fact that ICBM launch sites are using 70s-era floppy disks).
As government systems gradually follow the private sector in moving to the cloud, they become massive targets for fraud and breaches, and need security orders of magnitude stronger than what is required in comparable private institutions.
System Updates and Patch Management
With the biggest headline-grabbing attacks often being enabled by poor system update practices and patch management (Equifax comes to mind…), government is particularly vulnerable where multiple contractors or vendors may be involved through Request-for-Proposal-driven processes that make accountability and consistency complex to manage. Integrated cloud services may make this easier, but fundamentally government is a complex system, which makes systems maintenance more difficult to manage.
In the OPM’s own systems, it was also found that 17 of 45 contingency plans had not been reviewed in the past year. “Only 2 of OPM’s 46 major information systems were subject to an adequate contingency plan test in FY 2016. Furthermore, 9 of the 46 major systems have not been tested at all since 2014.” While perhaps not all government systems are in such a state of neglect, one can imagine that this is a widespread issue.
Shortage in Qualified IT Personnel
It can be hard to acquire the right talent, especially at local levels. As part of the Cyber Resiliency Act, there would be money granted to address talent gaps in the State government cybersecurity workforce. This is key. It is unclear to what extent this would work for counties, but the need is definitely there, even if there is a shortage of cyber security talent throughout all industries.
Moving Towards Solutions
There are positives overall. By late 2016, NASCIO was reporting improvements in awareness, increases in funding, and that the CISO was becoming a more integrated role in government institutions.
Ultimately, government cyber security is critical given the volume and sensitivity of the data and records it holds compared to what the average business needs to protect.
The State Cyber Resiliency Act would take care of many of the issues that governments are facing, especially on the most local levels. The plan would provide the resources these government bodies need to protect critical data and networks and fill talent gaps. The National Association of Counties “urges Congress to work in a bipartisan, bicameral manner to pass H.R. 1344/S. 516 and support America’s counties as we work to improve our cybersecurity capabilities.”
Clearly a bipartisan issue, it’s also something that would be a boon for the cyber security industry, ultimately enabling more R&D and better security and products in the long run.
Late in 2017, the Cybersecurity and Infrastructure Security Agency (CISA) was established under the DHS umbrella. This is another step in the right direction, showing that the federal government is taking baby steps of its own before local governments can fully follow suit.
- Check out NASCIO, with a mission to “foster government excellence through quality business practices, information management, and technology policy.”
- Read the full text of the State Cyber Resiliency Act
- A slightly older but interesting report on the State of Cybersecurity in Local, State & Federal Government
- Have a look at how “US Federal Agencies Using the DMARC Standard”