How Federal Agencies Might Improve their Poor Cybersecurity Posture

Photo: LagartoFilm

Hillary Clinton may have dodged an indictment when the FBI announced it would not recommend criminal charges against her for using a private email server while Secretary of State, but the State Department itself took a hit on account of its overall security culture.

During the FBI announcement last week on the Clinton email probe, FBI Director James Comey faulted the State Department for “generally lacking in the kind of care for classified information that is found elsewhere in the U.S. government.”

The State Department’s inspector general in May heavily criticized Clinton’s email practices and critiqued the organization at large, writing in its report that the department, and the office of the Secretary in particular, have been “slow to recognize and to manage effectively the legal requirements and cybersecurity risks associated with electronic data communications, particularly as those risks pertain to its most senior leadership.”

The department has been plagued by “longstanding, systemic weaknesses related to electronic records and communications,” the report concluded.

While the State Department is particularly notable for its cybersecurity problems, the federal government overall is doing poorly. Just think back a year ago, when the Office of Personnel Management (OPM) announced it had been the target of a massive data breach resulting in the theft of millions of people’s personal information.

The private sector has been watching how the government is faring in the security arena — and two of the top cybersecurity companies have advice ready for departments looking to improve their cybersecurity posture.

“Most government agencies experience fundamental issues with their security postures, but there is a maturity curve, per se, in the severity of these issues,” Ken Durbin, federal programs strategist at Symantec, said. “Agency hierarchies can make it difficult for leadership to get an accurate view of the hardware and software assets residing in their environments. If agencies don’t know what’s on their network, they don’t know how to – and can’t – protect it.”

An analysis released in April from SecurityScorecard, a startup monitoring cybersecurity strength of companies, found that U.S. federal, state, and local government agencies ranked in last place in cybersecurity compared to 17 private industries, such as transportation, retail, and healthcare.

The federal organization with the strongest security posture was the United States Bureau of Reclamation, followed by the Architect of the Capitol, the CIA, the Federal Trade Commission, and the National Science Foundation.

The State Department finds itself near the bottom of the cybersecurity barrel. The government agency with the weakest security posture was NASA, according to SecurityScorecard, followed by the State Department, the National Oceanic Atmosphere Administration, the Treasury Department, and the Fish and Wildlife Service. And SecurityScorecard’s most recent rating of the State Department gives it a grade of ‘D,’ according to Alexander Heid, chief research officer at SecurityScorecard.

“State.gov has hits on most categories of externally visible issues of concern, such as observed malware infections, insecure network communication protocols, outdated encryption protocols and leaked credentials observed circulating within the hacker underground,” he wrote in an email. “An active defacement was also observed indexed on public search engines, whereby a hacking crew has ‘tagged’ their handles on a state.gov subdomain.”

How can government agencies boost their cyber security posture? The Cipher Brief reached out to top firms Intel Security and Symantec to see what advice they could offer to the public sector to potentially strengthen cybersecurity.

Make data the centerpiece of cybersecurity

Intel Security’s chief technical strategist Scott Montgomery said the Clinton email server issue in particular points to the importance of having a data-centric security strategy. The key questions each agency should be asking are: What is really the most important data to protect? And how can it be ensured that if there is a breach, hackers will find information that is worthless to them?

“If you think about organizations that have sensitive or classified data, and you think about the way we transmit and receive data and how that’s changed over the last couple of years, people need to become a lot more data centric in their thinking and planning,” he said. “The value of the data doesn’t change just because you’re using a different kind of server or a different kind of transport mechanism or a different kind of client — the data’s the data.”

Government agencies need to rethink data, he said, and that includes identifying what data is key and thinking about the longevity of its importance.

For example, Montgomery said, consider the activities of a brigade overnight — “that might be extremely important today, tonight, but a month from now, it probably doesn’t have the same value as what it’s doing” at that very moment. But organizations, government or otherwise, “keep everything forever and try to protect it that way, and that’s not natural,” he said.

“I think not just government, but all organizations should be focusing on what data is valuable, how long is it valuable, and if it falls into the wrong hands, what are my protections about detecting that and protecting against that,” Montgomery, who used to serve as the company’s federal chief technology officer, added.

Focus on talent & increasing efficiency

By 2019, there will likely be a major workplace shortfall in the cybersecurity workforce, according to a study last year —Frost & Sullivan projects  the shortage will reach 1.5 million worldwide by that year. And the U.S. government will certainly feel the pain.

“What this creates in both government and nongovernment organizations is this specific demand for both automation and preserving talent,” Montgomery said. “There’s a lot of transition in the labor force and in order for orgs to survive, they have to retain talent and have to automate more tasks. Because even if they can retain, practitioners are saying we don’t have enough people, and it’s going to get worse before it gets better.”

That means a dual focus on both retaining cybersecurity talent — always a struggle for the public sector — and increasing the emphasis on automating more tasks, Montgomery said. “Any organization that is not focusing on increasing their efficiency in security operations is making bad decisions,” he said.

Government agencies, in the face of hackers and state sponsored adversaries, must focus on the efficiency challenge. There’s no question that’s a difficult task, given the number of things that must be protected, from mobile to the cloud to the internet of things, and Montgomery said that “organizations need to double down in becoming as efficient as they can.”

Durbin also emphasized the importance of recruiting and maintaining top talent, noting it is a “struggle” for the government.

“Federal agencies require the best of the best and often find that top talent jumps ship within a couple of years to the private sector, so it’s important for them to find ways to compete with the private sector and keep employees on board,” he said.

The White House on Tuesday announced measures to tackle that very issue, releasing its first-ever Federal Cybersecurity Workforce Strategy to help recruit, retain, and develop talent. In a blog post touting the new strategy, the White House also said it is “committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017.”

Learn to share

Agencies often fail to consistently share security information with each other — something the private sector is much more adept at doing, Durbin said.

“Companies in the manufacturing and healthcare industries, for example, share threat information and learn from each other when it comes to cybersecurity incidents,” he pointed out.

The lack of sharing information is a major problem for federal agencies looking to boost their cybersecurity posture.

“Many departments don’t consistently share security information, and agencies still struggle to merge and correlate that data,” Durbin said. “It isn’t a matter of if, but when an incident occurs — so it’s imperative for agencies to have an accurate picture of their networks and data so they can put a detailed plan in place and know how to react once the worst happens.”

Don’t get lost in the cloud

“The use of the word cloud has become sort of a panacea that covers everything,” Montgomery said. “And cloud is a wonderful technology — if you’re using it to solve a problem the cloud can solve.”

So what is the cloud, other than a tech buzzword? It’s a network of computers that store and process data remotely, sharing resources to allow more efficiency.

Some departments may well benefit from the cloud, Montgomery pointed out, particularly if they do a lot of number crunching. Then the cloud is the “perfect application,” able to help with that task without needing to purchase more computers, he said. The question for many in government, however, is whether the cloud would allow the same level of regulatory compliance as would occur in their own data center.

“The answer is I don’t know,” Montgomery said. “But until you know as an organization you can meet your compliance with a lower cost, don’t go. Find out first you can reduce your overall cost and can get the same level of service agreements from a third party as from your own internal team.”

Some good news for government?

“I hesitate to say an agency is doing poorly with cybersecurity, because it often is not in their control,” Durbin said. “Funding issues plague everyone and greatly affect an agency’s ability to handle cybersecurity the right way.”

But there are things the federal government is already doing right, according to the private sector. Take the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which Durbin noted “raises the baseline of cybersecurity protections across agencies and facilitates the move to ongoing authorization” and Montgomery said has helped promote the idea that “we need to be vigilant all of the time.”

“I think Homeland really got it right, and I see organizations all across the board utilizing it,” Montgomery added.

The Office of Management and Budget (OMB), for instance, has made strides with its move to ongoing authorization. The process, which requires agencies to re-authorize their networks every 72 hours instead of every one to three years, “takes a big step away from the traditional culture of compliance and toward more effective continuous monitoring,” Durbin noted.

Government agencies are beset by problems with budgets, procurement, a slow moving bureaucracy, and the existence of antiquated legacy systems — things the private sector often does not have to deal with. However, those on the other side say government still has much it could learn from the private sector.

According to Heid, the scores of SecurityScorecard “are ever changing, however the government vertical as a whole still has a long way to go to match the information security postures of private sector enterprises.”

To improve cybersecurity, agencies need to focus on the fundamentals when it comes to knowing what is happening on their networks — and zero in on what is most crucial to protect, Durbin said.

“Private sector organizations are typically more agile, and can react more quickly to the changing threat landscape,” Durbin said. “They are more likely to take a chance on newer, cutting-edge technology and deploy that technology to reap the benefits.”