Photo Credit: Director of National Intelligence - National Intelligence Strategy

The US government will apparently need to get a handle on the same cybersecurity issues it grappled with in 2018, as subpar performance is expected at some agencies for years to come.

State-sponsored espionage, insider threats, securing infrastructure and supply chains, and increases in cybercrime and its cost are among the top issues the government has to come to terms with. Other challenges for the government include picking better passwords, staying on top of patch management, and cybersecurity awareness training.

Late last year, the Government Accountability Office (GAO) released a report demonstrating how poorly 23 federal civilian agencies performed in securing their systems.

What the GAO Found

"The 23 civilian agencies covered by the Chief Financial Officers Act of 1990 (CFO Act) have often not effectively implemented the federal government's approach and strategy for securing information systems. Until agencies more effectively implement the government's approach and strategy, federal systems will remain at risk. To illustrate:

  • As required by Office of Management and Budget (OMB), inspectors general (IGs) evaluated the maturity of their agencies' information security programs using performance measures associated with the five core security functions: identify, protect, detect, respond, and recover. The IGs at 17 of the 23 agencies reported that their agencies' programs were not effectively implemented.
  • IGs also evaluated information security controls as part of the annual audit of their agencies' financial statements, identifying material weaknesses or significant deficiencies in internal controls for financial reporting at 17 of the 23 civilian CFO Act agencies.
  • Chief information officers (CIOs) for 17 of the 23 agencies reported not meeting all elements of the government's cybersecurity cross-agency priority goal. The goal was intended to improve cybersecurity performance through, among other things, maintaining ongoing awareness of information security, vulnerabilities, and threats; and implementing technologies and processes that reduce malware risk.
  • Executive Order 13800 directed OMB, in coordination with the Department of Homeland Security (DHS), to assess and report on the sufficiency and appropriateness of federal agencies' processes for managing cybersecurity risks. Using performance measures for each of the five core security functions, OMB determined that 13 of the 23 agencies were managing overall enterprise risks, while the other 10 agencies were at risk. In assessing agency risk by core security function, OMB identified a few agencies to be at high risk."

Emerging Threats Report by Norton

The United States is projected to account for half of breached data by 2023, according to a report by Norton. Other findings:

  • Mobile malware is on the rise.

  • Most mobile malware is hosted by third-party app stores.

  • Identity theft impacts 60 million Americans.

  • The United States is the number one target for targeted attacks by state-sponsored (and a few private) groups.

President Trump's budget for fiscal year 2019 allocates $15 billion for cybersecurity. The Department of Defense (DOD) receives the largest allotment of almost $8.5 billion.

The Pentagon & The Intelligence Community

Earlier this month, Bleeping Computer reported on an annual audit of the DOD performed by the Defense Department Inspector General. The findings were published in a lengthy and heavily redacted report on January 9, 2019.

The article states that, “according to the Office of Inspector General, the Department of Defense is still lacking when it comes to the speed of addressing cybersecurity recommendations designed to reduce such risks affecting the Pentagon's network, 266 different unresolved such issues dating as far as 2008 being discovered during the audit.”

The article goes on to point out that in a report regarding the Audit of the DoD FY 2018 Financial Statements, the DoD OIG report states that, "across multiple DoD Components, auditors found significant control deficiencies regarding IT systems."

The future of cybersecurity looks similarly bleak for the US intelligence community. “Nearly all information, communication networks, and systems will be at risk for years to come,” the 2019 National Intelligence Strategy states. Released on Jan. 22 by the Office of the Director of National Intelligence, the National Intelligence Strategy is a charted course for the US intelligence community to follow.

According to the strategy, “as the cyber capabilities of our adversaries grow, they will pose increasing threats to U.S. security, including critical infrastructure, public health and safety, economic prosperity, and stability.” China, Iran, Russia and North Korea are cited as the largest nation-state threats to the US. “Our adversaries are increasingly leveraging rapid advances in technology to pose new and evolving threats—particularly in the realm of space, cyberspace, computing, and other emerging, disruptive technologies.”

In some cases, budgetary issues are an obstacle to bringing government agencies into compliance. Training is also often an issue. In bringing the intelligence community into compliance, addressing the workforce gap is critical because the intelligence community “must attract and retain the right, trusted, agile workforce that possesses skills such as the critical analytic, scientific, technological, engineering, math, cyber, and foreign language skills required to support current and future mission challenges.”
