Research Report: The Virtual Public Sector

Emerging cyber threats demand new thinking

Government agencies need a better approach to dealing with cybersecurity threats, and they know it.

A recent survey by the 1105 Government Information Group found that a broad range of potential threats worry agency officials and they’re aware of several weaknesses in responding to those threats.

The top threat, according to the survey, is information loss from data leakage or systems attacks, with 48 percent of respondents saying their agencies were very concerned about it. But at least 40 percent of respondents indicated their agencies were similarly concerned about four other threats. (See chart.)

Figure 1

Chart

All told, 61 percent of respondents agreed that the advance of cybersecurity threats was outpacing their agencies’ efforts to keep up, while only 13 percent disagreed.

These findings align with the conclusions of a report the Obama administration released earlier this year.

“The federal information security defensive posture is a constantly moving target, shifting due to a relentless, dynamic-threat environment, emerging technologies and new vulnerabilities,” administration officials wrote in the fiscal 2012 report to Congress on the implementation of the Federal Information Security Management Act of 2002.

Malware and spyware, which can infiltrate a user via e-mail or public websites, continue to be a pressing concern. The Obama administration reports that such malicious code is one of the most widely reported types of incidents across the government – and that agencies are actively taking measures to counter it.

But such measures must encompass more than technology. The administration is encouraging agencies to focus on improving their employees’ cybersecurity competencies to combat social engineering, phishing and insider threat attacks, the report states.

In a February report, auditors at the Government Accountability Office urged agencies to take an even broader view of cybersecurity. “Technologies do not work in isolation,” they wrote. “Cybersecurity solutions make use of people, process and technology.”

Despite those recommendations, government officials are not confident in agencies’ ability to execute holistic approaches to security, the 1105 Government Information Group survey found.

Although most respondents gave their own and other agencies good marks on developing security policies, by and large they gave low marks all around for implementing security solutions that incorporate people, processes and technology. (See chart.)

Figure 2

Chart

The survey also found that respondents were not confident about the quality of risk assessments being performed across government. That sentiment is echoed in the GAO report. Although agencies continue to make progress in many aspects of cybersecurity, they are regressing in the area of risk assessments, the study found.

In fiscal 2010, 13 of 24 inspectors general reported that their agencies were in compliance with risk management requirements. Only eight of 22 could do so in 2011.

But help is on the way. In late 2012, the Homeland Security Department announced plans to award blanket purchase agreements for continuous-monitoring tools in addition to a continuous-monitoring-as-a-service solution.

The Continuous Diagnostics and Mitigation program is intended to provide federal, state and local agencies with the ability to “improve their existing continuous network monitoring capabilities, correlate and analyze critical security-related information, and enhance risk-based decision-making at the agency and federal enterprise levels,” according to the request for quotes.

However, some experts say more needs to be done.

In March, SafeGov, a forum of information technology industry experts focused on promoting the use of trusted cloud solutions, proposed a new approach to assessing cybersecurity risks at federal agencies. The Organizational Cyber Risk Indicator was developed by aggregating the results of evaluations by FISMA’s inspector general from across government.

The report also recommends looking at the risk associated with specific information assets, rather than with the information systems themselves. The problem with the traditional system-centric model is that it does not account for security as information moves from one system to another.

“By shifting from a ‘systems’ approach to a more integrated and holistic ‘information’ perspective, agency leaders can better emphasize ‘data protection’ and address multiple policies and statutes including the Privacy Act and FISMA, among others,” the SafeGov report states.

Additionally, the report encourages agencies to look at risk in terms of an agency’s broader organizational priorities. Once they understand those priorities, cybersecurity officials can determine which information assets are associated with them. That will ensure that they invest their resources where they’re most needed.

-------------------------------------------------------------------------------------------------------------------------------------------------------

Methodology and survey demographics

Between May 28 and June 6, 2013, 186 subscribers of FCW, GCN and other 1105 Government Information Group publications responded to an e-mail survey about cybersecurity trends in government agencies. Survey respondents were comprised of those with insight into their agencies selection of cybersecurity strategies. Beacon Technology Partners developed the methodology, fielded the survey and compiled the results.

Approximately three out of four respondents were technology decision-makers (CIOs or other IT managers or professionals), while 24 percent were senior managers, program managers or other business decision-makers. Approximately 67 percent came from the federal government (33 percent civilian, 34 percent defense) and 33 percent from state or local government agencies.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at GIGCustomMedia@1105govinfo.com

 

ON-DEMAND WEBCAST
Cybersecurity Research Report: Agencies Battle Cyber Threats, Budget Cuts

View this on-demand webcast presentation to get an in-depth look on everything related to cybersecurity and how to stay ahead of the curve.