One year after OPM breach, cyber execs see little improvement
- By Derek Major
- May 19, 2016
After last year’s data breach at the Office of Personnel Management, many believed it would compel agencies to take security seriously.
That seemed to be the case, as federal CIO Tony Scott mandated a 30-day cyber sprint that assessed the security of federal civilian and military IT networks and called for agency CIOs to take immediate and specific actions to further secure their systems and data.
However, research conducted by (ISC)², a not-for-profit company specializing in IT education and professional development, revealed that 52 percent of government executives and contractors surveyed do not believe the exercise improved the overall security of federal information systems.
Additionally, the report showed nearly 60 percent of respondents believe their agency currently struggles to understand how cyberattackers can breach agency systems, with 40 percent indicating they were not aware of where key assets are located. This indicates that network boundaries may be changing faster than executives realize, the report said.
That really stood out to Dan Waddell, the managing director of the North American district for (ISC)2, who said those two findings are related. “If you’re failing to understand how you’re attacked, a lot of that is due to not knowing where all of the assets are,” he said. “These are the types of thing the government needs to solve quickly.”
More than a year after the breach, 65 percent disagreed that the federal government as a whole is capable of detecting ongoing cyberattacks, and 25 percent of respondents said their agency did not make any changes in response to the OPM breach. Forty percent of respondents believe their agency’s incident response plan is not effective.
And 42 percent of the federal executives surveyed said that people are currently their agency’s greatest vulnerability to cyberattacks.
“If you look at some of the breaches that have occurred, these are not highly complex issues,” said Tony Hubbard, who leads the cybersecurity practice for the federal government at KPMG, the survey’s research sponsor. “Whether it's someone clicking on a link introducing malware or taking a router or a device out of the box and not changing the password -- these aren’t technology issues, these are people issues.”
Hubbard said that part of the problem is that agency components that do not deal with cybersecurity issues every day don’t take it seriously.
“According to the survey, human resources still does not really get the fact that cybersecurity is really important, so we’re missing a really important stakeholder,” Hubbard said. “If we can get HR to really embrace the fact that cybersecurity is everyone’s job, then we’re really going to see some of that benefit and inspire change.”
Both Waddell and Hubbard agreed that improving security amid budgetary constraints, outdated technology and federal regulations will be difficult, and that change will not happen overnight.
“Even if there was a silver bullet out there,” getting technology in place quickly “would be a challenge, and that’s something that the federal government is continuing to deal with,” Hubbard said. “It could take months from beginning to end.”
The (ISC)2 report is based on information gathered through an online survey and personal interviews with 54 targeted, seasoned cyber executives working for federal agencies in defense, civilian and intelligence agencies as well as contractors and consultants.
The full report can be downloaded here.
Derek Major is a former reporter for GCN.