Employees Give Federal Cybersecurity Low Marks - Miles Jennings

Written by Miles Jennings | May 18, 2015 9:21:53 AM

How bad is cybersecurity at the federal government? Nearly half of 1,800 federal employees surveyed said the government is getting no return on its ramped-up investment.

Dan Waddell, a director of government affairs for the consortium, said the results are somewhat predictable yet startling. He added, “When we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation’s overall security posture, our hope was to see an obvious step forward. The data shows that, in fact, we have taken a step back.”

A consortium press release showed:

  • Nearly half of respondents say that security has not improved over the last two years, while 17 percent of respondents say their organization’s security posture is actually worse off – primarily due to an inability to keep pace with threats, a poor understanding of risk management, inadequate funding and not enough qualified professionals.
  • Despite significant efforts over the last two years, 58 percent of respondents are still not confident that legislators will provide new or adequate levels of funding to meet cybersecurity needs.
  • Threat response times have not changed in two years. More than half of survey respondents believe that their organization did not improve its security readiness, with response times lengthening. Application vulnerabilities and malware remain the top security threats and are increasing as a concern.
  • Although procurement and acquisition are cited as moments of great vulnerability, there remains very little focus on applying security during the supply chain process.
  • Despite the softening of hiring budgets and a decrease in barriers to entry, an increasing number of respondents say they do not have enough information security personnel to meet the demands of their mission, and that the workforce gap is hurting the organization and its customers.
  • There has been little return on the larger investment in National Institute of Standards and Technology’s Cybersecurity Framework. Just 15 percent of organizations outside of the federal government have implemented this Framework to date; and 45 percent say they don’t know if they’ll utilize it.
  • Cloud is still slow to take off despite the federal government’s CloudFirst initiatives. The Federal Risk and Authorization Management Program (FedRAMP), in particular, is having less of an impact than was anticipated in advancing cloud migration, with 64 percent of respondents not knowing if it is having any impact.

Waddell says there are some encouraging signs. Salaries have improved by 4 percent since 2013, which could help attract more people to the federal government. But he added that more needs to be done to improve the investment in cybersecurity. “Given the significant demand for skilled professionals, training and education are areas of investment that can lead to significantly higher returns and help to both attract and retain cybersecurity professionals,” he said.

Separately from the survey, the U.S. Navy has made a 5-year commitment to improving its fight against cyber threats. According to FierceGovernmentIT.com, the Navy’s five-year cyber strategy plan is designed to address the rising threat to military networks and, perhaps, position the military branch as a more offensive force in cyberspace.

The latter part of the paragraph is the most important. Typically the federal government is seen as slowly reactive, as the rest of this article demonstrates. An active offensive, to use a sports analogy, would be the best defensive move.

A Navy press release said the plan has five strategic goals:

  • operate the network as a warfighting platform,
  • conduct tailored signals intelligence,
  • deliver warfighting effects through cyberspace,
  • create shared cyber situational awareness, and
  • establish and mature the Navy’s Cyber Mission Force.

Vice Adm. Jan E. Tighe, commander of the US Tenth Fleet, said, “A lot of work had been done since our inception in 2010 and the world has changed – gotten a lot more dangerous. The cyberspace domain is changing on a daily basis. First and foremost [the plan is] a way to organize our mission and to begin to measure if we’re making sufficient progress in each of our goal areas.”

The press release added that all-domain access, and specifically ensuring access to space, cyberspace and the electromagnetic spectrum, is a key element in how the Tenth Fleet fits into the overall Navy plan, and that it builds on the overall Information Dominance Strategy. Information Dominance is defined as the operational advantage gained from fully integrating the Navy’s information functions, capabilities, and resources to optimize decision making and maximize warfighting effects. The three pillars of Information Dominance are assured command and control, battlespace awareness, and integrated fires.