Protecting your own PC and smartphone from hackers is challenging, but the job of protecting the critical systems used by federal agencies to run the country is on a scale so big, few can comprehend it. Additionally, despite the provision of increased budgets and resources, governments are still playing catch up as hackers remain one step ahead in the cyber race. Maintaining federal security is expensive and slow to show definitive results for the vast sums of money being invested in trying to protect this critical national infrastructure.
Last February, the White House requested $19 billion to federally fund cybersecurity measures in 2017. That is a $5 billion — or 36 percent increase — over the $14 billion requested for 2016, an indication of the challenge government agencies face in protecting their systems from hackers.
A report from Market Research Media highlights just how much the U.S. government is spending on this area: “The annual cybersecurity spending of the U.S. Federal government is bigger than any national cybersecurity market, exceeding at least twofold the largest cybersecurity spending countries.” The report says that the U.S. federal cybersecurity market will grow steadily at about 6.2 percent between 2015 and 2020.
It is hardly surprising to see attacks against government agencies on the increase, given the critical nature of the systems involved and the scale of data they collect. From the top-secret IP stored by the Department of Defense (DoD) to the highly personal data stored by the Office of Personnel Management (OPM) and the sensitive information held by the Department of Homeland Security (DHS), it all adds up to make the government a big target for hackers today.
A Challenging Landscape
The challenge for those tasked with protecting these systems is that the adversaries they face are a diverse group of people. The term “hacker” includes everyone from the script kiddie trying to show off to his friends by defacing a government website, to nation-state cyber armies that are seeking to gain a foothold inside government systems.
Protecting systems against such a diverse range of cyber risks can be a daunting task — especially given the vast scale of the federal agencies’ systems that need to be maintained.
The new administration in the White House will have to come to terms with the fact that the volume and sophistication of attacks is going to continue to increase; and it will have to find more cost-effective ways of protecting their systems, as increasing the cybersecurity budget at the pace it has been happening in recent years is simply not sustainable.
According to the 2016 Federal Information Security Modernization Act, there was a 10 percent increase of cybersecurity incidents between 2014 and 2015. As more of our lives are conducted online, the attack surface for hackers is getting bigger, meaning federal agencies will see this uptick in incidents continue.
In recent years, we have seen numerous high-profile attacks against government agencies, but the types of attacks have not been uniform. Nation state-backed hackers have the resources to build and deploy malware crafted specifically for the task of breaking into federal systems, allowing them to remain undetected for long periods of time. At the other end of the scale, a single, well-crafted phishing email can be used to infiltrate any system by targeting one of the thousands of federal employees who may not recognize the attack.
These attacks highlight the problem that simply buying technology to protect your systems is not enough, as the weakest link in the chain is often the human one, and therefore education of employees is just as important as technology when it comes to protecting the data that federal agencies hold.
Some recent government initiatives show that attitudes within federal agencies are changing. The Department of Defense recently held Hack the Pentagon and Hack the Army programs which invited ethical hackers to try to find vulnerabilities in their systems. Last September the White House appointed the first ever Chief Information Security Officer (CISO), who is charged with driving policy and implementation of leading cyber-practices across federal agencies.
Last year, the White House announced the Cybersecurity National Action Plan (CNAP) which set out to overhaul federal security. The plan included the setting up of a fund to train new cybersecurity professionals; and the establishment of a Commission on Enhancing National Cybersecurity, which would draw on the experience and expertise of thought leaders from the private sector to help steer government policy.
Using cost-effective techniques and industry best practices will help agencies limit the government’s cyber risks, but with the number of hackers trying to breach their systems growing, federal agencies are likely to be playing catch-up for some time.
As government increases mobility, agencies need a mobile security platform to separate and protect data.