4/13/2018
10:30 AM
Marc Wilczek
Commentary

Federal Agency Data Under Siege

Seventy-one percent of IT security professionals in US federal agencies have reported breaches in their organizations.

The US government continues to grapple with the same cybersecurity challenges faced by most organizations, but it has a different set of hurdles to overcome than its private-sector counterparts. As a result, federal agencies are experiencing more data breaches than other industry sectors. Despite skyrocketing IT security spending, successful attacks are escalating across the board. Federal agencies in particular are weathering a perfect storm around data that puts agency secrets — and the personal data of over 330 million American citizens — at risk.

According to Thales' 2018 Data Threat Report—Federal Government Edition, 57% of federal respondents reported data breaches, a threefold increase over the 18% recorded back in 2016. As many as 12% experienced multiple breaches in 2017 and in previous years.

Many agencies are in a difficult position. Federal agencies must protect sensitive data and thwart both bad guys hunting for citizens' private data and nation-state hackers with their own agendas, in addition to grappling with perennial underfunding, understaffing, and antiquated systems that commercial enterprises tossed into the dumpster years ago. At the same time, they need to make government more accessible and transparent via digital transformation, which inevitably exposes them to more cyber threats.

But these factors don't completely explain the growing numbers of breaches at federal agencies.

Catching Up with the Private Sector
Despite these troubles, agency IT security professionals are trying to stay positive, partly because spending is sharply increasing this year. "Like most other sectors, data security spending plans in the US federal sector are up compared to last year — way up," says Garrett Bekker, 451 Research's principal analyst for information security, as highlighted in the Thales report. "Perhaps more importantly, for the first time, the US federal government ranks the highest of any US vertical in terms of spending increase plans — more than nine out of 10 (93%) plan to increase security spending in 2018."

In fact, a staggering 73% of federal agencies say their IT security spending will be much higher in 2018, according to the report. This comes after several years of IT security spending well below that of commercial enterprises.

"The bad news is that reports by US federal respondents of successful breaches last year (57%) are far ahead of the global average (36%), and also the global federal sector (26%). Further, 70% of US federal respondents say their agencies were breached at some point in the past," says Bekker.

Digital Transformation Compounds the Problem
As in the private sector, digital transformation is a big cause of the data threats plaguing federal agencies. According to the report, an increasing number of federal agencies are adopting cloud services, with many operating multi-cloud environments at rates that outstrip even those in the private sector. A staggering 45% of federal agencies use five or more infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) providers, as opposed to just 20% in the private sector. Nearly half (48%) of federal agencies use more than 100 software-as-a-service (SaaS) applications, where data is harder to control, versus the global average of 22%.

However, a paltry 23% of federal agencies use encryption in the cloud — and in more than a third of all cases where encryption is applied (34%), the encryption keys are in the hands of the cloud provider. "US and global federal show preference for allowing cloud providers to control encryption keys," says Bekker. "This is a potential problem since they don't really have full control over their data if they don't control the keys."

Strengthening Cyber Resilience
To keep the government's digital initiatives alive and strengthen cyber resilience, agencies report — at rates of 77% or higher — that they will be implementing, or are planning to implement, better encryption technologies to protect sensitive data. This includes data masking (89%), database and file encryption (88%), encryption in the cloud (84%), and application layer encryption (77%).

However, each IaaS and PaaS deployment and environment needs a specific data security plan, enforced by policy, operational methods, and tools. Agencies clearly recognize the need for action, but they must rethink their priorities. Case in point: data-in-motion and data-at-rest defenses are ranked equally at 78% and 77%, respectively, as the most effective tools for protecting data, according to the report. Unfortunately, this isn't where IT security spending is being directed. In fact, data-at-rest defenses — which are the most effective at protecting large data stores — are seeing the lowest spending increases, at only 19%, while endpoint and mobile defenses are garnering the biggest increases (56%). 

Says Bekker: "The largest amount of respondents plan to increase spending on endpoint and mobile devices, despite ranking endpoint and mobile devices as least effective at protecting sensitive federal data — a major disconnect."

Governments must rethink their priorities. The adoption of digital technology (cloud, Internet of Things, big data, mobile payments, etc.) requires new approaches to protecting citizen data, government secrets, and other sensitive information. In the digital world, there is no room for breaches, outages, or even service interruptions. Customers expect an instant, seamless, and hassle-free user experience. In times of digitalization, the competition is just one click away, and even reduced availability can cause financial harm.

Besides using encryption technology, firewalls, and intrusion-detection systems, a distributed denial-of-service (DDoS) mitigation solution can help prevent service outages. Especially with the IoT gaining maturity and billions of devices being connected, the threat landscape is evolving fast. Technologies such as artificial intelligence pose an additional threat for organizations, as they can be used maliciously to boost cyberattacks such as DDoS attacks.

Thus, it's essential for federal agencies to constantly review their cyber capabilities and make further adjustments, if and where necessary. Relying on traditional security solutions such as on-premises solutions is simply not sufficient considering the rapid change of technologies in the course of the digital revolution.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...