In today’s increasingly-connected digital age, almost every industry struggles with cybersecurity. While massive breaches of mega corporations attract headline news, the U.S. government unfortunately has its own share of vulnerabilities in cyberspace.
In the wake of Russian interference during the 2016 U.S. elections and the breach of the Office of Personnel Management (OPM) in 2015, it is painfully obvious that the federal government — all levels of government, really — need to enhance their focus on cybersecurity.
Today, sophisticated attacks exploit vulnerabilities to steal information and money, and hackers are developing capabilities to disrupt, destroy or threaten the delivery of essential government services. Because government agencies are often responsible for protecting the personally identifiable information of millions of Americans, they serve as tantalizing targets for hackers, bad actors, and nation-states seeking to to damage.
According to the U.S. Department of Homeland Security in its newly published cybersecurity strategy released earlier this year, cyber incidents reported to the DHS by federal agencies increased more than tenfold between 2006 and 2015, culminating in the 2015 OPM breach that compromised personal data of 4 million employees and 22 million people overall.
Despite the fact that incidents are on the rise, government agencies continue to struggle to secure their most sensitive data. And while the Trump administration passed an executive order centered around cybersecurity in May, it also eliminated its top two cybersecurity policy and management leadership roles, including one that specifically oversaw federal government cybersecurity.
Reinforcing the need for an increased focus on cybersecurity by government agencies, a recent report issued by the White House’s Office of Management and Budget, 74 percent of the 96 federal agencies assessed are deemed either “At Risk” or “High Risk,” meaning that they need crucial and immediate improvements when it comes to cybersecurity.
Worse yet, in addition to so many agencies being vulnerable, more than half of them lack even the ability to determine what software runs on their systems, and only one in four agencies could confirm that they even have the capability to detect and investigate signs of a data breach, which means the vast majority are essentially operating in the dark.
Maybe most problematic of all, in 38 percent of government cybersecurity incidents, the relevant agency is never able to identify the “attack vector,” meaning it never learns how a hacker carried an attack out. If government agencies aren’t able to mitigate the gaps in their security, attackers will continue exploiting the vulnerability.
Likely the most sizable and significant issue facing government agencies is the use of legacy technology systems. Some agencies are using five different versions of Windows that date back 10 years and are running multiple versions of third-party applications like Java and Flash. Managing all of that risk without simplification and standardization becomes next to impossible — there aren’t enough qualified security pros in the world.
While any software is prone to technical vulnerabilities, thousands of software vulnerabilities are discovered and reported every year, meaning that the older the system is, the more likely it is to have unmatched vulnerabilities. The government’s ongoing use of outdated legacy systems — mainly due to long procurement processes and budget constraints — increases the importance of staying up to date with patch management.
In fact, following the WannaCry ransomware attack that disabled hundreds of thousands of computers in 150 countries, U.S. Senator Mark Warner issued a press release pressing federal agencies on patch management. Unfortunately, in spite of the rise of malicious code targeting known vulnerabilities on unpatched systems and the resultant negative effects incurred, government agencies still struggle with patch management.
In the end, our daily lives, our nation’s economic vitality and our national security all depend on a stable, safe and resilient cyberspace. However, without responsible leadership coming from the top of each agency and from the White House, many people doubt the possibility that big changes will be made in the near future. The U.S. government should continue to focus on securing its own network while working with the private sector and international communities to better protect itself and millions of Americans from harmful cyber attacks.
Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.