The State of U.S. Federal Cybersecurity in 2016
November 3, 2016
Featured article by Paul Curran, Application Security Community Specialist, Checkmarx
One malicious email can, and has, jeopardized the sensitive data of countless U.S. civilians. How? Federal agencies collect and store some of the most sensitive and highly classified data in the country. It ranges from top secret defense intellectual property at the Department of Defense (DoD) to the personnel records of current and former federal employees at the Office of Personnel Management (OPM) and the hypersensitive data held by the Department of Homeland Security (DHS). Yet according to the 2016 Federal Information Security Modernization Act (FISMA) annual report to Congress produced by the Office of Management and Budget (OMB), many of these agencies need to be doing much more to protect that data. For these agencies, cybersecurity should play a major role not only in day-to-day operations but also in future budgeting, planning, and staff education and training.
2016 has been a big year not only for major breaches targeting federal agencies, but also for some big strides forward in the way America is treating the future of cybersecurity. To get a better understanding of what cybersecurity in the federal government looks like today, from astronomical budgets to NASA hacks, let's take a look at what's going on in the field of federal cybersecurity.
Facts & Figures
First, let's look at the most recent reports on federal cybersecurity. According to OMB's 2016 FISMA annual report, cybersecurity incidents at federal agencies rose roughly 10 percent between fiscal years 2014 and 2015, from 69,851 to 77,183. Attacks against federal agencies are increasing as hackers and other malicious parties continue to gain access to sensitive federal information systems, networks and data.
On a positive note, the report indicates that all 24 Chief Financial Officers Act (CFO Act) agencies now report their high-value assets to OMB, and 81% of their users are using two-factor authentication, both signs of improvement over the course of fiscal year 2015.
FCW reporter Zach Noble, however, paints a more dismal picture of the results, noting that "federal agencies are still vulnerable to some of the most common cyber-attacks," including social engineering (250 incidents reported by CFO Act agencies), phishing (60 reports) and malicious code/malware (7,466 reports).
When it comes to the Cross-Agency Priority (CAP) goal of being 95% capable of detecting and blocking unauthorized software, only 7 of the 24 CFO Act agencies meet the minimum score, and the average cross-agency score is 68%. Similarly, only 9 of the 24 meet the CAP goal of 95% capability in vulnerability management. There is definitely room for improvement in federal cybersecurity, and the 2016 OMB report only begins to shine a light on it.
Examples, Examples & More Examples
Reports aren't the only evidence pointing to the need to improve federal cybersecurity; the past year has offered plenty of examples proving that federal agencies are vulnerable. America is still reeling from the damage created by the giant Office of Personnel Management (OPM) hack. It dwarfs other agency hacks not only in size but also in severity: the personal data and records of every current, and many former, federal workers were not only stolen but showed up for sale on the dark web as early as June 2015. In April 2016, more information about the hack came to light, when it was reported that as many as 22 million accounts were compromised. As time goes on, it's clear that this hack will further unravel, with potentially devastating consequences as malicious parties continue to exploit the victims.
For another example, back in February 2016, as America was getting ready to enjoy the Super Bowl, Motherboard reported that an anonymous hacker had released the apparent names, job titles, email addresses and phone numbers of over 20,000 supposed Federal Bureau of Investigation (FBI) employees and 9,000 alleged Department of Homeland Security (DHS) employees. Around 1,000 of the FBI employees whose data was leaked were in highly sensitive intelligence analysis roles. In a scary example of how dangerous the combination of poor security awareness and social engineering can be, the attacker first compromised the email account of a Department of Justice (DoJ) employee, then phoned the help desk, asked for help accessing the portal, and was simply handed the token he needed to gain entry to a classified virtual machine.
In March 2016, the Department of Veterans Affairs (VA) reported that it had blocked 160 million malware attacks over the past year, but that it is still struggling with both "repeat information security deficiencies" and "inconsistent implementation" in its security posture.
The list of agencies that have experienced significant breaches in the last year could go on for ages, but these examples show why a serious change in both security mentality and standard operating procedure is needed at the federal level.
The Policy Perspective
In early February 2016, the White House announced that it would take "bold actions to protect Americans in today's digital world" under the Cybersecurity National Action Plan (CNAP). Following persistent threats against citizens by hackers and against governments by state actors, it's clear that America needs more from a cybersecurity standpoint, and the CNAP is the beginning of a long-term solution.
Major focuses of the CNAP include the establishment of the “Commission on Enhancing National Cybersecurity” which will “make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors while protecting privacy; maintaining public safety and economic and national security.”
Additionally, the CNAP highlights the efforts needed to modernize government IT while improving its management, backed by a $3.1 billion Information Technology Modernization Fund. The National Cyber Security Alliance will also launch a National Cybersecurity Awareness Campaign, in partnership with some of the biggest names in technology and online payment solutions, to empower Americans to secure their online accounts with multi-factor authentication. Looking toward 2017, the CNAP also includes a plan to invest over $19 billion in cybersecurity as part of the President's Fiscal Year 2017 Budget, a 35 percent increase over the 2016 budget.
A Federal First: America’s CISO
Included within this $19 billion budget is money allocated to hire the first federal chief information security officer (CISO), a position meant for a seasoned cyber chief. Dan Waddell, managing director and director of U.S. government affairs at (ISC)², notes that finding a candidate at the proposed salary, ranging from $123,175 to $185,100 per year, will be a challenge. Currently, the job posting is listed as closed.
Following initiatives such as 2015's "30 Day Cyber Sprint," 2016 is ramping up in terms of cyber initiatives taken at the federal level. While many of the CFO Act agencies appear in this post because of breaches and exploits, one agency that has taken a commendable step toward staying ahead of the hackers is the Department of Defense (DoD).
The DoD's "Hack the Pentagon" bug-bounty pilot ran from April 18 to May 12 this year, inviting roughly 1,400 vetted hackers to find vulnerabilities in several public Pentagon websites (dodlive.mil, dvidshub.net, myafn.net and dimoc.mil). In the end, 250 participants submitted at least one vulnerability report, and 138 reports were determined to be legitimate, unique and eligible for a bounty, according to the DoD website. A bounty like this is not a substitute for a formal penetration test, but it does expose in-scope systems to a large pool of outside attackers whose methods resemble those seen in the wild, under rules of engagement that keep the exercise controlled. It is a great initiative that other federal agencies should replicate and improve upon.
Moving forward, hopefully more agencies will follow the DoD's example. However, one program won't be enough. As the year ends, we hope to see more education and better policies, leading to fewer examples of successful attacks. What do you think? Let us know your thoughts on the state of federal agency cybersecurity in 2016 in the comments below.
Paul Curran BIO
Paul is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. With a background in mobile applications, Paul brings a passion for creativity to investigating the trends, news and security issues facing the development, security and greater IT communities worldwide. Through his work, Paul aims to inspire and teach security professionals how to stay ahead of the curve in application security in an era where the sophistication and frequency of cyber attacks are rising exponentially.