‘Untenable’: 3 out of 4 US govt agencies grossly unprepared to ward off cyberattack
The White House Office of Management and Budget (OMB) found 71 out of 96 government agencies have cybersecurity programs that are “at risk” or “high risk” when it comes to security.
Dozens of federal agencies are unable to deal with cyberattacks on their networks, the Federal Cybersecurity Risk Determination Report and Action Plan revealed. The report was commissioned in response to Executive Order 13800, which requires all federal agencies to submit risk assessment reports.
“Federal agencies possess neither robust risk management programs nor consistent methods for notifying leadership of cybersecurity risks across the agency,” the report found, without naming the agencies it details.
Unaware of system hacks
The OMB looked at cyberattacks on federal systems in 2016 that compromised information or functionality, and found that over a third of the 30,899 compromises never had a threat identified – meaning the agencies were not even aware whether they had been hacked.
This leaves the agencies at further risk as, if they are unable to detect a compromise, they won’t be able to learn who carried it out and how.
The report also found 73 percent of the agencies can’t tell when data exfiltration attempts are made, and therefore can’t detect when large volumes of information leave their network. More worryingly, not many agencies are even testing their capabilities to detect security breaches.
The news is particularly alarming given the 2015 breach of the Office of Personnel Management, which saw the theft of the fingerprints of 5.6 million federal employees.
Lack of uniformity
The report also revealed the haphazard collection of systems used across agencies – a lack of uniformity which creates further risks. One agency uses 62 separate email services, making it “virtually impossible to track and inspect inbound and outbound communications across the agency.” Not only that, the report found half of the agencies don’t know what software is running on their systems.
A failure to standardize email systems makes it more difficult to protect against phishing attempts and malicious attachments, and to validate email senders.
Lack of encryption
Encryption was another major security concern flagged in the report, with only 16 percent of federal agencies encrypting their data storage and bureaus generally treating the tech protection method as a “low priority.” The agencies which aren’t related to defense budgeted less than $51 million between them to encrypt data in 2017, with half of that amount going to just two agencies.
Meanwhile, the report found that when something has been compromised, 59 percent of the agencies have a process to communicate the threat, while a third have a procedure in place for alerting people about the breach.