When he issued Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, President Trump’s goal was to highlight that security and public accountability of government officials are foundational pillars while emphasizing the importance of reducing cybersecurity risks to the Nation. In accordance with the Executive Order, effective cybersecurity requires any organization—whether a private sector company, a non-profit, an academic institution or an agency at the state, local, or Federal level—to identify, prioritize and manage cyber risks across its enterprise. On May 30, 2018, the Office of Management and Budget (OMB) published the Federal Cybersecurity Risk Determination Report and Action Plan to the President of the United States (Risk Report), which was a requirement under Executive Order 13800. The Risk Report captures OMB’s assessment of cybersecurity risk management capabilities across the federal enterprise and provides recommendations to address the mission-critical cybersecurity gaps.
Findings and Recommended Action Plan
In their federal cybersecurity review, OMB and DHS examined the capabilities of 96 civilian agencies across 76 metrics to determine those entities’ ability to identify, detect, respond and, if necessary, recover from cyber incidents. According to the report, “The current situation is untenable.” The report’s findings indicate that 71 of 96 agencies (74%) participating in the process had cybersecurity programs that were either “at risk” or at “high risk.” (The report defines the term “high risk” as “Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently”; the term “at risk” applies to agencies where “Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.”) The report continues: “…the risk assessments show that the lack of threat information results in ineffective allocations of agencies' limited cyber resources. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.” The report also indicates that the timeline for the implementation of access management capabilities, boundary protection and event management capabilities is likely to be delayed due to “a series of government-wide and agency-specific implementation challenges.” On a more nuanced level, the report presents four important findings, namely, most agencies’ limited situational awareness, lack of standardized IT capabilities, limited network visibility and lack of accountability for managing risks.
Limited Situational Awareness
One of the major findings of the report is that the agencies cannot identify the methods and vectors of cyberattacks. Out of 30,899 cyber incidents that produced security breaches, the methods and the vectors of the attacks were not identified in 11,802 cases. Even in cases when they were identified, the agencies did not have information-sharing processes in place to communicate the data about the attacks to other agencies. According to the report, only 59% of agencies reported having such processes.
Lack of Standardized IT Capabilities
Agencies can facilitate the identification of security vulnerabilities by adopting standardized procedures or technologies. For example, if agencies use the same standards for sending and receiving emails, they will facilitate the identification of phishing emails, because a phishing email that does not comply with the common standard can be easily identified. However, this is not the case with federal agencies. The report indicated that many agencies employ fragmented identity, credential and access management (ICAM) processes. For instance, one agency revealed that it maintains a decentralized environment with 23 domains and more than 300 unique user groupings based on geographic location, which limits its ability to manage users’ access to data within the agency effectively.
Limited Network Visibility
Effective response to cybersecurity incidents depends on agencies’ ability to monitor the flows of data processed through their networks and to detect cybersecurity incidents. Just 27% of the examined agencies reported that they could detect and investigate unauthorized attempts to access large volumes of data. This means that large volumes of data could be stolen from the computer systems of the other 73% of agencies without their knowledge. Even in cases when agencies do detect data breaches, they may not respond adequately, as only 30% of the agencies have predictable, enterprise-wide incident response processes.
Lack of Accountability for Managing Risks
The report found that many agencies’ chief information officers (CIOs) and chief information security officers (CISOs) often lack the authority to make important organization-wide decisions. This issue is particularly serious in agencies that employ multiple CIOs, each responsible for managing their own budget. A decision taken by one of those CIOs may not apply to the security infrastructure falling within the scope of the other CIOs.
Recommended Action Plans
In response to the aforementioned worrying findings, the Risk Report identifies four core actions that can help address cybersecurity risks across the federal enterprise:
- Increase cybersecurity threat awareness by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks,
- Standardize IT and cybersecurity capabilities to control costs and improve asset management,
- Consolidate agency Security Operation Centers (SOCs) to improve incident detection and response capabilities, and
- Drive accountability across agencies through improved governance processes, recurring risk assessments and OMB’s engagements with agency leadership.
Discussion and Comments
The report’s key takeaway is that the US government spends too much on cybersecurity and gets too little in return, allowing critical governmental agencies to operate at high cybersecurity risk and thus jeopardizing national security. But even if they follow the recommendations provided above, organizations will not achieve any positive result if there is a lack of leadership. As Gregory Touhill noted, “the biggest risk still is carelessness, negligence and indifference to policy, a poorly trained workforce, and lack of management attention. When was the last time you heard someone get fired because they made a big mistake in cyber? Accountability is key, and oversight is really important too.”