With all the talk about cyber security risks in the news, you would think that the U.S. federal government would be doing a better job of protecting its data from cyber attacks, including the very real threat of state-sponsored hackers. Yet, as a new Office of Management and Budget (OMB) report points out, nearly 75 percent of federal agencies are still woefully unprepared to handle cyber security risks of any kind. This all comes on the heels of the United States government eliminating the position of federal cybersecurity czar earlier this year. While the report, which was prepared in collaboration with the Department of Homeland Security (DHS), did not specifically call out which agencies were failing to respond to global cyber threats, it did suggest that the failures, gaps and inadequacies were relatively evenly distributed across the entire federal government. In fact, 71 of the 96 federal agencies reviewed were deemed to be “at risk” or “at high risk” of a cyber attack. The report defined “at risk” to mean that there were significant gaps in security preparedness, while “at high risk” meant that fundamental processes were not even in place to deal with cyber security risks.
The final conclusion of the report was that the situation surrounding cyber security risks was “untenable” and needed to be addressed immediately. Federal agencies had little situational awareness, had few standardized processes in place for managing (or even reporting) attacks, and failed particularly when it came to encrypting data. It all paints a picture of federal agencies being unable to respond in the event of a major cyber attack.
Federal agencies need to improve in several key areas
Perhaps most damaging was the assessment that federal agencies don’t even know where cyber security risks are coming from, or how to respond to these security risks. The OMB report looked at more than 30,000 cyber attacks that took place in 2016 and found that in 38 percent of the cases, federal agencies could not even identify the threat vector. So how can you respond if you don’t even realize the full scope of the cyber security risks? This is what the OMB meant by a low level of situational awareness – the first step in any defense is simply being able to recognize the scope and scale of the event so that a proper response can be planned.