Post 5: The Invisible Threat: Addressing Cybersecurity in the Public and Private Sectors

Cybersecurity has become a national security priority for the US government (thedigitalbridges.com).

In December 2016, the Obama administration created the Commission on Enhancing National Cybersecurity. [1] The Commission was tasked with assessing the current state of US cybersecurity and recommending steps that the government, private sector, and the nation could take to protect digitally stored information. [2] In its conclusion, the Commission offered advice and declared cybersecurity to be one of the greatest challenges faced today by the United States. [3]

The Commission’s report was timely. From 2006 to 2015, the number of cyber incidents reported by federal agencies jumped more than 1,300 percent. [4] Additionally, since 1997 federal information security has been on the high-risk list of the Government Accountability Office. [5]

Even more disconcerting has been the government’s inability to protect sensitive information. In 2016, cyber risk firm SecurityScorecard performed a digital security health analysis of the government. [6] In its report, the firm held that US federal, state and local government agencies ranked last in cyber security when compared to 17 major private industries. [7]

SecurityScorecard based its finding in part on 35 government data breaches, two of which occurred in 2015. [8] In May of that year, hackers stole data from 700,000 IRS accounts that included social security numbers and other sensitive information. [9] In June, hackers breached Office of Management and Personnel computers and stole addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check. [10]

There are several reasons, among others, for these breaches. First, some government computers run outdated software. In 2014, it was estimated that 10 percent of government computers were vulnerable to attack because they ran Windows XP after Microsoft had stopped providing security updates. [11] However, when an agency seeks an upgrade, requesting and implementing software updates can be a time-consuming process. The updates must first be approved by several departments and committees, often rendering the update obsolete by the time it is installed. [12]

An additional problem lies in the complexity and size of government networks. Government networks tend to grow exponentially over time, becoming larger and more complex. [13] As a result, implementing retroactive security measures becomes difficult because agencies don’t understand the scope of their systems. [14] Moreover, if an agency doesn’t grasp the extent of its network, it may not be able to identify suspicious behavior within the system. [15]

Lastly, in the past various federal agencies had separate cybersecurity systems. [16] As a result, real-time cybersecurity information could not be shared between agencies. However, the Obama administration created the Cyber Threat Intelligence Integration Center (CTIIC) to promote inter-agency cybersecurity data collaboration. [17] Thus, the CTIIC has begun to address this issue, though additional communication between agencies is still needed.

With these challenges in mind, the last two administrations have acted to address cybersecurity. For instance, in 2015 President Obama signed an Executive Order that urged private sector companies to share cybersecurity information with one another and the federal government. [18] Although advisory, the Order also encouraged development of clearinghouses for sharing security data. [19]

President Obama discussed cybersecurity at Stanford University in 2016 (Nicholas Kamm, AFP, Getty Images).

President Trump has also addressed cybersecurity by outlining a plan to protect government information systems. Though it is yet to be signed, the administration drafted an Executive Order aimed at updating government technological infrastructure. The draft also called for review of government cybersecurity capabilities and vulnerabilities, along with a report on incentivizing the private sector to adopt further security measures. [20]

It is clear that cybersecurity offers President Trump a difficult challenge. He must lead the development of a new government method to protect sensitive information. With that in mind, there are three components that should be included in the president’s cybersecurity policy.

First, Congress must appropriate spending for upgrading government information systems. Like President Obama’s 2016 request, funds should be directed toward hardware and software updates with oversight from an appointed committee. [21] With this, the government would take steps toward graduating to contemporary cybersecurity infrastructure.

Second, the government should continue to collaborate with Silicon Valley companies to combat cyber threats. Silicon Valley’s ingenuity and wealth of engineering talent should be paired with the vast trove of government cybersecurity information to build a comprehensive digital defense. [22] This would include expanding current relationships between Washington DC and Silicon Valley and offering tech companies worthwhile financial incentives to participate.

Lastly, government agencies and the private sector must take additional steps to share information. This would include establishing an integrated interagency platform for sharing real-time cyber threat data. Also, agencies must remain in personal contact with private sector companies to establish trust and a system for information sharing and problem-solving. With this, the government and private companies would remain informed and able to respond to cyberattacks.

In all, the speed of modern technology has left the government behind on cybersecurity. Although federal agencies possess nearly unlimited resources and dedicated employees, the slow nature of the federal bureaucracy precludes rapid response to cyber threats.

In order to catch up, the government must invest in new infrastructure, collaborate with private sector enterprise and open its trove of security data to participatory use by all agencies. If not, the most powerful country in history risks falling victim to a keystroke from a single person with coding experience and malevolent intent.

[1] Office of the Press Secretary (2016). Statement by the President on the Report of the Commission on Enhancing National Cybersecurity. The White House. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2016/12/02/statement-president-report-commission-enhancing-national-cybersecurity.

[2] Id.

[3] Id.

[4] Davidson, J. (2016). Federal Cyber Incidents Jump 1,300% in 10 years. The Washington Post. Retrieved from https://www.washingtonpost.com/news/powerpost/wp/2016/09/22/federal-cyber-incidents-jump-1300-in-10-years/?utm_term=.4f1130ddd5a5.

[5] Id.

[6] Volz, D. (2016). US Government Worse Than All Major Industries on Cyber Security. Reuters. Retrieved from http://www.reuters.com/article/us-usa-cybersecurity-rankings-idUSKCN0XB27K.

[7] Id.

[8] Id.

[9] McCoy, K. (2016). Cyber Hack Got Access to Over 700,000 IRS Accounts. USA Today. Retrieved from http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/.

[10] Davis, J.H. (2015). Hacking of Government Computers Exposed 21.5 Million People. The New York Times. Retrieved from https://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html.

[11] Pepitone, J. (2015). Federal Data Breach: Can the Government Protect Itself from Hackers. NBC News.com. Retrieved from http://www.nbcnews.com/tech/security/federal-data-breach-can-government-protect-itself-hackers-n370556.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Fortune. (2015). US Launching a New Cyber Security Agency After Sony Attacks. Fortune Tech. Retrieved from http://fortune.com/2015/02/10/u-s-launching-a-new-cyber-security-agency-after-sony-attacks/.

[17] Id.

[18] Zezima, K. (2015). Obama Signs Executive Order on Sharing Cybersecurity Threat Information. The Washington Post. Retrieved from https://www.washingtonpost.com/news/post-politics/wp/2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/?utm_term=.af5c15c0004b.

[19] Id.

[20] Washington Post. (2017). Read the Trump Administration’s Draft of the Executive Order on Cybersecurity. The Washington Post. Retrieved from https://apps.washingtonpost.com/g/documents/world/read-the-trump-administrations-draft-of-the-executive-order-on-cybersecurity/2306/.

[21] Dillow, C. (2016). Obama Unveils National Cybersecurity Action Plan. CNBC. Retrieved from http://www.cnbc.com/2016/02/09/obama-unveils-national-cybersecurity-action-plan.html.

[22] Id.
