Most Federal Agencies Are 'At Risk' or Worse, According to Damning Cybersecurity Report

Image for article titled Most Federal Agencies Are 'At Risk' or Worse, According to Damning Cybersecurity Report
Photo: Getty

The US Office of Management and Budget set out to investigate just how up to snuff the cybersecurity programs at federal agencies are and—surprise!—it’s bad. The recently released report shows that most agencies within the government fail to clear even the lowest bars when it comes to cybersecurity preparedness.


The main takeaway of the report, which is filled with some pretty brutal quotes and statistics, is this: of the 96 agencies OMB assessed, nearly three-quarters were either considered to be “at risk” or “high risk” and in need of immediate improvements to their protocols. The report concluded, “the current situation is untenable.”

Given the sheer size of the federal government and the glacial pace at which it typically moves, it might not be all that surprising to learn that agencies are lagging behind in cybersecurity best practices. But the report indicates agencies aren’t just slightly out of date—some are essentially operating in completely in the dark.

OMB found that 73 percent of federal agencies can’t detect attempts to access large volumes of data. That means just one in four can actually identify data exfiltration attempts, though only in theory as the report notes “even fewer agencies report testing these capabilities annually.” That is not great news considering the federal government is a prime target for such an attack and has fallen victim to them before. In 2015, the Office of Personnel Management suffered a breach that allowed hackers to steal the fingerprints of 5.6 million federal employees.

Troublingly, it’s entirely possible a similar attack may have already happened and the government has no clue about it. OMB looked at 30,899 cyber attacks on federal systems that led to the compromise of information or functionality that took place in 2016 and found that a whopping 11,802 of them—38 percent—never had a threat vector identified. In those cases, the government has no clue who carried out the attack or how, leading the OMB to reason that “Agencies do not understand and do not have the resources to combat the current threat environment.”

Even if an agency identified a cyberattack, odds are good it wouldn’t have a clue who to tell about it. Just 30 percent of agencies have “predictable, enterprise-wide incident response processes in place” to report an incident.

Worsening the situation is the fact that there is just a whole mess of different systems being used across the government’s many agencies. The report found there are 62 separately managed email services running across the federal system, which OMB said makes it “virtually impossible to track and inspect inbound and outbound communications across the agency.” Worse yet, half of all agencies can’t even detect what software is running on their systems and just 16 percent of agencies are encrypting their data at rest.


These issues will take a lot of fixing, but could in part be combatted by some standardized cybersecurity practices. Say, some type of cybersecurity coordinator that operates out of the White House. (You know where this is going, right? The next sentence is going to tell you that the Trump administration eliminated the very role that could help with this problem.)

Too bad John Bolton pushed the president to ditch the cyber advisor post earlier this month in an effort to cut down on bureaucratic red tape. Insert your own “This Is Fine” meme here.


[Office of Management and Budget, TechCrunch]



I can chime in on this a little. I work in Cyber/IT field in DC. Like anywhere else in the country, IT professionals are in high demand. The “big dog” agencies like the DoD, NSA, FBI and CIA or major defense contractors (Boeing, Lockeed, etc.) hire the best while everyone else fights for leftovers.

Who the hell wants to work in IT/Cyber for the Department of Labor or Department of Housing and Urban Development? So they tend to fall behind.. way behind.

Also, can you imagine trying to explain to Ben Carson and his staff the importance of routine vulnerability scans and patch management?