Government worst of all industries in cybersecurity, says report

Malware, password theft and worker indiscretions are problems for all levels of the U.S. government


“Government, we have a problem”—to paraphrase the crew of the 1970 moon flight reporting back on Apollo 13’s technical fault. 

But it sounds about right to describe, in one line, the somewhat frightening state of U.S. government infrastructure—including that of NASA, which is the worst of the federal agencies—exposed recently in a report.

Network infrastructure weaknesses and vulnerabilities abound, according to SecurityScorecard.

The tip of the iceberg appears to be the now-famous 2015 Office of Personnel Management loss of 21 million people’s Social Security numbers and other Personally Identifiable Information (PII).

But that’s just one of the manifestations, the report suggests.

This year so far, four major attacks have already taken place on federal agencies, SecurityScorecard says in a related blog post. PII for 29,000 employees of the FBI and Department of Homeland Security was published by hackers, NASA lost PII on 2,400 individuals, and the IRS was hacked. And it’s only the end of April.

“Government organizations ranked at the bottom of all major performers, coming in below information services, financial services, transportation and healthcare,” SecurityScorecard says in its report.

Susceptible to malware, password theft and worker indiscretions

The study looked at organizations at local, state and federal levels, and its researchers say susceptibility to malware, password theft and worker indiscretions, such as “employees using corporate account information in social networks” along with phishing gullibility, is a problem.

The bottom ranking for government was lower than that for education, which was second lowest, and for telecommunications, which followed. As one might expect, the IT vertical performed best.

I wrote earlier this year about how universities were having a problem with cybersecurity due in part to local and state governments not having plans in place.

In the government’s overall scheme of things, the main problem appears to be not so much that the agencies can’t respond to immediate data breaches, but that the culture doesn’t adapt to new risks as time moves on.

“The government is already reacting, knowing that no data breach is acceptable, that cyberattacks are poised to get worse,” says SecurityScorecard. “However, the government can’t only address the risks and vulnerabilities that led to its most recent hacks. It must also evolve to combat the new security risks each new year brings.”

A step in the right direction

A 35 percent increase in current cybersecurity spending is suggested by President Obama, SecurityScorecard points out. That and other initiatives are a “step in the right direction towards improving cybersecurity,” SecurityScorecard says. But the Obama program isn’t approved yet, it reminds us.

Federal agencies admit to falling behind the private sector when it comes to digital transformation, I wrote a few months ago. Much like this issue of lacking cybersecurity, the departments that want to be “digital” know it’s a good thing and are remarkably knowledgeable about it, but they say they can’t afford it.

They believe that “more digital is better,” the report I wrote about then found, but they were simply stumped as to how to go about being “transformational.” Money wasn’t the whole problem that report discovered.

Echoes of this issue, perhaps? One answer might be to use outsiders that have more specialization.

Governments “should consider using outside resources to assist in examining vulnerabilities and developing plans for short- and long-term remediation,” SecurityScorecard says.
