The White House and the Department of Homeland Security have finished a government wide review examining the security of federal agencies, and the results aren’t pretty.
Dozens of federal agencies have cybersecurity programs that aren’t properly equipped to deal with cyber intrusions in their networks, according to a new report released by the White House Office of Management and Budget. Of the 96 federal agencies examined, a whopping 71 were relying on cybersecurity programs deemed “at risk or high risk.”
President Donald Trump came to office promising cybersecurity would be a major priority – vowing on the campaign trail to order a review of U.S. cyberdefenses and to confront malicious cyber activity by foreign governments. And this report was commissioned last May under his sweeping executive order on cybersecurity, which broadly sought to hold agency heads accountable for protecting their networks.
Trump’s relative prioritization of federal cybersecurity was welcomed by many experts in the wake of the massive Office of Personnel Management breach that exposed the personal information of some 22 million people in 2014, and in light of the intelligence community’s fresh concerns about Russia’s election interference during the 2016 presidential election.
But one year later, the results of this report spotlight how the federal government is still struggling to organize its cybersecurity efforts. And former White House and DHS officials worry that the Trump administration lacks a path forward without proper leadership at the top.
“Things aren’t improving as fast as we need them to,” said Ari Schwartz, who served on the National Security Council during the Obama administration as senior director for cybersecurity. “We’re behind where we need to be to be successful in preventing attacks.”
The report found that 12 agencies had “high risk” programs, meaning key cybersecurity tools weren’t in place or weren’t deployed sufficiently. Fifty-nine agencies had “at risk” programs, meaning some of the right policies were in place but there were “significant gaps” in terms of security. OMB also noted that federal agencies lacked the visibility into their own networks that would help them detect attempts to steal data and respond to other cyber incidents.
Although the report doesn’t identify which agencies had cybersecurity problems, the scope of the issues described in the report makes it clear that both small and large agencies alike have a ton of work to do, said Stewart Baker, former assistant secretary for policy at DHS.
“It would be comforting but wrong to assume that the agencies at risk are pipsqueaks like the National Endowment for the Arts or the Federal Mediation Service,” Baker told me. “We’re at that awkward stage where every agency is aware of the threat but few of them have changed their budget priorities to counter it. That, plus the fact that some of the most mission-critical applications are the hardest to patch, means that many of the at-risk programs are essential to the functioning of the government.”
Making matters more complicated, the White House decided in recent weeks to eliminate the role of cybersecurity coordinator, a position created under President Barack Obama to oversee cybersecurity policy across the federal government.
In theory, orchestrating an action plan after this report would be right in the cyber czar’s bailiwick. But with former cybersecurity coordinator Rob Joyce returning to the National Security Agency and no replacement on the way, there appears to be no obvious advocate in the White House to help agencies improve the very cybersecurity programs the report calls deficient.
“That’s the type of thing that the cyber coordinator used to be in charge of,” Schwartz said. “Getting rid of that complicates the matter and makes it harder to do that kind of management.”
This won’t be a simple fix: The 59 “at risk” agencies are still learning how to respond to digital threats, Schwartz said. Even more troubling are the dozen “high risk” agencies. “It means that they’re not improving,” Schwartz told me. “Based on my experience, it would mean that these are agencies that don’t have the ability to fix their problems.”
The report offered several recommendations to help agencies better protect themselves against digital threats. They include: using the same language across agencies to identify and categorize cyberthreats, standardizing certain cybersecurity tools to help control costs, consolidating the teams within agencies that respond to cyberthreats, and increasing accountability for top agency officials.
There is one bright spot in the report, said Frank Cilluffo, a former homeland security adviser to President George W. Bush: It offers “a snapshot on where the federal government writ large currently stands and offers a process on how to improve.”
“The bad news,” he said, “is the results themselves are disappointing and highlight just how much more still needs to be done.”
- Content by: Derek Hawkins, The Washington Post, Published May 30, 2018