The Federal Communications Commission’s (FCC) recent “cyberattack” fiasco doesn’t surprise experts, given how terribly prepared they think smaller federal agencies are for most cyberattacks.
Large private sector companies routinely grapple with cybersecurity and fending off cybercrime, so for smaller federal agencies that may not have the resources to outsource cybersecurity to federal contractors — especially independent agencies like the FCC, the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Election Commission (FEC), the Social Security Administration (SSA) and the Environmental Protection Agency (EPA) — cybersecurity is a major, constant struggle.
A recent Tenable survey of 2,100 organizations found that only 48 percent have semi-adequate to adequate cybersecurity measures in place, while 33 percent do the bare minimum.
On Tuesday, the House passed bipartisan legislation that would establish the Continuous Diagnostics Mitigation division within the Department of Homeland Security, which would endeavor to protect federal agencies from cyberattacks.
Part of the problem according to Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, is that organizations tend to have the wrong focus in cybersecurity.
“Most organizations are focused on trying to prevent cybercrime, but resistance is futile,” he told InsideSources. “You can try to prevent as hard as you can, and that will make you less of a low-hanging fruit, but anyone who is diligently trying will find a way to work around. Most organizations private or public are pouring 90 percent of their energy into the prevention side.”
Trying to prevent cyberattacks, Madnick says, is a waste of time, because you’ll be attacked regardless.
“My sense is people are not very well prepared for a variety of reasons, because people think of being prepared in terms of what they’ve experienced in the past,” he said. “The problem with cyberattacks is they’re always something you’ve never seen before. Both private and public tend to be very poorly prepared. Most people, when a problem occurs, they kind of scurry to try to deal with it.”
The deck is stacked against most organizations: according to an August Malwarebytes study, 10 percent of cybersecurity professionals are engaged in “Black Hat” activity and 50 percent know or have known someone engaged in “Black Hat” activity.
This is especially alarming for federal agencies handling sensitive information. Because cybercrime is such a lucrative business for many cybersecurity professionals, it is now harder to trust whoever is handling your cybersecurity.
Furthermore, Madnick said 50 percent of organizations who have experienced a cyberattack don’t know they’ve been attacked, which adds to the confusion and explains why some — like the FCC and DNC — jumped to conclusions as soon as they noticed anything remotely off.
Madnick has experience with state government and local government information technology (IT) systems, and said most government entities’ resources and funding for cybersecurity is “relatively minimal,” which is especially concerning ahead of midterms.
Despite the mad dash to improve elections security this year, Madnick doubts federal, state and local governments have done enough, based on how outdated their IT systems are.
“That’s a very scary system because it involves local authorities, state authorities, federal authorities, and I suspect none of them have put in the time and energy needed,” he said, despite the news coverage.
Large federal agencies suffer cyberattacks but have more resources and better cybersecurity measures in place to handle them. Smaller federal agencies, on the other hand, are “ripe to be pilfered with.” Some may regularly experience attacks without even realizing it.
“There was a report that the Department of Energy had been attacked 20-some times in the past year,” Madnick said. “Not all the attacks were successful, but they were information-gathering attacks, a lot of their internal documents were being stolen.”
The Center for Strategic and International Studies’ (CSIS) Vice President James Lewis — an expert in cybersecurity who previously worked for the Commerce and State Departments — said cybersecurity has “been a struggle since the first computer was installed” in federal agencies.
“The intelligence agencies and the military do an 80 percent job, anybody else is catch as catch can,” he told InsideSources. “Agencies don’t want to give up their independence, so we have a lot of agencies that just don’t have the resources or the people, and that’s a guaranteed vulnerability. Bigger agencies do better, like the Treasury, Department of Justice (DOJ, Department of Defense (DOD, but not all of them.”
Lewis thinks the biggest problem for the smaller, independent agencies is their size and the fact that they tend to handle cybersecurity in-house.
“They really need to outsource a lot of these functions either to another agency or the private sector,” he said. “That’s kind of a budget thing but also a strategy thing.”
Some agencies may need bigger budgets, but Lewis also said some agencies may not be able to outsource simply because of the nature of their authorization. Many agencies aren’t permitted to outsource much of their data simply because it is so sensitive.
“The ways the laws were written 30 years ago require an agency to maintain some control of data storage,” Lewis said. “The federal government’s guidelines for agencies to move data into the clou is 1400 pages long, and that’s a problem right there, you have a rulebook that’s so complicated no one can figure it out.”
FedRAMP, which helps an agency transfer its data to the cloud, requires a lengthy authorization process that may be burdensome for small, independent agencies.
For some agencies, then, amending existing regulations regarding how they handle their data could allow them to pursue better cybersecurity measures.
“If you’re posed to safeguard people’s data, you have to think about when you move it to a cloud service provider. It’s not impossible, but it does take money and thought,” Lewis said. “You have to have someone to manage these contracts. You have privacy concerns. The old thing was, I’m an agency, I have data, I put it in a file and it’s safe. When they moved that over to the digital mindset, it becomes, do I want to move that outside of my own agency boundaries.”
In the meantime, Madnick said all organizations need to rethink cybersecurity and be more proactive about regular screenings, because getting attacked is inevitable. The severity of an attack, however, can be mitigated.
“You need to start backwards, and say what it is that you don’t want to go wrong,” Madnick said. “And what mechanism can you put in place to make sure that doesn’t happen or minimize how much damage it can do. I don’t think most organizations are doing that, because it’s not normal. I think we have this naive assumption that if we prevent enough we won’t have to prepare. I do think we can do a heck of a lot better job in preparations.”