Federal government spending on cybersecurity has increased substantially over the past several years, but a return on that investment remains elusive.
Breaches such as the one disclosed last week by the Office of Personnel Management and similar ones at the Internal Revenue Service, White House, and State Department in recent months show that federal agencies remain dangerously exposed to cyberattacks despite the billions of dollars poured into securing them.
The fiscal year 2016 federal budget allocates $14 billion for cybersecurity. That figure is a little more than 10 percent higher than the $12.5 billion set aside for 2015 and a massive 35 percent more than what the government spent in fiscal 2014. The cybersecurity budget represents about 16 percent of the total federal information technology budget of $86 billion for 2016, compared to the 4 percent or so that private companies typically allocate for the same purpose.
For 2016, the Department of Homeland Security has twice as much budget – $582 million – for just its EINSTEIN intrusion detection system and its continuous diagnostics and mitigation programs as JPMorgan Chase, the nation’s largest bank, spends on its entire cybersecurity program annually.
Yet, the cybersecurity situation for many federal agencies appears to be getting worse instead of better. The Office of Management and Budget’s (OMB) latest report to Congress on the state of federal information security shows that federal agencies reported nearly 70,000 information security incidents in 2014, up 15 percent from the year before.
To be fair, the vast majority of the incidents involved non-cyber causes, such as lost or stolen devices containing sensitive data, or pertained to policy violations, suspicious activity and attempted break-ins. At least some of the reported increase in security incidents last year also likely had to do with the fact that agencies are simply getting better at detecting intrusions.
Even so, the numbers are discouraging in the context of the spending on cybersecurity in recent years. In a recent survey conducted by Frost and Sullivan on behalf of the security certification organization (ISC)², nearly half of the 1,800 respondents from the federal government sector felt that security has not improved over the past two years. About 17 percent said their agency’s security posture was actually worse because of an inability to keep pace with the changing threat environment and a lack of funds, and more than half said their threat response times have not changed.
Multiple factors have contributed to the situation.
Just because the government has increased cybersecurity spending does not mean that all agencies have benefited equally from the largesse. A substantial chunk of the budget has typically gone to the Department of Defense and the DHS. Of the $14 billion set aside for cyber in the 2016 budget, more than $5.5 billion is meant for the DOD.
In 2014, the DOD and the DHS alone accounted for $10.3 billion of the total $12.7 billion in IT security spending reported by federal agencies. The DHS spent some $473 million on preventing malicious cyberactivity across government agencies and another $722 million detecting, analyzing, and mitigating threats on behalf of other agencies. Meanwhile, the OPM spent a relatively paltry $7 million on the same two categories in 2014 even though the agency stores personally identifiable information on 32 million people, more than most other federal agencies.
“The big guys get the big dollars because they have so much to protect,” says Howard Schmidt, former White House cybersecurity coordinator and currently executive director of the Software Assurance Forum for Excellence in Code. The smaller ones don’t always do as well, he says.
Strong authentication is another major issue, Mr. Schmidt says.
Many federal cybersecurity incidents can be avoided simply by implementing stronger processes for authenticating government workers to systems and networks. Yet, too many agencies and federal workers continue to rely solely on antiquated username and password mechanisms for accessing critical systems and data. The OMB estimates that as of 2014 there were more than 134,280 user accounts that had privileged, or elevated, access to federal systems, but were protected with just a username and password. Many attacks involve hackers stealing such credentials and using them to gain full access to networks and systems.
A 2004 presidential directive signed by then-President George W. Bush requires all federal agencies to issue what are known as personal identification verification (PIV) cards to all employees and contractors. The cards are meant to give agencies a strong secondary way to authenticate users.
Yet, more than 11 years after the directive was passed, PIV card use remains dismally low across the federal government, Schmidt says. Only about 70 percent of federal employees have PIV cards, but it is a number that drops to an even lower 40 percent if the defense department is excluded. A total of 16 federal agencies, including recently breached entities like the OPM and State, allow a majority of users to log into their systems with just a username and password.
Individual agency efforts to bolster cybersecurity are also often hampered by the interconnected nature of federal systems, many of which are antiquated, says Jasper Graham, a former technical director at the NSA and currently a senior vice president at security firm Darktrace.
“Even if one agency can upgrade and move right along they still have to maintain interconnectivity,” with other agency systems, Mr. Graham says. Protecting such connections can be a substantial financial and administrative burden for agencies. “Government systems have to deal with a tremendous legacy issue. After a while you end up in a situation where your security is only as strong as your weakest link.”
Cumbersome and bureaucratic procurement practices don’t make the cybersecurity task any easier, he says. Every single item the government wants to buy has to be bid upon and go through an elaborate approval and procurement process that is not just time-consuming but expensive as well. Where private companies can quickly acquire what they need to secure their networks, government agencies are bound in red tape.
"Even for things that should not be difficult there’s a process. Nothing is straightforward," says Graham.
According to Alan Paller, research director at the cybersecurity training outfit the SANS Institute, a skills mismatch is another aggravating factor.
Government agencies, he says, spend a lot on security but just not correctly. Many agencies are literally bristling with sophisticated tools for detecting and monitoring intrusions and threats. “But they are mainly watched by contractors who do not know what to do with the data” generated by these systems, he says. “The tools can find the problem, but it is the high tech people who know where to look that are missing.”