Dive Brief:
- More than one-third of federal cyber incidents lacked a concrete identity for the attack vector, highlighting agencies' inadequate level of situational awareness, according to the Office of Management and Budget (OMB)'s 2018 federal cybersecurity report. OMB, the Department of Homeland Security, the National Security Agency and the Office of the Director of National Intelligence will help agencies integrate a cyberthreat framework that will provide a "hierarchical, structured, transparent and repeatable methodology" for uniformly defining threats across the federal government.
- OMB found that federal agencies have a tendency to allocate funds reserved for cyberdefense for "single point solutions" for "perceived security gaps" instead of the gaps that are already exploitable. OMB suggests using more threat intelligence and network traffic flow, as well as enabling more transparent communication between agency CIOs, CISOs and CFOs to better design cyber budgets for the most pressing needs.
- Whitelisting software is a struggle for about half of agencies, resulting in overlapping tools or multiple versions of the same software running with different vulnerabilities. To resolve the issue, OMB will help move agencies to "standard configurations" and "new government-wide marketplaces" to help secure federal systems and more efficiently streamline resources.
Dive Insight:
OMB wants agencies to follow the "adversary life cycle." The first stage of the life cycle is identifying indicators of a threat, followed by examining the actions used by adversaries. The third stage is identifying the objective of the adversary. Once an agency has determined the objective, it can begin examining the changes in strategies adversaries take to accomplish their objective. But the federal government has a long way to go in cybersecurity and overall IT modernization.
The struggle with whitelisting software was also evident in the federal agency scorecard initiated through the Federal Information Technology Acquisition Reform Act. The scorecard added software licensing to its grade list in November, and 17 of the 24 agencies received an 'F.' The most recent scorecard was published in May, and 14 agencies still have a failing score in the subject.
Failure to procure a solid software inventory indicates that federal agencies do not have complete awareness of what is on their networks. But in an age when shadow IT persists and legacy systems are still dominating federal IT, it's hard for federal agencies to keep pace, said Bob Sydow, Americas Cyber Leader and partner at EY, in an interview with CIO Dive.
There's already a need for a "harmonization of regulatory compliance along cybersecurity" in the private sector, but creating a bridge between the public and private sectors is needed now more than ever when cyberthreats have increased in "veracity, volume and precision," according to Sydow.
But all of federal IT's cyber woes could stem from its slow adoption of the cloud, despite it being a technology that agencies "should all be comfortable with," according to Rep. Will Hurd, R-TX, speaking at a cyber event in Washington last fall.