Survey: Federal agencies woefully unprepared to stop data breaches

Despite the US government's increased spending on cybersecurity protections, a survey released Friday found that 90 percent of federal technology officials say their agencies remain dangerously vulnerable to breaches. 

In fact, some 60 percent of tech officials surveyed said their organizations have suffered some kind of breach in the past year. 

As Washington has been rocked by computer attacks over the past year such as the massive Office of Personnel Management hacks that exposed millions of sensitive documents, tech workers remain pessimistic about Washington's ability to improve its defenses against malicious hackers.  

The tech analysis firm 451 Research recently polled more than 100 officials who work at federal government agencies as part of a much larger survey that canvassed more than 1,000 tech executives worldwide. Vormetric, the cybersecurity firm that commissioned the research, said that the responses about US government cybersecurity preparedness were drawn just from participants working at federal agencies.

The survey comes on the heels of a government report showing that cybersecurity incidents at government agencies were up 10 percent compared to last year. The Office of Management and Budget reported to Congress last week that the US-Computer Emergency Response Team received notice of 77,183 incidents over the past year.

The OMB figures and those from Vormetric and other recent surveys paint a familiar picture of the federal government’s continuing struggle to bolster cybersecurity amid fast evolving threats and increasingly sophisticated adversaries.

Over the past few years, billions of dollars have been spent on ramping up federal information security technologies and skills. For 2017, the Obama administration has proposed a cybersecurity budget of $19 billion, up 35 percent from this year’s budget. The current budget of $14 billion is itself 10 percent higher than 2015’s budget.

The spending and numerous cybersecurity initiatives by government have resulted in some positive change. There's broader use of new monitoring and threat detection tools. Most importantly, over the past 12 months, federal agencies have also sharply increased the use of two-factor authentication technologies for accessing computer systems.

That does not appear to be enough. Many federal agencies are stuck with antiquated systems that are ill equipped to handle modern security challenges and budget constraints limit their ability to modernize.

There’s also a disconnect between what agencies spend their budgets on and what’s needed to really ensure data security, said Sol Cates, chief security officer at Vormetric.

For example, many agencies appear to be placing a higher emphasis on breach detection while paying less attention to actually preventing breaches, Mr. Cates said.

There’s also an enormous amount of money being spent on wasteful activities, said Alan Paller, research director at the SANS Institute. "You don’t and won’t see commercial companies spending on security the way the government does," Mr. Paller says.

“Commercial companies know better than to spend 20 to 40 percent of their budget paying consultants to interview people and write reports," on cybersecurity, said Paller, whose organization offers security training and certification programs for government and industry.

A Cybersecurity National Action Plan (CNAP) announced by the White House in February proposes $3.1 billion to replace old systems that have become too complex and expensive to maintain. The plan also invests $62 million in scholarships and establishing national centers for excellence for those interested in cybersecurity careers in government.

But with just months left in the Obama administration, stopping breaches will depend on implementing CNAP proposals quickly. Inertia and an inherent resistance to change continue to be huge factors within government, said Ben Johnson, a former National Security Agency analyst and chief security strategist for security vendor Carbon Black.

"Historically people or technology that get into government stay there a long time," he said.

CORRECTION: This story was updated to correctly state the number of federal IT workers who say the government isn’t prepared to defend against cyberattacks.