Government cybersecurity: What’s improved and what needs work?
May 24, 2016
Defense has always been a major issue for the U.S. government. Keeping the American people safe from threats both at home and abroad is vital, and this importance shows in the national budget. Out of the $1.1 trillion allocated in fiscal year 2015 discretionary spending, $598.5 billion went toward the military. That's 54 percent of the budget, clearly showing how important defense is to the U.S. government.
That said, it wasn't until recently that government entities began to take cyberdefense seriously. With this decision to beef up the country's cybersecurity has come quite a lot of advancement, but agencies still have a long way to go before the country is truly secure. So what are government officials doing right, and what areas need improvement?
Phishing attacks are becoming less successful
One of the major recent developments is that government employees are getting better at sniffing out phishing attacks. These scams, which use massive email campaigns to either illegally gather information or infect the victim's machine, rely on ignorance and general cybersecurity malaise on the part of the recipient.
However, the Department of Homeland Security recently conducted a survey with KPMG and found that workers are getting better at spotting phishing schemes, according to a report compiled by the DHS Office of Inspector General. The study utilized security experts who masqueraded as DHS technical support employees who were locked out of the system and needed login credentials. These auditors called other staff members, attempting to get ahold of this information.
Of the 28 people who were called, only eight took the time out of their day to speak with a person using a phone number they didn't recognize. Out of those who answered, none ended up actually giving the auditors any login credentials. Although this is certainly a small sample, the fact that the DHS is touting this as a success shows how dire the social engineering situation used to be. Government employees are quickly learning not to trust someone over the phone, thereby increasing the cybersecurity of the country as a whole.
Cyber Command is getting more focused
Another big improvement in U.S. government cybersecurity is the recent National Defense Authorization Act that has passed a House committee. This act is meant to strengthen the nation's cyberwar capabilities by turning Cyber Command into a bona fide military unit, according to The Hill. As it stands, Cyber Command is under the authority of the National Security Agency.
This limits the department's ability to wage cyberwar because the NSA is currently mostly focused on intelligence gathering. While this is certainly an important endeavor, the point of the act is to turn Cyber Command into a military force to be used offensively against outside or internal threats. It's hard to say exactly what Cyber Command does or what it will do – according to Tech Insider contributor Paul Szoldra, the military doesn't want to compromise current operations by letting the enemy know what it's doing.
That said, Szoldra stated that the military as a whole is doing everything from blocking communications from ISIS agents to jamming signals sent from cellphones to explosive devices. Regardless of how they move forward, there are simply a lot of benefits to creating a dedicated cyberwar unit.
"A combatant commander designation would allow us to be faster, which would generate better mission outcomes," said Cyber Command head Adm. Michael Rogers, who is also the director of the NSA.
Phishing has given way to whaling in the hacking community
Although government entities are doing a lot better with spotting regular phishing scams, hackers have begun to move away from these kinds of attacks. In fact, there's a new social engineering attack that's poised to do quite a lot of damage in the years to come. It's called whaling or business email compromise, and it involves the criminal hacking into the email account of an important individual.
TechTarget's Margaret Rouse has stated that whaling ventures target high-ranking officials such as CEOs or politicians in an effort to trick lower-level employees into giving up money or information. In fact, this trend has become such a problem that the FBI has found that between October 2013 and February 2016, organizations lost around $2.3 billion to these kinds of attacks.
Whaling attacks rely on an obedient workforce, something that the government already has. Workers very rarely question their superiors, especially within the public sector, and an agency director losing control over his email account could very well jeopardize national security. Employees are going to need to take an active role in verifying the identity of superiors when asked to do something that's out of the ordinary.
Windows XP no longer receiving updates
After April 8, 2016, Microsoft stopped any sort of technical support for its massively successful Windows XP operating system. While this has certainly been a long time coming, it is a major problem currently facing agencies. Although it's impossible to say exactly how many government computers are running Windows XP, Government Technology contributor Tod Newcombe stated that it's certainly a substantial number.
Newcombe pointed out that around 30 percent of global computers run the OS, and around 95 percent of ATMs rely on it, which are both terrifying numbers considering Microsoft will no longer be putting out security patches. If a large enough number of government machines are running Windows XP, hackers could find a major vulnerability that could easily lead to a massive data breach.
Clearly, the government has a long way to go to improve its current cybersecurity standing. That said, major steps have already been taken and it would appear agency leaders are really intent on bettering security standards.