Lack of funding exposes US federal agencies to high data breach risks
US federal agencies suffer the highest volume of data breaches out of government agencies worldwide and budgets are part of the problem, new research suggests.
Security
On Thursday, cybersecurity firm Thales, in conjunction with analyst firm 451 Research, revealed the results of a new study into the security practices and effectiveness of government entities.
The 2018 Thales Data Threat Report, Federal Edition, suggests that US federal agencies are experiencing a rise in data breaches not only from past years but are also reporting higher rates in comparison to non-US government counterparts.
According to the survey, based on the responses of IT professionals working in the federal sector, 57 percent of federal agencies experienced a data breach in the past year, in comparison to only 26 percent of non-US government agencies worldwide.
This is a vast jump from an estimated 34 percent in 2016 - 2017, and 18 percent in 2015 - 2016.
In addition, 68 percent of respondents say their agencies are "very" or "extremely" vulnerable to the cybersecurity challenges of today, while only 48 percent of global counterparts admit to the same.
The US government is pushing for IT modernization as part of the Trump Administration's Executive Order 13800. The order has been met with mixed reviews due to a demand for a full-scale review in a very short timeframe and a lack of concrete requirements to modernize cybersecurity.
The problem is one faced not only by government agencies but the enterprise at large today. There is a critical need to revamp systems and reduce the risk of data breaches and successful cyberattacks, but legacy systems, antiquated software and a lack of funding can make adequate security an impossible task.
Thales suggests that funding is an issue for federal agencies, too.
The overall federal IT budget dropped by roughly $6.2 billion in 2017, and while the White House has set aside investment for over 4,000 IT projects in mission delivery, administrative services, and support systems, IT infrastructure, security, and IT management, according to Thales, cuts are anticipated over the coming year which may impact basic IT budgetary needs.
According to the federal 2018 budget (.PDF), from 2015 through 2018, government-wide legacy spending as a percentage of total IT spending rose from 68 percent to 70.3 percent.
With such a large percentage being taken over just to maintain old, insecure, legacy systems, it is no wonder that many employees in the federal sector have concerns over adequate security.
"Aging legacy systems may pose efficiency and mission risk issues, such as ever-rising costs to maintain and an inability to meet current or expected mission requirements," the budget reads. "Legacy systems may also operate with known security vulnerabilities that are either technically difficult or prohibitively expensive to address and thus may hinder agencies' ability to comply with critical statutory and policy cybersecurity requirements."
Perhaps in order to maintain the balance sheet, federal agencies are turning towards cloud services, with 45 percent of respondents saying that their agency uses more than five Infrastructure-as-a-Service (IaaS) vendors.
In addition, 48 percent of those surveyed said over 100 Software-as-a-Service (SaaS) applications are in use.
With the weight of legacy systems pushing on their shoulders and the need to work with new, more innovative technologies and services at the same time, over two-thirds -- 72 percent -- of respondents said that they are becoming increasingly concerned over vulnerabilities spawned from shared infrastructures.
A further 62 percent were concerned about who has access to encryption keys, and where.
In total, 68 percent of those surveyed added that they are concerned about potential data breaches stemming from the cloud.
"The massive adoption of cloud computing does not correlate with implementations of data security tools suited to protect these new environments," said Garrett Bekker, Principal Analyst for Information Security at 451 Research. "Although 78 percent view data-in-motion and 77 percent view data-at-rest encryption as the most effective tools for protecting data, only 23 percent of US respondents have implemented encryption in the cloud. Additionally, only 31 percent claimed cloud computing security was a top spending priority."
Despite these worries, 93 percent of respondents said that security spending will be increased over the coming year within their IT budgets. In total, 56 percent plan to spend their budgets by focusing on endpoint security, 48 percent will hone in on network security, and 19 percent view data-centric security as a focal point.
Related coverage: Government agrees to up Medicare card privacy and security controls | Homeland Security orders federal agencies to start encrypting sites, emails | Kaspersky hauling Homeland Security to court to overturn federal ban | Microsoft to expand Azure Government Secret cloud option for handling classified data | US government subcontractor leaks confidential military personnel data
According to the survey respondents, complexity, business impact, and a lack of funding are all adoption barriers to modern cybersecurity protection.
However, federal IT employees and agencies as a whole remain motivated to do more. In total, 53 percent of survey respondents said the implementation of best practices and the avoidance of penalties are key motivators for change.
In addition, compliance scored highly at 43 percent.
In January, the United States Department of Homeland Security (DHS) confirmed that a data breach took place at the DHS Office of Inspector General (OIG), leading to sensitive data belonging to 247,167 employees being exposed.