Federal Security Hasn't Improved Since the OPM Breach

Despite the government’s response to the massive Office of Personnel Management (OPM) data breach last year, agency security has not improved.

That’s according to survey findings from the (ISC)², which has also named the finalists for the 2016 (ISC)² US Government Information Security Leadership Awards (GISLA).

The 2016 State of Cybersecurity from the Federal Cyber Executive Perspective report reveals that the OPM data breach that compromised the personnel records of 21.5 million current, former and retired federal employees and contractors in June 2015 wasn’t the wake-up call many thought it would be.

The (ISC)² also announced the winners of its 13th annual U.S. Government Information Security Leadership Awards (GISLA) program. They include, ironically, Gregory Touhill, who led the team that managed the response to the OPM breach.

Despite the president’s call-to-action imposed on federal agencies in the resulting “Cyber Sprint” exercise, 52% of respondents disagree that the exercise improved the overall security of federal information systems. One quarter (25%) of respondents said their agency made no changes in response to the OPM data breach; and still, a year later, 40% of respondents surveyed believe their agency lacks an effective response plan.

Also, an alarming 59% of respondents say that their agency currently struggles to understand how cyberattackers could potentially breach their systems, with 41% indicating their agency is not aware of where key assets are located.

Almost two-thirds (65%) either disagree or strongly disagree that the federal government as a whole is capable of detecting ongoing cyberattacks. And in the main, federal cybersecurity executives are disheartened by the current environment, with 25% unsatisfied or extremely unsatisfied in their jobs and considering leaving their agency; a disturbing finding given that the federal government is already struggling to populate its understaffed cybersecurity workforce with talented and experienced cybersecurity leaders and practitioners.

The lack of accountability was a consistent theme throughout the survey results, as 21% of respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Respondents indicated that certain departments within agencies do not view cybersecurity as important to their departmental functions, the most notable being human resources, purchasing/procurement and communications/public relations.

“I’m greatly concerned about the apparent lack of accountability this survey found, with 21% of respondents indicating there is no senior leader in their agency solely responsible for cybersecurity,” said Tony Hubbard, KPMG principal who advises federal agencies on cyber-risk and whose company sponsored the report. “Clear reporting lines and accountability are foundations for a good cybersecurity program and we hope this report sheds light on this issue. We look forward to the appointment of a federal CISO—that’s a step in the right direction.”

The survey did have a bright spot: Leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability, with 42% of respondents indicating that people are currently their agency’s greatest vulnerability to cyberattacks.

To that point, the (ISC)² judging committee of senior cybersecurity experts from (ISC)²’s U.S. Government Advisory Council (USGAC) and industry have assessed individual and team achievements of a select group of nominees and awarded GISLAs in seven distinct categories.

The 2016 GISLA recipients are as follows:

Technology Improvement – Individual Category

Preston Werntz, chief of technology services for the National Cybersecurity and Communications Integration Center (NCCIC), is a member of the Department of Homeland Security (DHS) team behind the Automated Indicator Sharing (AIS) initiative, which works to drive bi-directional threat information sharing between federal and civilian organizations. Werntz led the implementation of the AIS initiative at the NCCIC and successfully drove AIS to operation. His efforts to improve threat information sharing have led to near-real-time information sharing across 50+ non-federal entities with 10 department and agency participants.

Process/Policy Improvement – Individual Category

Gregory Touhill, US Air Force brigadier general (retired) and deputy assistant secretary (DAS) of DHS’s Office of Cybersecurity and Communications (CS&C), leads DHS efforts to secure federal civilian networks, help the private sector manage cyber risk, coordinate interagency response to cyber-incidents of national significance and engage with DHS’s international partners.

Workforce Improvement – Individual Category

Robert Collins, CISSP, CAP, is CISO of the Indian Health Service (IHS), Department of Health and Human Services (HHS), the principal healthcare advocate and provider for American Indians and Alaska Natives, and directs the IHS Division of Information Security (DIS). Collins’ efforts to modernize the IHS cybersecurity program resulted in the establishment of award-winning cybersecurity awareness campaigns. Under his leadership, the agency has increasingly built trust and partnership with tribes by showing transparency in its processes and raising confidence in the security program.

Up-and-Coming Information Security Professional – Individual Category

Azzar Nadvi, just two years after graduating from college, serves as assistant to the Director of the Cyber Joint Program Management Office (JPMO) at DHS. After President Obama signed the Information Sharing and Analysis Organizations Executive Order, DHS had to move quickly to build a coalition of existing information sharing organizations. With limited resources, Azzar was placed into a role typically reserved for a more senior member of the staff. In all circumstances, he exemplified leadership and professionalism beyond his years. As a result of Azzar and his peers’ contributions, the ISAO Standards Organization was stood up in record time—less than seven months.

Community Awareness – Team Category

Led by David Rosinski, information systems security manager (ISSM), the Naval Computer & Telecommunications Area Master Station Atlantic, Detachment Rota, Spain team reached the majority of the 10,000 people associated with the U.S. military in Rota, Spain, changing awareness training from a one-way message to a two-way dialogue. As a result, there have not been any cyber-incidents on the local network tied to user behavior since before October 2015.

Most Valuable Industry Partner (MVIP) – Team Category

Cisco’s Advanced Malware Protection (AMP), developed by Al Huger, vice president of engineering, is an overarching inter-architecture project that ties together Cisco security products to create one holistic security ecosystem. The AMP technology allows end-users to connect security products and endpoints into one homogeneous system that communicates within itself to find breaches. The system can then inform all components within the system so they can handle the breach. As a result, Cisco’s government customers are spending fewer human resources monitoring network health. In the long run, AMP is helping the government safely leverage network solutions to best serve their constituents.

F. Lynn McNulty Tribute Award

Richard Hale, deputy chief information officer for cybersecurity for the Department of Defense (DoD), acts as CISO for the government’s largest agency and ostensibly its most targeted. A man highly respected across the DoD, the government and industry for his wide-reaching and deep technical knowledge and his dedication to ensuring dependable mission execution in the face of cyber warfare, he continually fosters collaboration through his respectful and thoughtful, yet decisive, leadership style. His career has been marked by achievements of far-reaching significance not only to the DoD, but also to the American public.
