Survey indicates federal employees see their agencies becoming more resilient as cyberattack threat grows
By Steve Bittenbender
Editor, Government Security News
While the number and nature of cyberattacks on the federal government have increased in recent years, it appears that agencies are becoming more prepared for them and more resilient.
That’s the key finding from a recent survey by GovLoop, a social network that connects 200,000 public sector employees from all levels of government. The poll of more than 350 workers was conducted both to review 2016 incidents and prepare for what may happen this year.
According to the survey, 43 percent of employees said their agency or department experienced an attack in the past year. Of those who suffered a hack, 78 percent said their office handled the attack either effectively or adequately.
Half of the respondents said their department underwent more attacks in 2016 than in the previous year, while 43 percent indicated the number of intrusions stayed the same.
One area where employees felt their departments made the biggest strides was in identity management. The number of personal identity verification cards nearly doubled over the past year, with 81 percent of civilian employees now using the cards.
Employees also felt better about their agencies’ ability to defend against attacks, as the number of agencies that improved their phishing and malware defense capabilities rose from 10 to 19 in the past year.
“Government has been doing a great job in making cybersecurity a priority,” said Tom Ruff, the vice president for Akamai’s Public Sector-Americas division who helped analyze the survey’s results. “Agencies are prepared as much as they can be, given the rapidly evolving landscape.”
Ruff has more than 30 years of experience in IT, having held numerous executive positions in Fortune 500 companies before becoming Akamai’s leader in selling IT and cybersecurity solutions to government agencies.
While most employees feel good about their department’s resiliency, they also indicated there are a few areas for improvement. Most notably, employees are concerned about an overreliance on internal IT offices to handle attacks, and they’re also not sure what they need to do during an attack.
In its summary, GovLoop noted that many employees will look to take shortcuts, such as sharing accounts or writing down login information, to improve productivity. Those steps, however, also make systems more vulnerable to attacks.
Ruff noted that employees tend to be the leading threat to cybersecurity. That backs up an anecdote then-Homeland Security Secretary Jeh Johnson gave back in 2015. He noted that one of his directorates sent out an email to staff with the subject line “Free Redskins Tickets.” All they needed to do in the email was click on a link and then they’d receive information about where to meet to get tickets to a football game. When the workers arrived at the location to get the tickets, they instead received information on how to combat phishing and other cyberattacks.
Other challenges facing government agencies include the lack of employees with the skills necessary to prevent and deter hacks. GovLoop noted that fewer than 1 in 4 applicants for cybersecurity jobs actually have the skills needed to do the job. Funding is another issue, especially as more than 75 percent of federal IT spending goes toward legacy systems that may be antiquated and extremely susceptible to attacks.
The 2017 federal budget included a request for $19 billion to develop a cyber strategy for federal infrastructure. That request represents a 35 percent increase from the previous budget.
Further complicating the financial strain is the cost of hiring security experts as the government must compete with private businesses. That demand, Ruff said, makes it “very difficult” for agencies.
Among the solutions available to help agencies become even more resilient are moving government enterprises to the cloud and improving employee education. GovLoop noted DHS’ Cybersecurity Workforce Development Toolkit as a best practice that’s helped the department improve its cyber resiliency.
“No government entity or enterprise can move as fast as adversaries are moving,” Ruff said. “But government is moving in the right direction. A defensive strategy is continuing to educate, enforce policy, and make sure you have the budget.”
A research brief on the survey can be found at: https://www.dropbox.com/s/otejps51jbuu140/The%20Future%20of%20Government%20Cybersecurity.pdf?dl=0