By Jeff Ghelerter and Curtis Cote
The numbers are astonishing. There are around 70 million cyber-attacks on the Department of Defense per week, or roughly 115 per second, and the National Nuclear Security Administration matches those numbers. Cyber-attacks on the federal government increased 782% between 2006 and 2012, and 66% of security breaches go undetected for months (and the longer a breach goes undetected, the more it costs to mitigate).
If it seems like everyone in the federal government is talking about cybersecurity, now you know why. The government spends $1.2 billion a year on cybersecurity, with roughly $415 million of that being spent on software. The US Cyber Command received $447 million this year, more than double the $191 million it received in 2013, and the Department of Homeland Security (DHS) received $792 million for cybersecurity, a bump of $35.5 million. And yet, there are still enormous challenges. For years, there was no dedicated federal-wide acquisition vehicle for cybersecurity software, though DHS has recently implemented the Continuous Diagnostics & Mitigation (CDM) Blanket Purchase Agreements (BPAs) to help address this gap.
But as anyone who has worked in government technology knows, software sprawl across multiple agencies often wreaks havoc on efforts to unify standards and allow for interoperability. Nowhere is that a more pressing problem than in cybersecurity, where staying ahead of constantly morphing threats is an enormous challenge and mitigation costs are high. Because the field changes so rapidly, it is also difficult for federal managers to stay ahead of the curve.
The questions are, then: What is the true cost of a security event, and how much should the government be willing to spend to protect against such an event? As part of an acquisition solution, the government needs to be able to identify emerging risks, quantify their potential impact, and make a smart business decision regarding spending money to mitigate them.
Communication Is Key
While it’s important to monitor CDM and continue to improve its performance, it’s also imperative that agencies speak to each other. During our extensive interviews with cybersecurity pros in the government, one of the common threads was a need for greater communication between agencies. One interviewee told us, “Groups of Chief Information Security Officers tend to not sit down and chat, but have done this on a couple occasions and it’s been useful. All the silos need to work together.”
To this end, we propose that a centralized knowledge management group be formed, pulling together requirements owners and acquisition personnel from across the federal government to share information and update each other on their efforts. The complexity and speed at which the market changes create challenges for agencies, and convening a regular knowledge management group meeting will help broaden the knowledge base and keep agencies well informed. The group should:
- Invite industry and government CIOs to discuss best practices for keeping up with the latest threats and products
- Compile and communicate a list of latest threats and latest software on a quarterly basis across agencies
- Share best practices on preventing security breaches from new threats (e.g., what to look for, what not to click)
- Share acquisition best practices (e.g., make community aware of acquisition vehicles with on-ramps for quick access to new products)
According to a Government Accountability Office (GAO) report from February 2013, “Several GAO reports have…demonstrated that the roles and responsibilities of key agencies charged with protecting the nation’s cyber assets are inadequately defined.” The knowledge management group could convene the various oversight organizations (e.g., OMB, DHS, CIO Council, Comprehensive National Cybersecurity Initiative) and invite guest speakers to discuss policies and guidelines and clear up confusion.
To read the rest of this post, please visit Public Spend Forum.