When you hear about a cyber breach, you probably wonder if your credit card has been compromised. But that’s it. Unless you are in the security field, a cyberattack can often feel like someone else’s problem. And that feeling is true in the government as well.
Don’t believe it? Check this out: cybersecurity policies are missing from many agency strategic plans. A new Brookings Institute report found only 35 percent of agency objectives contained some IT elements and about 12 percent of objectives were almost entirely IT initiatives. That means the other 65 percent of agencies are passing the cybersecurity buck on to someone else.
The Department of Agriculture, Department of Commerce, and Department of Health and Human Services emphasize IT the most, while the Department of State, Department of the Interior, and Department of the Treasury seem least interested in IT initiatives.
While the numbers are troubling, they aren’t that surprising. Kevin Desouza is an Associate Dean for Research at the College of Public Programs at Arizona State University; he is also a non-resident Senior Fellow of Governance Studies at the Brookings Institution. He told Chris Dorobek on the DorobekINSIDER program that half of the federal agency strategic plans make no mention of cybersecurity, and less than one quarter of IT objectives make any mention of efforts to secure IT systems and make only brief mentions of ongoing security efforts.
But cybersecurity should be on every agency, department, team and individual government employee’s radar.
Last October, Russian hackers breached unclassified networks at both the Department of State and the White House. CNET reports, “Hackers were able to gain access to real-time nonpublic details of the president’s schedule. Sources told CNN that the hackers are believed to be the same ones behind a damaging cyberattack on the US Department of State around the same time last year, which forced the department to shut down its email system for an extended period.”
One agency that is focusing on cyber is the Department of Defense. “They are cognizant of the threat because of their huge history in dealing with these attacks to their critical infrastructure,” said Desouza.
In fact, the Defense Department taking things one step further by going on the offensive. “They’re using their IT infrastructure as one of the vehicles of traditional warfare. They can attack another network if they need to compromise an outsiders critical infrastructure,” said Desouza.
However, creating that level of cyber preparedness is not easy. “The learning that goes into all of these processes, plus their readiness and the level of resources that are dedicated to actually protecting, monitoring, and bolding the critical infrastructure is pretty significant,” explained Desouza.
While the DoD is making serious progress in cyber readiness, many agencies are still grapping with the realities of cybersecurity.
Take critical infrastructures for example. Many organizations think of infrastructure as roads or the power grid. But Desouza explained critical infrastructures are so much more. “Think of a critical infrastructure as anything that if it were damaged would compromise the national economy at a pretty significant level. That could mean the power grid, food supply, water treatment or even banking.”
If you look at critical infrastructures through Desouza’s lens it is obvious that every agency has a responsibility for a particular aspect of a critical infrastructure. “The Department of Interior is responsible for all of our national parks. While they may not have control over the energy grid which is much managed by the private enterprise and the Department of Energy, they have a role to play in terms of protecting the infrastructure because it crosses park boundaries, both in the physical space and cyberspace,” said Desouza.
Everything is connected. And while interconnectedness means that no one agency has to fight cyber crooks alone, it can also complicate the situation because it muddles the question of what is in charge.
“When you think about who owns a given element of the infrastructure or who actually controls it, the relationships can be confusing. As technology has advanced our interdependencies have increased. In order to achieve global outcomes, communications between highly complex parties needs to happen,” warned Desouza. “We need greater amounts of collaboration across agencies, across the private enterprises, across agencies in the U.S. and internationally.”
The White House is trying to smooth the road so different entities can work together easier. “These various alliances are a good first step to help protect critical infrastructures, however they have a long way to go,” said Desouza.
The DoD has taken the call to work across teams and across department borders very seriously.
“The DoD has seen their entire processes and their operations completely transformed through information technology. For them, information technology is not just an administrative tool that is used by the accounting department or the HR department. Information technology has enabled intelligence that helps them achieve their core objectives,” explained Desouza.
The DoD has also invested heavily in IT. “The sheer volume of the DoD’s IT budgets affects private contractors. The contractors have been forced to play ball, because the contracts are so big, contractors have become very conscious of how they protect and how they govern these infrastructures and these technologies.”
“Protecting IT infrastructure may seem like a no-brainer, but it is clear that cybersecurity is not a high priority for most U.S. federal agencies. Failure to enhance IT security will likely result in catastrophic outcomes as militant groups and other cyber vandals increasingly target critical infrastructure,” said Desouza.