Government IT Vulnerabilities Persist

Over the past year a wide consensus has emerged that cybersecurity is no longer only, or even primarily, a “technical” issue but rather a top-line issue of national and homeland security. As the administration, Congress and other policy leaders debate the appropriate structures for tackling the issue on a national and global basis, the problem of securing operational IT across government continues to fester.
Across Federal civilian and Department of Defense (DoD) agencies, the number and severity of cybersecurity incidents have stayed the same or increased in the last year, with nearly one-third of Federal agencies experiencing a cybersecurity incident daily, according to the 2009 Federal Cybersecurity Report released last week by CDW Government, Inc. (CDW-G).
The report, based on a September survey of 300 Federal IT security professionals, identifies agency cybersecurity threats, steps Federal IT professionals are taking to combat them and opportunities for improvement.
More than half of all Federal agencies experience a cybersecurity incident at least weekly, according to the report, with malware (including viruses, worms, spyware, adware, Trojan horses, etc.), inappropriate employee activity and remote user access most frequently cited as the top challenges Federal IT.
Federal IT professionals say their agency network’s biggest threat comes from external sources.
More than 70% of respondents to the report say they still have seen inappropriate Web surfing or downloads in the past 12 months, while more than 40% say they have seen an unauthorized transfer of sensitive information. Further, of those who provide employee training, nearly half have seen employees post passwords in public places.
Huge gaps in basic IT security persist despite what sources describe as extensive commitments of resources.
For instance, 60% of all Federal IT professionals say threats related to mobile computing have increased or significantly increased versus one year ago, yet nearly two-thirds of all respondents report their agency does not have data loss prevention. Further, of those who report their remote/mobile computing threats are increasing, 63% do not use wireless encryption, 50% do not use two-factor authentication, 31% do not use a VPN and 31% do not use e-mail encryption.
Of those who report inappropriate employee activity is increasing, 33% do not use Web filtering software and 32% do not use network access control software.
The report outlines several recommendations.
First, it urges organizations to reassess end-user training by establishing a program and metrics to measure training success, communicating security policies that include guidelines for acceptable use and policy acknowledgement, and establishing consequences for non-compliance with agency cybersecurity policies.
The report further recommends organizations address the mobile threat by implementing a tiered security architecture on mobile assets, such as two-factor authentication, VPN sessions, data-at-rest encryption, remote Web filtering and end-point security software, to ensure the mobile device is compliant and within policy.
Yet another recommendation is the implementation of industry-standard technologies.
Finally, the report recommends agencies participate in the Trusted Internet Connections program.
