Survey: U.S. Government Still Vulnerable to Cyber Attacks Despite Major Security Investments

The U.S. government is just as vulnerable to cyberthreats—if not more so—compared to two years ago, according to a new survey of federal information security professionals. Nearly half of approximately 1,800 respondents indicated that security has not improved in the federal space; while another 17 percent stated their organization’s security posture is actually worse off, primarily due to an inability to keep pace with threats, a poor understanding of risk management, inadequate funding and not enough qualified professionals.

According to the biennial survey by the professional association (ISC)2, 58 percent of respondents indicted that, despite government investments to shore up vulnerabilities, they still are not confident legislators will provide new or adequate levels of funding to meet cybersecurity needs.

“The results of this year’s work force study are somewhat predictable, yet startling at the same time,” Dan Waddell, director of government affairs for the National Capital Region of (ISC)2, says in a statement. “While the task at hand is indeed overwhelming given the complexity of threats and the government’s limited resources, when we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation’s overall security posture, our hope was to see an obvious step forward. The data shows that, in fact, we have taken a step back.”

Roughly 1,800 information security managers and personnel working for the U.S. federal government were surveyed for the seventh Global Information Security Workforce Study, done in partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI Secure Technologies, and conducted by Frost & Sullivan. Results of the survey, collected between October and December 2014 through a Web-based survey and released Thursday, indicate that respondents believe the government earned quite a small return on investments to create cybersecurity policies, guidelines, tools and acquire technologies. Other findings include the following:

·       Threat response times have not changed in 2 years. More than half of survey respondents believe organizations did not improve security readiness. Application vulnerabilities and malware remain the top security threats and are increasing as a concern.

·       Although procurement and acquisition are cited as moments of great vulnerability, officials place little focus on applying security during the supply chain process.

·       Despite the improvements in federal hiring, more respondents indicated that they do not have enough information security personnel to meet mission demands, and the work force gap hurts organizations and customers.

·       There has been little return on the larger investment in the National Institute of Standards and Technology’s Cybersecurity Framework. Fifteen percent of organizations outside of the federal government have implemented the framework; and 45 percent say they don’t know if they’ll use it.

·       Cloud remains slow to take off, despite Cloud First policy. The Federal Risk and Authorization Management Program, in particular, has less of an impact than anticipated in advancing cloud migration, with 64 percent of respondents not knowing if it has any impact.

“On a positive note, we are starting to see an uptick in federal personnel salaries, with a 4 percent jump over salaries reported in 2013,” Waddell says. “Overall, the federal government must invest more to improve cybersecurity, but it needs to find better ways to ensure that those investments will provide adequate returns. Given the significant demand for skilled professionals, training and education are areas of investment that can lead to significantly higher returns and help to both attract and retain cybersecurity professionals.”