Most agencies are falling short in making cybersecurity a part of their strategic plans.
New research shows only the departments of Defense and Energy did a good job recognizing the role of cybersecurity more broadly across their agency.
Kevin Desouza, the associate dean for research at the College of Public Programs at Arizona State University and a non-resident senior fellow in Governance Studies at the Brookings Institution, examined more than 1,000 pages of strategic plans from all the major agencies to assess how they integrate cybersecurity with their goals. Desouza, who wrote a blog post about his findings for Brookings, said the results were less than reassuring.
“The major issue that we uncovered was that even though the threats of attacks to critical infrastructure are at an all-time high, most of the agencies lack clear plans on how to invest into capabilities to actually deal with these threats, and also in the agencies where they had clear plans or clear actions, there were no real performance evaluation metrics to actually uncover if these investments are actually going to pay off,” Desouza said in an interview with Federal News Radio. “The other thing that we found that was rather critical was, with the exception of the Department of Energy and the Department of Defense, where you have traditional large, critical infrastructure programs, the rest of the agencies pretty much ignored this issue altogether. If you were going to cause harm to the U.S., there are plenty of agencies whose data you could easily compromise given that they don’t recognize this as a strategic priority.”
Desouza defined critical infrastructure as water, electricity, telecommunications and other traditional sectors as well as the hardware and software components of systems.
Even though the private sector controls about 85 percent of all critical infrastructure, Desouza said agencies are still at risk. Not only do they buy these services from the private sector, but the 15 percent that DoD, DoE or others do control usually has some connection back to the non-public sectors.
“The private sector invests a huge amount of resources to actually protect its information, its data and everything else that goes along with the infrastructure,” he said. “However, the critical issue is, regardless of the amount of effort the private enterprise invests, if the weak link is the 12 percent or 18 percent owned by the public, that weak link can be used as an entry point to exploit things further down due to the interconnected nature of the infrastructure. The other thing is that the public sector has a role to play when it comes to establishing frameworks and governance protocols to actually get collaboration done among the various agencies and also between the agencies and the private sector.”
Desouza found 35 percent of the agency objectives included some IT elements, and about 12 percent were entirely technology related. But the research showed that half of all agency plans make no mention of cybersecurity, and less than 25 percent of the IT objectives do not address the need to secure their computers or networks.
Additionally, agency strategic plans rarely discussed cybersecurity in detail, with most only making brief mentions of ongoing efforts.
Desouza said the reasons for these shortcomings are varied. As part of his broader research into how performance measures are applied to IT, Desouza said he is interviewing public sector CIOs, and it has become clear that culture and leadership challenges are causing this lack of focus on cybersecurity.
“If you take an agency where IT is actually helping that agency innovate and increase the efficiency of how their processes happen and deliver their services more effectively, IT by default is going to make things cheaper,” he said. “No head of a unit or a team wants to say, ‘Now I need a lower amount of money.’ So IT is not always viewed as ‘Hey, thank you for reducing my operational costs,’ because if you reduce my operational costs, then I can’t ask for the same amount of money going ahead. So, in agencies that have traditionally been very labor intensive, IT, I think, is purposely downplayed due to the fact that there can be a lot of efficiency gains.”
Desouza said the reason DoD and DoE were ahead of the other agencies is the simple fact that these two agencies face more cyber attacks than others and have well-defined cyber protection programs and teams.
“There were elements in other agencies that we were impressed with. Just as an example, if you look at Treasury, they have a pretty extensive program in place when it comes to how they monitor criminal activity that happens on online networks, and the movement of money across these networks to actually conduct illicit activities,” he said. “They have that element of that program that was actually pretty good. However, we didn’t think that their program was extremely advanced because they viewed that as an isolated branch within their agency, and as we looked at how well this is connected to an offensive program that may be run out of the IT department to actually learn from those experiences to actually protect their infrastructure, we didn’t find a clear link. Now, we didn’t go into an extreme amount of detail, so that link may exist, but at least from our initial evaluation we didn’t see a link to an extremely good program that they could use to actually increase their learning with their IT.”
Desouza added that the agencies with the most challenges were the ones where the CIO and information security roles sat furthest down in the organization. He said they counted the number of layers between the CIO and the secretary of the agency or the secretary’s chief of staff.
In many ways, the cybersecurity problems Desouza talks about mirror problems with federal IT acquisition. This is one reason Congress passed and President Barack Obama signed the Federal IT Acquisition Reform Act into law.
Desouza said his final cybersecurity research, which initially began with a grant from the IBM Center for the Business of Government focusing on performance measures, should be ready by mid-April after he wraps up some of the final interviews with CIOs.
“The real trick with cybersecurity from a recommendation point of view is there is very little to recommend that we already did not know,” he said. “Just as an example, if an agency doesn’t take that threat seriously, they will get compromised. If an agency doesn’t have an information officer or a team, chances are it is not a priority. While we have tried to think about innovative recommendations as we did the research that was highly specific to the blog post, we couldn’t come across anything that wasn’t already told to CIOs and agency heads. One of the things we do recommend is there needs to be more information sharing that happens across these agencies.”