Cyberthreats Rise as Federal Agencies’ Defenses Slip

Information technology vendors who can provide productive ways to protect against cybersecurity threats should find a welcome market among federal agencies. Cybersecurity is the major worry of government IT personnel, two recent surveys concluded.

Federal IT managers polled for a Cisco-sponsored study were asked to select which of nine possible scenarios posed the “greatest risk” to their agencies over the next year. The “increased sophistication of cyberattacks” was a risk cited by 71 percent of respondents, and it ranked at the top of threat scenarios.

All of the 174 participants in survey conducted by MeriTalk, an online community for federal agencies, said that cybersecurity threats had increased in the past year.

In late 2008, when MeriTalk last addressed the issue, about 87 percent of respondents said that the cybersecurity threat was greater in 2008 than in 2007.

“We believe the increase in concern between 2008 and 2011 is due to a perfect storm of different factors — more information online, a greater variety of devices, and the increase in sophistication of cyberattacks,” Steve O’Keeffe, founder of MeriTalk, told CRM Buyer.

The “negligent use of information by internal personnel” was cited by 63 percent of Cisco survey respondents as a risk over the next year, ranking second among worrisome scenarios. Next were “increased use of social media” at 61 percent and “lack of integration across multiple systems” at 45 percent.

Vendors Must Add Value

The heightened concern about cybersecurity presents an opportunity for vendors who can address data protection issues. However, constraints on federal budgets will present a challenge to vendors marketing cybersecurity products and services, the survey results indicate.

For example, 53 percent of respondents in the Cisco study said that budget cuts were negatively impacting their cybersecurity goals.

Federal agencies responding the MeriTalk survey said that on average, they only had about 60 percent of the funds to cover their cybersecurity needs.

However, declining budgets need not compromise security, Cisco researchers found, noting that there are cybersecurity solutions that deliver trust and visibility while reducing expense and increasing resilience.

“One of the most important factors we see is that vendors should not only address the functional needs for an IT installation,” Tom Albert, senior advisor at Cisco, told CRM Buyer. “What is truly necessary is to include the cybersecurity issue at the front end. You can’t just address it as an afterthought with a later bolted-on approach,” he said.

Integrating cybersecurity into any infrastructure improvement is the most efficient and productive way to handle threats, Albert noted.

To ensure that cybersecurity investments are productive, agencies must be able to match the threat with the solution. That’s where vendors can add value to the process, he added.

“One of the things we as vendors can do is help the agencies actually identify and detect vulnerabilities. Often the agencies will have a broad concern about security, but we can help them focus on specific requirements,” Albert pointed out.

Helping Agencies Help Themselves

“We also encounter situations where the agencies need help in leveraging the resources they already have to deal with cybersecurity — so there’s a lot of education and knowledge transfer that we can provide,” continued Albert. “

Vulnerability resulting from an inadequate knowledge of operations is a key worry for federal agencies. Only 51 percent of Cisco’s survey respondents said they had a “clear picture of all the activity on our networks.”

“Education and training” and “network intrusion detection” were the top two challenges agencies faced regarding cybersecurity, Cisco researchers found. In terms of investment priorities, “identifying system vulnerabilities” was cited by 50 percent of respondents, while “training agency personnel” was cited by 37 percent of survey participants.

The two most important cybersecurity priorities cited in the MeriTalk study were “securing federal networks” and “critical infrastructure protection.”

However, there may be one factor that is beyond the reach of vendors to address. Agencies are uncertain about who “owns” cybersecurity in terms of ultimate responsibility for protection, MeriTalk found. Respondents listed six different organizations, including the White House and the Department of Homeland Security at 14 percent each, and the Department of Defense at 6 percent. The category of “other” had the largest ranking at 35 percent.

“This finding illustrates there is significant confusion regarding who has overall responsibility and accountability for federal cybersecurity. This is of significant concern because coordinated monitoring and response is critical — definitely a ‘we all sink or swim together’ situation,” O’Keeffe said.

“This should be a priority for the new federal chief information officer,” he recommended. “Agencies need to know who establishes the policy, who sets the standards, where and how to share threat information and, most important, who is responsible for response.”