
OMB Report Underscores Serious Crisis

A report from the Office of Management and Budget (OMB) highlights a nuanced and concerning landscape regarding cybersecurity within various federal agencies.

The document, submitted to Congress, underscores a persistent vulnerability across several large federal agencies to cyberattacks, despite a decrease in reported incidents. This decrease, a 12% drop to 31,107 incidents, is not necessarily indicative of improved cybersecurity. The OMB advises caution in interpreting these figures, especially considering the recent changes in reporting guidelines.

That would be word-salad for “we have to say it, but it’s not true”.

Despite Years of Warnings from CISA

Email-based threats remain the primary method of cyberattacks on federal agencies. Alarmingly, in approximately 27% of these incidents, the agencies were unable to pinpoint the source of the attacks. This statistic is particularly troubling as it reflects the sophistication and stealth of cyber adversaries, as well as potential deficiencies in federal cybersecurity strategies.

The report focuses on the cybersecurity posture of specific agencies, including the Departments of Energy (DOE) and Health and Human Services (HHS), the Environmental Protection Agency (EPA), the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC).

Each of these agencies was identified as being “at risk” due to significant gaps in their cybersecurity measures, despite having policies and processes in place. The assessment was based on five critical factors: the ability to identify information technology assets, protect them, detect attacks, respond to those attacks, and recover from them.

Money, Money, Money

In terms of budget allocation, the federal government’s spending on cybersecurity was substantial, amounting to $14.9 billion. Of this, the Department of Defense (DoD) accounted for more than half, with an expenditure of about $8.05 billion. This substantial investment reflects the high priority placed on national security and the recognition of the evolving cyber threat landscape.

The risk profiles for the various agencies reveal concerning details. The DOE, for instance, was marked as being at “high risk” concerning the protection of its assets and “at risk” in the areas of detection, response, and recovery. The DOE’s vulnerability is particularly alarming given its critical role in managing the nation’s nuclear weapons, energy infrastructure, and scientific research and development.

A successful cyberattack on the DOE could have catastrophic consequences, compromising national security and public safety.

Skill and Shield Gap

The HHS, another vital federal agency, was marked as “at risk” because its information security program was evaluated as “Not Effective.” The assessment pointed out that HHS had not achieved a “Managed and Measurable” maturity level in critical functional areas like Identify, Protect, Detect, Respond, and Recover. This rating raises significant concerns about the protection of sensitive health data and critical healthcare infrastructure.

The EPA’s cybersecurity challenges were attributed to gaps in capabilities, human resources, and infrastructure. The report highlighted the agency’s limited ability to collect quantitative data, its reliance on qualitative measures, and insufficient funding, all of which hamper its security operations and incident response capabilities.

For the FCC, the report found its information security program ineffective in areas including its financial management and inventory management systems. The ineffectiveness of these programs in a regulatory body like the FCC, which oversees communications infrastructure, is troubling, considering the critical role of communication systems in national security and emergency response.

The report also included other agencies like the Equal Employment Opportunity Commission, the National Archives, the Tennessee Valley Authority, and the Privacy and Civil Liberties Oversight Board, all rated as being “at risk.”

The Smithsonian Institution’s classification as “high risk” is particularly noteworthy, given its role as a custodian of national history and culture. The implications of a cyberattack on the Smithsonian could extend beyond data breaches to impact national heritage and public trust.

DHS Digs Deeper

The Department of Homeland Security (DHS) conducted separate assessments on the capability of these federal agencies to safeguard high-value assets. The deficiencies identified included a lack of data protection, inconsistent application of software security patches, weak authentication requirements for system access, and a lack of continuous monitoring. These findings suggest systemic weaknesses in the federal government’s approach to securing its most critical digital assets.

In sum, the OMB report presents a complex and challenging picture of federal cybersecurity readiness. While there has been a reported decrease in cyber incidents, the persistent vulnerabilities, the inability to identify attack sources, and the varying risk profiles of different agencies underscore the need for a more robust and proactive approach to cybersecurity.

The significant investment in cybersecurity, particularly by the DoD, highlights the recognition of these challenges.

However, the report’s findings suggest that there is a critical need for improved strategies, better resource allocation, and more effective implementation of cybersecurity measures across all federal agencies to safeguard national security and public interests in an increasingly digital world.

The Kicker

So, here’s the kicker – the OMB report was written in 2019 – we have had thousands of attacks on Federal networks since then – most notably, SolarWinds, Microsoft and MOVEit, which affected several U.S. government agencies as recently as May.

The proposed Cybersecurity budget for Federal agencies in 2023 was $10.89 Billion – $4 Billion less than we allocated in 2019.

What are we doing?

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.

