Analysis and Review of the State of Cyber Security in the US Government

US government cyber security

Each year the US President delivers an address to Congress, televised around the world, that has come to be known as the State of the Union Address. Consider this the State of Cyber Security address, a topic which may (or may not) get covered come January 2018.

Considering that cyber security affects every individual with a digital device, every business, and even such infrastructure as the power grid, it seems worthy of closer examination. And unfortunately, the state of the union is not what it could be: even within the United States itself, federal government cyber security does not stack up against some other industries.

We’ll take a look at some of the key areas of weakness, where successes have occurred, and even the future of national cyber security (compared to that of other key nations).

Here’s an analysis and review of the state of cyber security in the US government.

US Government in the Spotlight: As an Industry

This year’s analysis of key cyber security data points by SecurityScorecard, the “2017 US State and Federal Government Cybersecurity Report”, showed that government, as an industry within the United States, actually did improve over the previous year. Of course, in the 2016 report the government came in dead last, and this year it only bested two other industries, education and telecommunications, so that’s not much to write home about. One could also argue that education and telecommunications are two of the industries most closely related and interconnected to the government, since in many cases they’re public entities (which means public funds, which has a great deal to do with the budget, which leads to cyber budgets…you get the idea).

Still, as a whole, the government sector outperformed telecommunications and education last year, but fell well behind sectors such as the food, entertainment, and retail industries. In part, the federal government attracts a wide threat base, with both state-sponsored threat actors and individual attackers. But then, so do many other industries (more on that later).

Here’s a look at some of the areas in which the federal government isn’t keeping pace. According to a recent joint study by researchers at the University of Maryland and Virginia Tech, “Trojans, followed by viruses and worms, posed the principal threats to machines in the United States.” The federal government may, in part, receive a greater volume of such threats than some other industries.

SecurityScorecard pointed out that government size has a great deal to do with threat level, both for better and for worse. Some small organizations outperformed the federal government (Waukesha County, Wisconsin, population less than 400,000, scored better than such organizations as the Internal Revenue Service and Congressional Budget Office).

“While one might think that a smaller IP footprint means these government entities have a smaller attack surface,” the authors expound, “In most cases, it also means that there are [fewer] people monitoring the attack surface.” Mid-sized government organizations often experience the worst of both worlds: too small for decent cyber budgets, too big to go unnoticed. (All of those trojans, viruses, and worms that sweep government entities large and small seem to coagulate on mid-sized organizations).

Despite much larger budgets, some of the largest agencies in the country have major points of weakness that have gone unhandled.

  • Network security – Most experts focus on compartmentalization, closing off and securing all internal systems. Ideally, only a few critical systems connect to the internet. A myriad of tools exists to improve network security — firewalls, packet filtering routers, intrusion detection systems (IDS), etc. Yet, across government organizations of all sizes, weaknesses were detected: “open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and security holes that can stem from the lack of proper security measures.”
  • Leaked credentials – Sadly, government scored incredibly low in leaked credentials (meaning it has had many instances). Frightening, considering this stems only from either re-used passwords across platforms or the use of work emails for non-work purposes (remember all of those .gov emails that were part of that Ashley Madison leak, anyone?). Leaked credentials indicate a serious user education problem in US cyber security.
  • Patching cadence – If systems were patched when updates became available, there would have been no WannaCry or NotPetya, among so many preventable attacks. Despite the press given to zero-day vulnerabilities, a remarkable percentage of cyber attacks get caught and patched before they ever reach most organizations. But cyber security in the United States government is not keeping up with a short patch cycle and is plagued by outdated “legacy” equipment and software that lacks vendor support. Endpoint security (for all of those many devices workers bring to the office) has also taken a major hit due to the lack of updated, updatable systems.
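The patching-cadence point above is easy to measure once an asset inventory records when a vendor fix became available and when it was actually installed. The following script is an added example, not code from the original article or from SecurityScorecard: it walks a constructed inventory (the host names, products and dates are made up), computes the lag between fix availability and installation, flags assets that exceed a patch SLA, and separately flags end-of-life platforms that can no longer be patched at all, which is the “legacy” problem the bullet describes.

```python
"""Patch-cadence report over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Asset:
    name: str
    product: str
    patch_released: date              # date the vendor fix became available
    patch_installed: Optional[date]   # None means the fix is still not applied
    vendor_supported: bool = True     # False marks an end-of-life "legacy" platform


# Constructed sample inventory; none of these are real hosts or real dates.
INVENTORY = [
    Asset("fileserver-01", "Windows Server 2016", date(2017, 3, 14), date(2017, 3, 20)),
    Asset("hr-db-02", "Oracle Database", date(2017, 4, 18), date(2017, 7, 1)),
    Asset("kiosk-07", "Windows XP", date(2017, 3, 14), None, vendor_supported=False),
    Asset("web-proxy", "Linux", date(2017, 5, 2), None),
]


def days_to_patch(asset: Asset, as_of: date) -> int:
    """Days from fix availability to installation; unpatched assets count up to as_of."""
    end = asset.patch_installed or as_of
    return (end - asset.patch_released).days


def cadence_report(inventory, as_of: date, sla_days: int = 30) -> dict:
    """Summarise patch lag and list SLA breaches and unsupported platforms."""
    overdue, unsupported, lags = [], [], []
    for asset in inventory:
        lag = days_to_patch(asset, as_of)
        lags.append(lag)
        if not asset.vendor_supported:
            # No fix will ever arrive for this platform; it needs isolation or replacement.
            unsupported.append(asset.name)
        if lag > sla_days:
            # (name, days of exposure, still unpatched?)
            overdue.append((asset.name, lag, asset.patch_installed is None))
    return {
        "median_days": median(lags),
        "overdue": overdue,
        "unsupported": unsupported,
    }


if __name__ == "__main__":
    report = cadence_report(INVENTORY, as_of=date(2017, 7, 10))
    print(f"median days to patch: {report['median_days']}")
    for name, lag, still_open in report["overdue"]:
        state = "still unpatched" if still_open else "patched late"
        print(f"  OVERDUE {name}: {lag} days ({state})")
    for name in report["unsupported"]:
        print(f"  UNSUPPORTED {name}: no vendor fixes available")
```

Run as-is and it reports a median lag well above a 30-day SLA, two hosts still exposed, and the unsupported kiosk. The useful design choice is that unpatched assets keep accruing days until the report date, so an asset that was simply never touched shows up as the worst offender rather than disappearing from the statistics.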

The government didn’t fare poorly in every category (just most every category). When it comes to DNS security, they got close to top marks. That’s one area in which budgets have paid off and kept up with other industries. “Cubit score” also rated well.

  • “The Cubit module reveals which administrative portals or subdomains are publicly viewable, which provides a potential access point to an organization’s internal network. By knowing that there is an exposed administrative portal, a hacker may look for leaked credentials in the deep web and use it to leverage the identity of an authorized user. Once logged in, the hacker may obtain unauthorized access of default accounts, take over unused pages on a website, unpatched flaws, or unprotected files and directories to gain access to or knowledge of the system.”

Only the legal sector got a better Cubit score than the government. Considering how poorly government performed in related areas, such as leaked credentials as discussed above, that Cubit score could be one explanation for why we haven’t seen a major federal government-level cyber fiasco, despite such snafus as the hack of a Pentagon official.

The score of the government sector across these key areas of vulnerability is one topic. Next, we’ll take a look at some of the underlying core policies and problems that may be creating these technical vulnerabilities.

The Achilles of Government: When You are Goliath

Why not borrow from both Greek and Hebrew mythology when you talk about weaknesses in the operations of the US government? After all, the young nation was founded by political and religious asylum-seekers who modeled their system of government off of a combination of Greek and Biblical ideologies.

First, the Goliath problem: cyber security in the United States suffers from its mere size, one of biblical proportions.

COMMUNICATION PROBLEMS

There is a published protocol for reporting cyber incidents to the federal government, via the Federal Bureau of Investigation (FBI). Fun survey: ask 10 people if they’ve ever heard of it. You could even survey IT people, and the answer would probably amount to little more than blank stares. (That’s likely because the above-linked PDF has not been widely distributed; you have to seek it out.)

The federal government also has some serious trust issues, as in “trust us, but we don’t trust you.” When data is turned over to the federal government, they tend to hide it very quickly. Data sharing and crowdsourcing advance innovation, but communication breakdowns in the name of security occur even across and within federal agencies. Speaking to US News & World Report, Nate Fick, CEO of Virginia-based cybersecurity company Endgame (and a Marine Corps and Iraq War veteran), said, “There’s a lot of talk in the U.S. about public-private partnerships. Most of them are thin.”

By the time the feds do hire a private company, they’re usually experiencing some major (and complicated) event. Yet government entities expect an absurd amount of trust from users. (Just take a look at the “Informed Delivery” service that security researcher Brian Krebs called a “stalker’s dream.”) For trust to work, it needs to be a two-way street, but the US government has not done so well in choosing whom or how to trust. Just this week, Wired Magazine published a story about the continual problems with contractor leaks experienced by the National Security Agency (NSA). No wonder they’re hesitant to partner with private entities.

ADMINISTRATION PROBLEMS

While we’re on the subject of the problems of being the size of Goliath in a world where every hacker could be your David, let’s pause and talk about this acronym problem: just in the paragraphs above, we had to mention the FBI and NSA. But then there’s also the CIA, DHS, DoD, White House and others with a role in the superpower’s cyber security and digital health.

While an excellent case could be made for consolidating the US federal cyber defense structure, at the very least clearer definitions of each agency’s remit, with minimal overlap, minimal bureaucracy and maximum cooperation, could go a long way toward improving the state of cyber security in the nation. That clarity would then also improve coordination and efforts between the public and private sectors.

One model the US government could replicate, from the private sector, would be the Google model. With onsite housing and lots of perks, Google not only has internal coordination and innovation but also the ability to attract top talent. That model might not be so different from some nations, such as China or North Korea, which reportedly have clandestine “hacker schools,” live-in facilities sponsored by the government where the elite train as though for a cyber Olympics (or cyber apocalypse).

Many smaller private companies and smaller government entities within the United States cannot financially support in-house cyber defense strategies, and thereby serve as weak points in the national cybersecurity chain. The US would therefore also do well to get administratively organized enough to provide better resources to businesses (such as through the FTC or FBI).

RELIC PROBLEMS

A theme throughout the vulnerabilities discussion above, when it comes to the government sector, is the age of equipment and software. The US did invest in computer technology from an early age. “The problem is those old technology investments are still there,” the authors of the SecurityScorecard report state. “A museum-worthy collection of technology investments through the ’80s, ’90s, and mid-2000s full of vulnerabilities sit alongside new emerging (and often misconfigured) technology, creating a horrible hodgepodge of cybersecurity risks.”

Where the US has led the globe is in anything that can be monetized, such as innovative devices and cyber insurance. If innovation outpaces security, however, you only increase the breadth of the attack playing field.

EDUCATIONAL PROBLEMS

Another Achilles heel in the behemoth cyber security problem within the United States comes back to education. If a Pentagon official can fall for a phishing scam and the government can score so poorly in areas related to leaked credentials (see leaked credentials preventability above), you have a cyber education problem.

While the US has helmet laws for bicycle riders and fire safety laws for businesses of all sizes, the digital world is accessible to one and all. The equality of platforms (for those with the financial resources, but that’s another topic of equality altogether) is part of the appeal of the digital age. What started as a resource for research and data gathering has grown to include an entire alternate universe, such as the home of all things social media.

Most platforms have tried to increase requirements for cyber security, such as “password strength” ratings. Yet the “rating” of your password is no indication of whether you’ve used that same password on multiple sites, a key point of weakness in the cyberverse now that literally billions of user credentials are on the dark web.
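The gap between a password strength rating and actual exposure, raised here and in the leaked-credentials bullet earlier, can be shown in a few lines. The script below is an added example, not code from the original article or from any platform mentioned in it: it rates a password the way a simple strength meter would (length and character classes), then separately checks whether the password appears in a constructed set of breached-password hashes and whether the same user already uses it on another account in a constructed, salted credential store. The passwords, hash set and account names are all made up for the demonstration.

```python
"""Strength rating vs. breach and reuse checks (added example, constructed data)."""
import hashlib
import re
import secrets


def strength_rating(password: str) -> str:
    """Crude strength meter: counts character classes and length, nothing else."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    if len(password) >= 12 and classes == 4:
        return "strong"
    if len(password) >= 8 and classes >= 3:
        return "medium"
    return "weak"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form breach corpora are commonly indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus; a real deployment would
# query a breach dataset, not a hard-coded set.
BREACHED_HASHES = {sha1_hex(p) for p in ("Tr0ub4dor&3!", "password", "Summer2017!")}


def hash_with_salt(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, as a credential store would hold passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def make_store(accounts: dict) -> dict:
    """Build {account: (salt, hash)} from {account: password}; each gets its own salt."""
    store = {}
    for account, password in accounts.items():
        salt = secrets.token_bytes(16)
        store[account] = (salt, hash_with_salt(password, salt))
    return store


def reused_on(password: str, store: dict) -> list:
    """Accounts whose stored hash matches this password under that account's salt."""
    return [acct for acct, (salt, digest) in store.items()
            if hash_with_salt(password, salt) == digest]


def evaluate(password: str, store: dict, breached=BREACHED_HASHES) -> dict:
    """Combine the three independent signals a strength meter alone cannot give."""
    return {
        "rating": strength_rating(password),
        "breached": sha1_hex(password) in breached,
        "reused_on": reused_on(password, store),
    }


if __name__ == "__main__":
    # Constructed user with two existing accounts.
    user_store = make_store({"mail": "Tr0ub4dor&3!", "vpn": "C0rrect-Horse-Battery9"})
    for candidate in ("Tr0ub4dor&3!", "C0rrect-Horse-Battery9", "password"):
        print(candidate, evaluate(candidate, user_store))
```

The first candidate rates “strong” by the meter yet is both in the breach set and already used on the mail account, which is exactly the blind spot the paragraph describes. Two design points matter: the breach check uses an unsalted hash because that is how breach corpora are indexed, while the reuse check recomputes the salted hash under each stored account’s own salt, so the store never has to keep anything comparable across accounts in the clear.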

Without proper education in cyber technologies and cyber safety, users also fall for social engineering scams. Those scams don’t even require hacking skills since you can buy exploit kits or pre-packaged phishing attacks in darker corners of the internet. Unless the US figures out how to make cyber security and digital research knowledge part of Common Core or some other educational model, it’s unlikely that Goliath will ever be able to shake off the Achilles ankle-biters.

The US vs…Everyone Else: the Age of Cyber Warfare

So far we’ve been analyzing the government sector from an internal perspective, reviewing the state of such key categories as vulnerabilities, preparedness, and education, and we’ve touched on some points of comparison with other countries on the global playing field. What we haven’t really done yet, though, is compare the United States to other countries when it comes to cyber security.

In the history of warfare, the newer, bigger devices often turned the tide of warfare. When Europeans showed up with guns, natives didn’t stand a chance. When the US bombed Japan with nuclear weapons, the Great War soon ended. The philosophy of having the biggest and best gun first has created an international one-upmanship.

The digital world has changed the game. For one, the tools of cyber warfare are more easily obtained than, say, nuclear weapons. For two, there are scenarios under which the US would never stand a chance. For example, North Korea has earned the moniker “The Hermit Nation,” because it is famously dark from space, yet it has state-sponsored hacking groups that have managed to infiltrate such companies as Sony Pictures.

How could the US, a country where nearly every resident has at least one internet-connected device, ever retaliate against a nation that doesn’t even allow residents to have lights on after dark? The stakes are very different in this particular kind of war. Yet, despite such points of weakness, the US recently ranked 11th in the world for cyber security safety. Several European countries scored better, but Goliath ranked ahead of China, Russia, India, Saudi Arabia, and South Korea, among others.

The tactics of the impending (and possibly already under way) cyber war, though, are similar to those of other, non-digital campaigns. The objectives fall under three main categories:

  1. Espionage – Data-gathering provides enemy insight, but also circumvents the innovation process, such as when China recently stole fighter plane technology from the US. Potentially, a well-armed cyber espionage team shortcuts and aids all other warfare techniques.
  2. Propaganda – Though the US didn’t invent propaganda-as-a-means-of-warfare (aka psychological warfare), it has certainly utilized such tactics the world over. No longer requiring dropping leaflets from the sky, psychological warfare in the digital age has to do with SEO (search engine optimization), state-screening of stories, waging of public opinion and fake news, among other tools in the cyber warfare propaganda toolbox.
  3. Direct attack – Yes, some cyber threats are actually just direct attacks, designed to either disrupt operations, discredit sources (another aspect of psychological warfare), or otherwise directly torpedo your opponent. While the US has admitted to such attacks as Stuxnet, which hit Iran’s nuclear program, the extent to which this battle is being waged across borders is not fully known.

The cyber war appears to be escalating, as larger attacks of a state-sponsored nature occur seemingly every month. It’s such a new area of warfare, where nations seem to have a codified sense of what is an act of espionage and what would constitute a full-blown assault. Yet how long will such a code of ethics last without a more organized set of protocols?

The state of the union, in cyber security in the United States, is therefore uncertain, but hopeful. By addressing some of the points of weakness discussed in this analysis and review, this Goliath could become a more efficient, natural leader in the field of cyber security.
