Federal cybersecurity is in better shape than recent high-profile breaches might suggest, says a new report by security risk assessment company BitSight Technologies.
In its third annual “Insights Industry Benchmark Report,” BitSight ranks government cybersecurity second in security out of six major sectors, with a composite score of 688 on a 900-point scale. Only the finance sector scored higher, achieving a score of 716.
The high score comes in spite of a slew of allegations that the government is not doing enough to safeguard information, particularly in light of April’s massive Office of Personnel Management breach. A report by the Institute for Critical Infrastructure Technology alleged that “ill-equipped personnel, antiquated cyber security infrastructure, and abysmal security practices” were a major problem at Office of Personnel Management and numerous other agencies.
BitSight assesses sectors on their resistance to major security threats, including the SSL/TLS vulnerabilities POODLE, FREAK and Heartbleed. According to BitSight, such SSL vulnerabilities “can provide attackers with the ability to perform man in the middle attacks and extract sensitive information or gain private keys.” Although the government still showed some vulnerability to these attacks, the report stated that “many agencies are performing well as a sector in defending, detecting and recovering from network threats.”
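The three flaws named above are configuration and patch-level problems rather than malware, so an agency can check its own exposure without any external scanner. The following Python audit is an added example, not code from the article or from BitSight’s scoring methodology: it takes a constructed snapshot of a server’s TLS settings (the `TlsConfig` class, the sample `WEAK_CONFIG` and `HARDENED_CONFIG`, and the `audit` function are all assumptions of this example) and reports which of POODLE, FREAK and Heartbleed the configuration is still open to. The facts it encodes are the published ones: POODLE is an SSLv3 attack mitigated by refusing SSLv3, FREAK depends on the server accepting export-grade (`EXP-`) RSA suites, and Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.

```python
"""Offline audit of a TLS server configuration for POODLE, FREAK and Heartbleed.

Added example; the TlsConfig snapshot format and the sample configs below are
constructed for illustration and do not reflect any real host or BitSight's
proprietary scoring.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsConfig:
    """Snapshot of one server's TLS settings (constructed input format)."""
    protocols: frozenset      # protocol versions the server will negotiate
    ciphers: tuple            # OpenSSL cipher-suite names the server offers
    openssl_version: str      # as printed by `openssl version`, e.g. "1.0.1e"


# Matches release strings such as "1.0.1", "1.0.1f", "0.9.8y".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def heartbleed_exposed(openssl_version: str) -> bool:
    """Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g (April 2014) fixed it.

    Only the 1.0.1 release series is modelled; pre-release 1.0.2 betas raise
    ValueError rather than being silently classified.
    """
    m = _VERSION_RE.match(openssl_version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {openssl_version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)           # "" for the bare 1.0.1 release
    return base == (1, 0, 1) and letter < "g"


def freak_exposed(ciphers) -> bool:
    """FREAK needs a server that still accepts export-grade (512-bit RSA) suites.

    In OpenSSL's naming these all start with 'EXP-' (EXP-RC4-MD5, EXP-DES-CBC-SHA, ...).
    """
    return any(name.startswith("EXP-") for name in ciphers)


def poodle_exposed(protocols) -> bool:
    """POODLE is a padding-oracle attack on SSLv3; the mitigation is to refuse SSLv3."""
    return "SSLv3" in protocols


# Ordered list of (finding name, predicate over a TlsConfig).
CHECKS = (
    ("POODLE", lambda cfg: poodle_exposed(cfg.protocols)),
    ("FREAK", lambda cfg: freak_exposed(cfg.ciphers)),
    ("Heartbleed", lambda cfg: heartbleed_exposed(cfg.openssl_version)),
)


def audit(cfg: TlsConfig) -> list:
    """Return the names of the checks the configuration fails, in CHECKS order."""
    return [name for name, check in CHECKS if check(cfg)]


# Constructed sample: legacy settings with every one of the three problems present.
WEAK_CONFIG = TlsConfig(
    protocols=frozenset({"SSLv3", "TLSv1", "TLSv1.2"}),
    ciphers=("EXP-RC4-MD5", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"),
    openssl_version="1.0.1e",
)

# Constructed sample: the same host after remediation.
HARDENED_CONFIG = TlsConfig(
    protocols=frozenset({"TLSv1.2"}),
    ciphers=("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"),
    openssl_version="1.0.1g",
)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {', '.join(findings) if findings else 'no findings'}")
```

Run as a script it prints `weak: POODLE, FREAK, Heartbleed` and `hardened: no findings`. The version parser deliberately rejects strings it does not recognise instead of guessing, since an audit that quietly reports “clean” on unparsed input is worse than one that stops.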
The federal government’s 2015 score marks a four-point improvement over last year’s and puts it narrowly ahead of industries like retail and utilities, which scored 684 and 652 respectively. The government scored significantly higher than the health care education sector, which indexed at only 554.
The federal industry grouping includes 119 government entities spanning from defense to diplomacy and budget. To further increase their scores, the report recommends that agencies establish best practices and stop “lowest bidder” contracting, which led to the hacks of USIS and Keypoint, yielding sensitive information to overseas hackers.