Many federal cybersecurity executives are underwhelmed by the government’s “cyber sprint” in response to the Office of Personnel Management’s massive data breach last year, according to a new report Thursday.
More than half of respondents (52 percent) in the small-scale survey said the administration’s “cyber sprint” — a 30-day push led by U.S. CIO Tony Scott to strengthen agencies’ network defenses — hadn’t improved the overall security of federal systems.
A quarter said their own agency made no changes after the June breach.
The report said the OPM breach wasn’t the wake-up call some cyber experts had hoped for.
“OPM had the breach, and while others were affected, they may not have felt the impact to the pain level needed,” said one former federal chief information security officer in the report, which was produced by the nonprofit International Information Systems Security Certification Consortium and sponsored by KPMG.
The anonymous former CISO added, “The Sprint looks to be turning into a marathon for some agencies — resources, mandates, oversight are all roadblocks to getting agencies started on [U.S. CIO] Tony Scott’s vision of security.”
Scott announced the sprint after news broke that the personal information of 22 million people who held or applied for a U.S. security clearance was exposed in the OPM breach. After the sprint, Scott lauded agencies for making “significant progress” on using personal identity verification cards or other forms of strong authentication.
The report also found 59 percent of survey respondents believe their agencies struggled to understand how cyberattackers could breach their systems.
Nearly two-thirds, 65 percent, disagreed that the federal government was capable of detecting ongoing cyberattacks.
For the report, researchers conducted an online survey of 54 people who identified themselves as federal senior managers or contractors with cybersecurity responsibilities.
The report offers recommendations:
- Use a holistic approach to dealing with cybercrime — don’t just focus on getting more technology.
- Give federal cyber executives more authority to make risk-based decisions and improve their agencies’ cyber culture.
- Educate the entire workforce on cyber.
- Conduct regular cyber hygiene trainings and simulation drills. Don’t just hold annual PowerPoint-based lectures.
- Nurture the government’s existing cyber professionals and reward them with continuing education opportunities.
- Reinforce the NIST Cybersecurity Framework functions as a baseline for security assessment.