While major companies such as Facebook, Marriott and Capital One often dominate data breach headlines, government bodies are increasingly the target of crippling cyberattacks.
In fact, more than 170 government systems have been hit with ransomware attacks since 2013 according to the U.S. Conference of Mayors. And an attack on the city of Atlanta ended up costing the city upward of $17 million.
Yet despite these ongoing cybersecurity threats, a report released earlier this summer by the Senate’s Permanent Subcommittee on Investigations (under the Committee on Homeland Security and Governmental Affairs) showed that government agencies still have considerable work to do.
Of the eight agencies the subcommittee investigated, including the Department of Homeland Security, the Department of Transportation, the Department of Agriculture and the Social Security Administration, it found that five couldn’t produce a complete list of IT assets, six were unable to keep systems patched with security updates, and seven left personally identifiable information vulnerable to theft.
To adopt a more robust cybersecurity posture, these agencies must address their current shortcomings by taking three steps:
Lean on true experts from the start
Many well-intentioned but ineffective policies are enacted in response to massive mistakes and written by policymakers who don’t understand the shifting cybersecurity landscape. For instance, the Internet of Things (IoT) Cybersecurity Improvement Act, introduced by the Senate and House in 2017, was drafted to protect “connected citizens” by requiring that vendors certify their connected devices have no vulnerabilities before going to market. That’s a well-intentioned idea but one that likely won’t have an impact. After all, no one can promise that a connected or smart product is absolutely free of vulnerabilities, especially with a cybersecurity landscape that changes so rapidly.
Ultimately, policies like this are just creating a host of unnecessary hurdles without actually improving cybersecurity outcomes for connected citizens or government agencies. To fix the problem, individuals who have both technical expertise and a knowledge of government need to be involved early on in policymaking. Currently, subject matter experts are brought in when proposed legislation is being considered. What’s needed is for policymakers to enlist technical experts to assist in drafting the original language.
Prioritize the phaseout of vulnerable legacy systems
All eight agencies the Permanent Subcommittee on Investigations examined were found to be relying on outdated legacy systems whose vendors no longer even issued patches to fix vulnerabilities. DHS, for instance, had some machines that were still utilizing Windows 2003 although support for the operating system ended in 2015. Meanwhile, some of the SSA’s systems rely on a programming language nearly as old as the citizens Social Security is designed to serve.
These systems make it all but impossible to implement modern cybersecurity measures. To avoid exposure, agencies need to upgrade their technology and expedite the implementation of modern solutions. That’s easier said than done, of course — updates on this scale take considerable agency effort to accomplish. Nevertheless, these updates should be prioritized during the next budget cycle and a plan put in place to make them happen. The working capital funds authorized by the Modernizing Government Technology Act will be of vital importance in this effort.
Ensure email traffic is legitimate
Although hacking tools have become more sophisticated over time, the humble phishing email is still the source of the most breaches, according to the U.K. government’s 2019 Cyber Security Breaches Survey. This is a particular issue for federal agencies. As David Wagner, president and CEO of security technology company Zix, points out, “People assume .gov emails have a certain legitimacy, which makes impersonating the federal government — like the ongoing IRS scam — a common fraud tactic.”
To address email threats, agencies should rely on software that can reduce the number of malicious emails employees receive while training them to spot the ones that inevitably slip through the cracks. When training government employees to recognize email phishing, agency leaders should use specific examples of real phishing emails that the agency has seen, highlighting every red flag. In addition to being specific, this training should be interactive in some way, such as sending out test emails to give employees hands-on practice.
Despite the increasing publicity devoted to cyber threats, federal agencies remain slow to enact improvements to their cybersecurity stances. Massive government agencies can’t expect to shore up their cybersecurity defenses overnight, but they can introduce a few measures that will result in a more fortified future. By enacting policies informed by true cyber experts, moving to modern systems, and taking steps to stop the constant onslaught of email threats, the federal agencies U.S. citizens trust to protect them can make serious strides in cybersecurity.
Rhett Power is head coach at Power Coaching and Consulting and the author of The Entrepreneur’s Book of Actions, a new book about daily exercises for becoming wealthier, smarter and more successful.