Nearly four years ago, hackers breached the U.S. Office of Personnel Management and stole 21.5 million records. In the wake of this cyberattack, many agencies upgraded to Windows 10, Microsoft’s most fortified operating system. State and local government leaders have continued to push a variety of initiatives such as this to increase cybersecurity funding and adopt best practices. And the Modernizing Government Technology (MGT) Act — proposed in the federal fiscal year 2020 budget — is poised to direct more funding to cybersecurity as part of a broader IT overhaul.
Unfortunately, despite these respectable strides toward enhanced security, the public sector remains a prime target for bad actors.
One of the largest cyberattacks in U.S. government history, the OPM hack prompted the government to tackle what many considered to be the root cause of the incident — outdated and vulnerable technology. As we approach yet another anniversary of that event, OPM can still do more to bolster its defenses. Indeed, according to a letter from the U.S. Government Accountability Office sent to OPM at the beginning of April, five cybersecurity recommendations are still pending.
Where should public agencies focus to make sure they are protected from cyberthreats?
The answer comes down to the same issues plaguing many government reformation projects, as well as private sector organizations: changing their cultures, adjusting their approach to budgets and moving toward more modern, security-enriched technologies.
Shifting the culture from top-to-bottom
Essential to any security protocol are the people who must enforce and uphold it. Government agencies need employees to recognize the importance of their efforts as part of a broader culture that values security. So far, they’re lagging.
Reports as recent as 2018 have shown 74 percent of federal offices are at risk or high risk of cyberattack. Yet in some cases, offices submit their plans addressing cybersecurity a year late. And, according to a study by ISACA, only 31 percent of government and military programs have been very successful at obtaining employee buy-in to cybersecurity culture. Giving cybersecurity the higher priority it urgently demands requires a team effort.
Instrumental to this process is training — not just for government IT professionals, but for all employees and especially new hires. When positions open, job descriptions should include language around cybersecurity as a shared responsibility. At the leadership level, federal agencies must also address the retention problem that exists for CIO positions. Continuity is important in establishing lasting shifts in how an organization thinks about the way it runs.
Ultimately, top-to-bottom commitment and buy-in to a greater purpose are vital. If government agencies want to make a dent in their cybersecurity shortcomings, it is imperative that they employ awareness campaigns demonstrating the clear value that heightened security brings to each individual person, not just the organization.
Solving budget concerns with device-as-a-service
Some government leaders certainly recognize the need to better prioritize security programs, especially when it comes to budget. Last year, for example, Deputy Under Secretary of Defense for Intelligence Kari Bingen told Congress she believes the government can no longer afford to adhere to the three traditional pillars of acquisition: cost, schedule and performance. She then said the Department of Defense would begin viewing security as a fourth pillar of acquisition, enforcing stiff security protocols within government and extending them to supply chain vendors.
Ultimately, such moves mean committing larger portions of the budget to the CIO’s office, ensuring IT security and acquisitions professionals are in lockstep with one another, and retiring the antiquated notion that success always equals buying the lowest-priced technically acceptable (LPTA) computing gear.
Cybersecurity as a fourth pillar of acquisition could — and probably should — also involve government agencies turning over more IT management and security responsibility to reputable third parties. Device-as-a-Service (DaaS) providers can better manage device allocation and support with value-added expertise under a single, cost-effective contract. The DaaS model can monitor entire fleets of devices to ensure adherence to security policies regarding passwords, approved applications and access to data, while also accounting for maintenance and operational reliability.
Another important challenge DaaS addresses is finding experienced cybersecurity talent. Many government agencies, including some directly affected by the OPM data breach, have increased the level of staff dedicated to cybersecurity, but most would agree it is not enough. By some estimates, there will be as many as 3.5 million unfilled cybersecurity positions by 2021. Quality DaaS providers enable agencies to swiftly fill this talent gap.
Embracing security-enriched technology
Cybersecurity success really depends upon the recognition of various government agencies that there is no such thing as a “tried-and-true” technology acquisition practice in a hyper-connected world.
In advocating for the MGT bill last year, its chief sponsor, U.S. congressional representative for Texas Will Hurd, noted the federal government spends $80 billion each year on IT systems, of which 80 percent goes to maintaining outdated legacy systems. A move towards more modern technologies — both devices and services — that have security measures built in would help keep information and digital infrastructure secure from cyberattacks, while saving taxpayer dollars.
In fact, modern endpoint devices — such as desktops, laptops and printers — are more likely to have embedded security features that stave off hackers who recognize hardware as the soft underbelly of many corporate and government networks. Investing in modern and more secure printers, which are an increasingly common cyberattack vector, can also help raise an agency’s security posture.
As we approach the fourth anniversary of the massive OPM data breach, it is a good time for government agencies to reflect and ask themselves a familiar question: Are we better off now than we were when that damaging and costly cyberattack occurred?
If the response is anything less than “absolutely,” the public sector must take more dramatic steps to shake up its culture, budgets and willingness to try new approaches.
Tommy Gardner is chief technology officer for HP Federal, spanning the U.S. federal agencies, higher education, K-12 education, state and local government customer segments, as well as federal systems integrators. His current responsibilities include technology leadership, strategic technology plans, product and technology strategies, sales force technical support, and customer and partner relationships.