Skip to main content
banner image
venafi logo

The U.S. Federal Government’s Biggest Cybersecurity Challenge

The U.S. Federal Government’s Biggest Cybersecurity Challenge

The U.S. Federal Government’s Biggest Cybersecurity Challenge
April 5, 2016 | Scott Carter
Key Takeaways
  • Cybersecurity is a priority at the highest levels of the U.S. government
  • Immediate actions are recommended to avoid additional massive data breaches
  • Timelines, budget, and scope are variables that delay major updates
  • Federal agencies need to identify the highest risk areas to protect immediately

The biggest challenge facing cybersecurity professionals in Federal agencies is, well, the Federal government. There are sweeping mandates to keep agencies secure. But the funding to back that guidance is tied to factors that may not even contribute to the protection of privacy and intelligence. Budgets are driven by enforceable regulations, not necessarily by the most effective protection strategies. This leaves Federal security teams facing the unenviable choice between securing their agencies and securing their jobs. But that’s a choice that may not be entirely within your control. One breach and all hell breaks loose.

So what’s at stake?

According to the Government Accountability Office, “If information security controls are ineffective, resources may be lost, information—including sensitive personal information—may be compromised, and the operations of government and critical infrastructure could be disrupted, with potentially catastrophic effects.” The office also highlighted several weaknesses in current Federal cybersecurity practices, including lack of risk-based cybersecurity programs and access control systems, while calling for improvements in contractor oversight, incident response, and security programs at small agencies. 

There’s commitment at the top, but the middle is where it matters

However unenforceable or underfunded, cybersecurity remains a top priority for President Obama. Outlined in a White House blog, the 2016 Federal Cybersecurity Research and Development Strategic Plan calls for “new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong.” Again, no one is arguing that Federal agencies will not need advances in cybersecurity to remain viable. But the real question is what can you do RIGHT NOW, given current funding and regulatory limitations.

In the wake of the massive data breach at the Office of Personnel Management, which exposed the records of nearly 22 million federal workers, Federal agencies are worried. But will legislators match that concern with the cash needed to implement the required cybersecurity? Time will tell. But in the meantime, the Office of Management and Budget recently upped the ante with the Cybersecurity Strategy Implementation Plan. The plan includes recommendations for basic security upgrades to prevent infiltration and breach. It’s a smart plan. And the goals are solid, but it’s the journey to those goals that remains uncertain.

What will it to take to evolve Federal cybersecurity?

The machine of bureaucratic change is admittedly cumbersome and slow moving. The U.S. Federal government is not run like a business. It is run like the slow-moving, unwieldy superpower that it is where change is slow and hard fought. Because the government is not profit driven, there may be little formal incentive to increase productivity or reduce costs. There are, however, informal incentives to allocate funds to penalty-driven programs, expend budgets, and maintain continuity. No agency wants to do anything that would disrupt service, as illustrated in the problems that plagued the launch of the Affordable Healthcare Act. So your upgrades get deferred. Then the budget disappears. And the problems remain. But you are back where you started. It’s very much a fix it now and catch up later mentality, according to an astute article in the Daily DOT.

First focus is to overcome the problem from within

In a survey commissioned by HP, the Ponemon Institute recently found that the Federal Government may be its own worst enemy when it comes to cybersecurity. 44 percent of federal workers who responded to the survey indicated that “the biggest threat to federal cybersecurity is ‘the negligent insider’ at an agency who fails to take enough precautions while using or protecting government networks.” By comparison, only 30 percent of respondents marked nation-state hackers as the primary threat.

Enforcement is everything. Employee compliance is critical. And support must trickle down from the top to the middle. The ultimate success of Federal cybersecurity relies on getting buy-in from cabinet secretaries and mid-level managers. It’s a change of mindset that may seem a bit unrealistic. But it’s the only way that the government can truly enact critical changes in cybersecurity. In the meantime, while new systems may be slow to implement due to concern over the continuity of large government programs, agencies must lock down the proper controls that will protect them throughout the process.

Making cybersecurity a priority

Agencies still need to overcome the burdens inherent in large government to enact the changes needed for effective, up-to-date cybersecurity. The good news is that you have backing from the highest levels, i.e. the oval office. But outlining and securing the necessary funding remains a challenge, as does staffing and implementation. To have any chance of bringing cybersecurity up to code, agency teams must identify, clarify, and justify the fastest, cheapest ways to mitigate the highest risks. Automating that security is one the best ways of enforcing compliance.

At Venafi, we believe that as the foundation of cybersecurity, keys and certificates are a good place to start. Without these forms of validation and authentication, we would simply not know which systems, applications, or users to trust. Control that system of trust (or mistrust) and you control access to your critical digital assets. Venafi can help automate the protection and management of your agency’s keys and certificates. Plus, it’s a smart place to invest, especially to prevent man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates to bypass even the most rigorous security controls.

Talk to us today to find out how Venafi can help you eliminate blind spots to protect your agency during the planned upgrades in your cybersecurity.

Like this blog? We think you will love this.
photo of a broken piggy bank with coins and cash falling out
Featured Blog

Why Banks Need to Protect the Machine Identities of APIs

For that reason, many users may not wish to have account details ma

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat