Feds Greatest Security Fear? Hacktivists

Potential cyberthreats from foreign governments play second fiddle to concerns over hacktivists and the insider threat, a report finds. BYOD and mobility are second only to social media.

April 30, 2012


New and emerging cyberthreats such as those launched by way of social media tools might be giving federal government IT security administrators the willies of late, but perhaps more striking are their concerns over safeguarding against malicious hacktivism. It figures more prominently than potential cyberattacks being launched by foreign governments.

Ed Moyle, a founding partner of SecurityCurve in Amherst, N.H., and co-author of the new InformationWeek "Federal Cybersecurity: The New Threat Landscape" report, admits that caught him off-guard. "From a threat standpoint, folks are pretty concerned about foreign governments, but they’re also concerned about the hacktivism thing," he says. "We’ve heard about hacktivism as it relates to a lot of core services and we’ve seen groups like Anonymous and LulzSec [figure prominently in the media], but in the back of my mind I thought that would very much play second fiddle by a wide margin to the foreign actors--countries like China and Iran, for instance--that might be actively targeting our federal systems."

That said, an InformationWeek survey of 106 federal IT professionals on the cybersecurity threats facing their agencies and their strategies for dealing with them finds the majority feeling optimistic about their chances to stave off a cyberattack. This is in and of itself interesting when considering the tough fiscal climate in Washington.

"The one area where, generally, a lot of organizations are ill-prepared is in coordinated, well-funded, sophisticated, low-noise targeted attacks, both against key systems of the federal government but also against critical infrastructure," Moyle says. "Industry-wide, the real sophisticated attackers … it’s very hard to defend against them. That’s one of the biggest threat areas: the really well-funded foreign government actor who might want to leverage attacks against infrastructure."

According to the survey, more than half of agencies plan to increase cybersecurity spending in fiscal year 2013. What might be sacrificed by federal IT managers to achieve targeted goals at a time when budgets are flat or declining remains unclear. "If you look at cybersecurity both on the offensive and defensive side, we’re seeing additional requests for funding, but the money has to come from somewhere," Moyle said.

This should sound alarm bells in light of a recent Enterprise Strategies Group survey that finds three out of four U.S.-based companies anticipate being hit by a cyberattack of some sort for the second or third time.

Meanwhile, of cybersecurity initiatives that rank high with government IT managers, continuous monitoring stands out, says Moyle, who noted other top priorities including upgrading standard defenses and improving the security of agency-issued mobile devices. But the trouble is much of it is being done without rhyme or reason.

"You need to do [continuous monitoring] in a way that ties it back to the risk that your agency faces," he explains. "That might be a little bit different from what folks are doing on the ground. The folks that are implementing these continuous monitoring programs are either just 'checking the box' because they have to, or they’re looking at what they can get access to from a data standpoint. But they’re collecting those metrics because they can and not because they’re actually meaningful for their program."

When asked to rate their level of readiness to defend against new and emerging threats, survey respondents cited social media (28% are completely or somewhat unprepared) and unsecured mobile devices (18% are completely or somewhat unprepared) as prime concerns. The concern about social media might be expected, given the current Wild West nature of the technology and its use, but it struck Moyle as odd that concern about mobile devices ranked as high as it did.

"I thought mobile and bring your own device [BYOD] would be less of an issue within the federal space since culturally that particular sector is more in the model of using resources provisioned for you by the folks whose job it is to secure the technology," he says. "I was surprised to learn that’s not the case. The consumerization [of IT] that’s happening in the rest of the industry is happening in the federal space, too."

Overall, Moyle adds, the most important takeaway from the survey data is agencies’ emphasis on continuous monitoring.

"The fact that it’s not just about checking the box so you can say you’re doing it. The point is to get to some kind of awareness of risk," he says. "The people I spoke to ... we’re pretty adamant about the fact that just monitoring something just because you can isn’t valuable. It’s about tying it back to the risk."

Moyle says he reached out to professionals working in the private sector regarding useful metrics for continuous monitoring, and he found a willingness in the private sector to work closely with public sector counterparts to carve out a solution for government agencies.

"Folks on the federal side that might not be used to working with people in the private sector that can really drive some value from what’s going on in the private sector metrics community," he notes. "That was news to me. I think a lot of folks in the federal space might not necessarily realize this."

In other words, in the near term, there are a lot of federal IT managers who are wasting their energy spending time seeing what data they can gather, though it isn’t tied to any clear and present danger.

"As a general call to action across the federal space, maybe it makes sense to spend some time gauging where agencies are from a risk standpoint before they really go too far down the continuous monitoring road," says Moyle. "The pressure [from above] is for the opposite, however."

Learn more about Research: Federal Government Cybersecurity Survey by subscribing to Network Computing Pro Reports (free, registration required).
