WASHINGTON — A survey of federal technology professionals found that routers and other networks used by agencies may be at elevated risk of cyber attack, which costs the government billions of dollars each year.
“A determined attacker will try every way to access a network until they gain entry,” according to Matt Malarkey, vice president of strategic alliances for Titania, which provides cybersecurity software to more than 30 federal agencies, in a statement. “A known vulnerability or misconfiguration is an easy way in. As our report uncovers, the U.S. federal government is not immune.”
Titania said it surveyed 160 CIOs, network experts and other leaders across the federal government and other U.S. critical infrastructure sectors. Almost two-thirds of respondents identified a critical configuration issue between one and two years ago, while 18% found one in the last year, according to the report released Nov. 1.
Respondents shared that while their budgets have increased, extra funding has had little effect on the number of misconfigurations identified. For fiscal year 2023, which began Oct. 1, President Joe Biden proposed $11 billion toward civilian cybersecurity spending, an 11% increase from last year.
Network experts said they’re meeting compliance frameworks for securing government technology against hackers, but risk remains high, according to Titania. Half of all organizations surveyed reported that the number of critical misconfigurations they discovered was unchanged since last year.
The U.S. was the country most severely affected by cybercrime in terms of financial damage in 2018, according to Statista. Industry experts estimated that the government, which operates a fleet of technical devices larger than that of the banking industry, faced costs of more than $13.7 billion as a result of cyberattacks.
Recognizing a need to fortify against increasingly sophisticated and persistent threats, the White House in 2021 directed agencies to migrate to zero-trust architecture, a strategy that continuously validates every stage of a digital interaction to secure it end-to-end. Agencies are working toward achieving these mandatory security goals by the end of fiscal year 2024.
“In the current threat environment, the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” said a January 2022 memo from the administration that further committed agencies to buttressing cybersecurity measures.
Despite that guidance, most respondents in the survey said they still rely on perimeter-only defenses.
The report by Titania identifies two reasons for the government’s continued vulnerability.
First, federal agencies are more likely to review and validate their network device configurations annually, rather than quarterly. Only about 12% of all respondents reviewed configurations on a bi-monthly cycle, and none reviewed them more frequently than that.
“Networks are constantly changing, as often as on a daily basis,” the report said. “Configuration drift can, and does, go undetected between configuration audits.”
Even when federal agencies did review their network device configuration settings, they only assessed firewalls and overlooked switches or routers. Respondents said these practices were sufficient to meet their security and compliance requirements.
That’s a dangerous mindset, the report suggests, because high-profile security breaches that have used misconfigured routers and switches as a way into networks are not as rare as they ought to be.
An advisory issued by the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security reported that severe vulnerabilities in network devices, such as routers, have in the last few years given cyber attackers the ability to gain access to them.
“These devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices,” the advisory read.
The FBI has also said it believes hackers compromise routers through “man-in-the-middle attacks,” which are leveraged for spying, extracting intellectual property, maintaining persistent access to victim networks and potentially laying a foundation for future offensives.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.