Government facilities are as at risk of cyberattack as their commercial counterparts, and to some attackers, even more enticing. Whether it's a massive database of personal information on federal employees and applicants, classified military information or trade secrets of contractors, the data stored in government computers is often highly valuable.
The now-infamous data breach at the Office of Personnel Management in 2015 might have been one of the most significant cyberattacks against a federal facility, but government agencies encounter an onslaught of attempts every day.
"There are more and more attempts to find vulnerabilities in systems and try to gain access to federal systems," said Dan Tangherlini, former administrator of the General Services Administration (GSA). "We've seen examples, and particularly the OPM hack is a good example, of really, really well thought-out, focused attacks on big stores of data. At the same time, there is just this endless kind of background pressure on the systems of people trying to find vulnerabilities."
The government relies on Personal Identity Verification (PIV) cards to shield its facilities and systems from unauthorized access. The cards were first mandated as a result of Homeland Security Presidential Directive 12 (HSPD-12), issued in 2004, 12 years ago.
"The question now is, is the federal government keeping up with the right technology in terms of evolving the technology it uses to provide that security?" Tangherlini said. GSA owns many federal buildings and leases them to the agencies that use them.
"You know HSPD-12… is pretty old at this point," he said. "What struck me when I joined the administration back in 2009 was how little progress had been made around unifying around that architecture. I think a lot of progress has been made in this administration. I think GSA has actually taken a really strong leadership position in trying to emphasize physical security around the HSPD-12 card."
But two reports from the GSA inspector general, both issued on March 30, found serious shortcomings in GSA's oversight of contractor-issued PIV cards. The IG also determined that GSA was issuing customized building access cards that didn't meet HSPD-12 security standards.
The reports blasted the GSA for badge security risks that included:
- Contractors who didn’t pass federal background checks but were given building badges.
- Inactive contractors still possessing badges.
- Unsecured badge IT systems.
- Poor training on the issuance of the badges.
Despite HSPD-12's requirement of a standardized identification card across all federal executive departments and agencies, the IG found 17 different badges in use at 14 different GSA facilities. This was compounded by conflicting information in government databases about which contractors were actively working for the government. The reports offered nine recommendations, with which GSA officials concurred and which they had begun implementing.
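The IG's findings amount to three controls that an access-management system should enforce before a badge is active: a favorable background check on record, a contractor status that every authoritative system agrees is active, and an HSPD-12 compliant badge type. The following is an added illustration of that reconciliation, not GSA's code or any tool the reports describe; the badge records, holder names, identifiers and the two status systems are all constructed for the example.

```python
"""Reconcile contractor badge issuance against background-check and
contractor-status records, flagging the categories the GSA IG reported.
Added illustration; not GSA's code or tooling. All records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str
    badge_type: str   # "PIV" (HSPD-12 compliant) or a local/custom type
    active: bool


# Constructed sample data (hypothetical names and identifiers).
BADGES = [
    Badge("B-1001", "alice", "PIV", True),
    Badge("B-1002", "bob", "PIV", True),            # no adjudicated background check
    Badge("B-1003", "carol", "PIV", True),          # contract ended in one system only
    Badge("B-1004", "dave", "FACILITY-LOCAL", True),  # non-PIV custom badge
    Badge("B-1005", "erin", "PIV", False),          # deactivated: nothing to flag
]

# Adjudicated background investigations (holder -> outcome). Constructed.
BACKGROUND_CHECKS = {"alice": "favorable", "carol": "favorable",
                     "dave": "favorable", "erin": "favorable"}

# Contractor status as recorded in two systems that should agree. Constructed.
CONTRACT_SYSTEM = {"alice": "active", "bob": "active", "carol": "active",
                   "dave": "active", "erin": "inactive"}
HR_SYSTEM = {"alice": "active", "bob": "active", "carol": "inactive",
             "dave": "active", "erin": "inactive"}


def audit_badges(badges, checks, contract_status, hr_status):
    """Return {badge_id: [finding, ...]} for active badges that fail a control.

    Inactive badges are skipped because a deactivated badge grants no access.
    A status disagreement between systems is reported as its own finding
    rather than silently resolved, since the IG found the conflicts themselves
    were part of the problem.
    """
    findings = defaultdict(list)
    for b in badges:
        if not b.active:
            continue
        if checks.get(b.holder) != "favorable":
            findings[b.badge_id].append("no favorable background check on record")
        statuses = {contract_status.get(b.holder), hr_status.get(b.holder)}
        if statuses == {"active"}:
            pass  # both systems agree the contractor is active
        elif "active" in statuses:
            findings[b.badge_id].append("contractor status conflicts between systems")
        else:
            findings[b.badge_id].append("contractor not recorded as active in any system")
        if b.badge_type != "PIV":
            findings[b.badge_id].append(f"non-HSPD-12 badge type: {b.badge_type}")
    return dict(findings)


if __name__ == "__main__":
    for badge_id, problems in sorted(audit_badges(
            BADGES, BACKGROUND_CHECKS, CONTRACT_SYSTEM, HR_SYSTEM).items()):
        print(badge_id, "->", "; ".join(problems))
```

The check is deliberately fail-closed on the status sources: a holder whom one system calls active and another calls inactive is flagged for resolution instead of being treated as cleared, which is the inverse of the situation the IG described, where a contractor could stay badged as long as any record still listed them.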
But the question remains: how can the government stay nimble enough to keep ahead of a fluid and constantly innovating set of attackers?
"The largest disadvantage that the government has is that they obviously can't compete with the private sector for attracting folks via salary," said Michael Buratowski, senior vice president of cybersecurity services at Fidelis Cybersecurity.
"Cybersecurity has the fortunate or unfortunate problem of negative unemployment. There's way more positions out there than there are people to fill them, let alone people who are competent to fill them."
But Buratowski said that where the government can and does excel is in developing unified policy goals to address such challenges and in trying to identify solutions.
"They can mandate sharing across their agencies much more easily than private companies can," he said.
Such information sharing makes it easier to identify and thwart suspected cyberattacks, giving the government an edge.
"What's interesting, I believe, is that many of the tools to reduce risk actually are within the toolkit and are ready for agency heads and officials," Tangherlini said. "I think GSA could be part of that solution."
Such tools for innovation include 18F, the digital services team that Tangherlini helped create within GSA in 2014 to streamline some of the federal government's digital operations.
Tangherlini said that the flexibility that digital teams like 18F provide could help the government move faster and more nimbly in updating and securing its networks.
"The idea was to bring together some of the best and brightest people from industry, from agencies, from a variety of different places to really focus in on how the federal government could be a better consumer of technology," he said.
"Replacing the old-school waterfall, which thinks of these assets as five, seven, 10-year assets, and recognizing that they're going to be more agile, sprint-like developments and that you need to be flexible. That resiliency is really the key watchword as we go into the future and have to deal with an evolving threat."
Another positive move has been the release of the Cybersecurity National Action Plan, a strategy from the Obama administration to strengthen the federal government's cybersecurity posture to prevent breaches.
"I was really heartened and have new hope about the future of cybersecurity in the United States after President Obama's release of the Cybersecurity National Action Plan in January 2016," said Justin Harvey, chief security officer for Fidelis Cybersecurity.
"That's been the first national action plan from a president that I've seen that actually makes sense, that goes into details about how we're going to strengthen the cybersecurity workforce, how we're going to get better security amongst all federal agencies in cooperation against the federal agencies."
The plan, or CNAP, is designed both to raise cybersecurity awareness and to increase agile development across the country in order to deliver more secure systems.
So while the federal government is making its push for the future of cybersecurity, success will largely depend on its unity of effort combined with a newfound flexibility of approach.