All the Ways US Government Cybersecurity Falls Flat

Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cybersecurity analysis released today placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it. The report goes beyond the truism of government cybersecurity shortcomings, though, to outline its weakest areas, potentially offering a roadmap to change.

The analysis of 552 local, state, and federal organizations conducted by risk management firm SecurityScorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plagues government agencies—but they’re largely fixable.

“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”

After a few years of high-profile government hacks—the devastating breach of the Office of Personnel Management chief among them—the sector as a whole has made some modest strides on defense, moving up from last place in a 2016 SecurityScorecard report. Even OPM has gained some ground, though findings (and a government review) indicate that it still has a long way to go. Agencies that control and dole out money—like the Federal Reserve, Congressional Budget Office, and National Highway Traffic Safety Administration—tend to have much more robust digital security, as do intelligence and weapons agencies like the Secret Service and Defense Logistics Agency. Even the Internal Revenue Service, which has been plagued by leaks over the past few years, has shown marked improvement, spurred by necessity.

SecurityScorecard gathers data for analyses through techniques like mapping IP addresses across the web. Part of this analysis involves attributing the addresses to organizations, not just by looking at which IPs are allocated to which groups, but by determining which organizations use which IP addresses in practice. This means that the report didn’t just assess blocks allocated to the government; it also tracked addresses associated with contracted third parties, like cloud and web application providers. The group also scans to see what web applications and system software organizations run, and compares this information to vulnerability databases to determine which organizations should upgrade and patch their platforms more rigorously. Additionally, SecurityScorecard collects leaked data troves of usernames and passwords, and monitors both public and private dark-web forums.

The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid-2000s were available to the public.” When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. (Shout out to the Wisconsin Court System and the City of Indianapolis for strong cybersecurity showings.) That means that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way. The question now, Heid says, is how effectively legislation can guide government IT and cybersecurity policy. There’s a mixed track record on that at best, but in the meantime breaches and market forces are slowly driving progress.

“It boils down to the conception of information security as an afterthought,” Heid says. “‘We’ve got operations to handle and we’ll deal with the problems as they arise’ is essentially how it’s been implemented into government. But for some agencies they end up having losses in the millions of dollars. People start wearing kneepads after they fall off the skateboard a few times.”