Warning: Infrastructure not ready for imminent cyber attacks
Connecting state and local government leaders
A recent survey of government IT officials paints a picture of an IT infrastructure under constant attack and inadequately prepared to respond.
An information technology security strategy based on regulatory compliance has left agencies ill-prepared to respond to a constant stream of cyber attacks, according to a recent survey of federal information technology officials commissioned by Lumension Security.
“The government view of compliance is very prescriptive,” said Matt Mosher, Lumension's senior vice president for the Americas. “They take security seriously because they are under attack. The government’s reaction is to drive security through compliance.”
The survey was conducted in February by Clarus Research Group for Lumension and included interviews with 201 government IT decision-makers. The respondents painted a picture of a government IT infrastructure that already is under attack. One-third said they had experienced an attack by a foreign nation or terrorist organization in the past year, and 61 percent rated the likelihood of such an attack in the next year as high (among those who work in national defense a security agencies, it was 74 percent). The growing volume and sophistication of the threats is a primary concern.
But 42 percent of survey respondents rated the government’s ability to prevent or respond to attacks on IT systems as fair or poor. Only 6 percent rated the ability to respond as excellent.
Defining an attack and identifying its source is difficult, however. Mosher said that an attack was considered any kind of systematic activity that had to be addressed, and not necessarily a successful exploit or a breach of a system.
Attribution of the source of an attack often is uncertain. Although federal IT officials were concerned primarily about threats from nation-states and terrorists, rather than criminal activity, it is difficult to assign a motive or a point of origin to an attack or a probe of government systems. However, Mosher said, “I am sure the government has some sense of where these things are emanating from.”
The inability to adequately secure systems is due in part to the complexity of the infrastructure being defended. “We have so many pieces of infrastructure, that to think they are all are being handled appropriately is hard to believe,” Mosher added.
Still, a majority of survey respondents said they still felt more confident of their IT security today than a year ago because of improved technology, better collaboration between IT operations and security officials, and internal compliance and audit requirements. Ironically, increasing audit burdens and a lack of resources were identified as major challenges in meeting compliance requirements.
Mosher said security is a continuous process rather than an end-state or an event, and that compliance with security regulations does not reflect this.
“As long as compliance is an event, they are always going to be disappointed with the results,” he said.