Federal networks are attractive targets for foreign intelligence services and other malicious actors in cyberspace. Networks serving over 100 agencies and millions of employees enable government missions and operations, handle sensitive internal communications, and store personal data on millions of Americans. The level of threat faced by federal government networks has few parallels, and agencies have been unable to keep up.
Federal cybersecurity is a dense, inaccessible topic to those outside the information security community and even to some inside it. Information is scattered across a variety of government documents, with no “one-stop shop” to understand the topic. This report fills the gap by:
- Characterizing the federal cybersecurity landscape, including describing the roles and responsibilities of various federal agencies and identifying systemic challenges.
- Summarizing recent federal drives to improve it, such as modernizing information technology, identifying high-value assets, using shared services and commercial technologies, detecting and blocking threats, identifying and fixing risk factors, and improving incident response.
- Reviewing efforts to improve the foundations of federal cybersecurity by enhancing the cyber workforce, research and development efforts, acquisition, and leadership.
Securing federal civilian networks and systems is a complex and daunting prospect. Several systemic factors contribute to a challenging environment:
- Difficult tradeoffs between centralized and decentralized management. The overall federal structure is largely decentralized, with each agency managing its own risk and implementing its own security solutions. Full centralization would bring its own challenges, such as limiting agencies’ ability to develop tailored, agile solutions to their cybersecurity challenges.
- Varying levels of engagement of agency top leadership on cyber risk management. Successful agency heads develop an awareness of cyber risk and actively manage it. Within agencies, the authorities of chief information officers vary widely.
- Varying effectiveness of levers to direct, incentivize, and enforce action by nonperforming federal agencies. The Department of Homeland Security and Office of Management and Budget have some levers to drive action by individual agencies, and DHS’ increasing operational authority has been critical.
- Resource constraints and a rigid government budgeting cycle. Properly resourcing cybersecurity priorities can be expensive, and the structure of the government budgeting process poses challenges for agency cybersecurity efforts.
- Scattered congressional oversight. No single congressional body has the full picture of federal cybersecurity measures, and legislative requirements are spread across many bills, making it complicated for federal agencies to adapt to threats.
In developing approaches to better manage cyber risk to federal government systems, policymakers, agency leaders, cybersecurity professionals, and congressional staff should consider the following themes:
- Sound risk management underpins all federal cybersecurity efforts. Federal agencies cannot and will not prevent every incident or intrusion. Agencies must identify the most important missions and assets, then craft strategies to reduce, mitigate, or accept the risks.
- Sustained, high-level leadership from agency heads is critical to success. Agencies with engaged department heads or deputies are much more likely to use resources strategically, force mission or business owners to attend to cybersecurity, and empower chief information officers to take steps needed to protect systems and enforce standards.
- Effective management demands clarity on roles and responsibilities. The federal cybersecurity system is complex. This is not inherently bad, but it does demand constant effort to refine, clarify, and institutionalize roles and responsibilities to ensure coherence.
- Steady, incremental progress makes a difference. The Cyber Sprint in 2016, modest as it was, demonstrated that agencies can make progress when held accountable for discrete milestones, especially on issues of basic cyber hygiene often exploited by intruders.
- Some areas, however, require constant innovation, or even a fundamental “rethink.” The most advanced agencies have policies that reward and implement innovative ideas on topics like workforce, procurement, and executive education.
- Congress plays a critical role. Congress authorizes and appropriates agency missions, authorities, and budgets. Very little can be done without strong support and engagement from the legislative branch.
- Resources matter. Skimping on resources for modernizing networks or attracting cybersecurity talent will reduce the ability of agencies to secure their core missions, with real impacts to both government and citizens.
- Evolving technology will change the game. Innovation in the digital ecosystem, like automation, will bring both new threats and new defensive applications. The government will need to plan 5 to 10 years ahead to keep from lagging behind.
There are no silver bullets for federal cybersecurity. The system will retain its inherent complexity, necessitating close coordination and partnership. Federal cybersecurity will be an enduring mission, always evolving and changing to stay ahead of the threat. In other words, there is no “finish line”—only continual improvement, adaptation, and cooperation to secure the federal government and those it serves.