Nearly one-third of federal agencies confront cyber threats every day, with many of the vulnerabilities stemming from foreign attacks and lax internal policies and employee habits, according to a study released today by IT contractor CDW-G.
In its polling of 300 cybersecurity professionals across military and civilian federal agencies, CDW-G found that the threat rate had either held steady or increased over the past year.
Many respondents said their budgets were stretched too thin to establish sufficient security procedures and training programs for employees.
“Fundamentally, cybersecurity is not just a technology issue — it is a management and cultural challenge for federal agencies,” CDW-G Vice President Andy Lausch said in a statement.
The study comes amid the ongoing efforts of the Obama administration to revamp the government’s cybersecurity apparatus, a seismic undertaking that in some respects seems to have lost momentum.
Earlier this year, Obama commissioned a sweeping review of federal cybersecurity policy. In May, he announced the findings of that report, along with a multi-pronged policy agenda that included the appointment of a White House cyber coordinator to lead the effort, a position that has yet to be filled. White House officials have said they have been conducting high-level interviews, but the months since the report was released have seen several senior IT staffers, including Melissa Hathaway, who oversaw the policy review, leave the administration.
The respondents in the CDW-G survey said that external attacks and vulnerabilities were a bigger threat than internal issues. For agencies in the Department of Defense, IT personnel identified state-sponsored cyber-warfare programs as the single greatest threat.
Security professionals at civilian agencies said that independent foreign hackers and poorly coded software gave them the most headaches.
But respondents at both civilian and military agencies also reported a host of internal vulnerabilities, such as weak authentication, lost equipment and risky Web-browsing activity.
“First and foremost, federal IT security professionals are calling for increased end-user education, both to reduce internal cybersecurity incidents and to close the door to external threats,” Lausch said.
Just half of the security workers CDW-G interviewed said they had the budgets they needed to cope with the rising costs of security practices such as authentication, encryption and patch management.
The firm accompanied its study with a spate of policy recommendations, including a reassessment of the programs in place to train government employees about safe computing. The study’s authors argued for clearer metrics to gauge the effectiveness of training programs, and more serious consequences for non-compliance.