One of the results of the KuppingerCole Digital Risk and Awareness Survey that caught my attention is the massive difference in C-level awareness of cyber security between government agencies and businesses. While an overall average of 8.2% of all respondents said that they have no C-level awareness of cyber security, the share of non-awareness in government agencies was 26.3%.
The positive interpretation is that there already is C-level awareness of cyber security in roughly 3 out of 4 government agencies. On the other hand, the situation is obviously worse than in businesses.
Taking incidents such as Wikileaks, the Snowden revelations, or the recent OPM breach, there is no reason to assume that government agencies are less under attack from insiders and outsiders than businesses are; on the contrary. Simply said: today there should be 100% awareness among the C-levels of agencies (even if they carry different titles, e.g. minister).
But what happens instead? Current German legislation, for example, excludes government agencies from the scope of the IT Security Law, focusing only on "critical industries". Not that a well-functioning government isn't critical, or that attacks against intelligence services or the military can't cause massive damage...
Realistically seen, the level of security implemented in many government agencies appears to be horrible. The breadth of the OPM breach is one example. The German Bundestag hack is another, with a chaotic response that shed a spotlight on the archaic state of their security concepts and operations. And even today I can't understand why Manning, a rather low-ranking soldier, had access to such incredible amounts of documents. Classification is one thing; additional access control based on the "need to know" principle is another.
A frequently heard argument is the lack of skilled people, as e.g. the FBI recently complained. Yes, there is a skills gap, and low-paying government agencies suffer from it more than businesses do. But that is no excuse for failing at cyber security in government agencies. The state has to accept that cyber security needs funding, both for people and for technology.
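The distinction between classification and need-to-know can be made concrete. The following Python is an added illustration, not code from the original post or from any of the systems mentioned: it compares a check that looks only at the hierarchical classification level with one that additionally requires the subject to hold every compartment an object is tagged with (the lattice "dominates" rule of Bell-LaPadula-style mandatory access control). The levels, compartments, the analyst and the documents are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Ordered classification levels. Constructed for this example; the names echo
# common schemes but no real policy is modelled here.
LEVELS: Dict[str, int] = {
    "UNCLASSIFIED": 0,
    "CONFIDENTIAL": 1,
    "SECRET": 2,
    "TOP SECRET": 3,
}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments.

    The compartments carry the need-to-know dimension. A subject's label is
    its clearance; an object's label is its classification.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()


def level_only(subject: Label, obj: Label) -> bool:
    """Classification only: read allowed if the clearance level is high enough.

    This is the check the text criticises as insufficient: anyone cleared to
    SECRET can read every SECRET object, whatever its subject matter.
    """
    return LEVELS[subject.level] >= LEVELS[obj.level]


def dominates(subject: Label, obj: Label) -> bool:
    """Classification plus need-to-know (lattice dominance).

    Read allowed only if the level is high enough AND the subject holds every
    compartment the object is tagged with (the 'simple security' read rule of
    Bell-LaPadula-style mandatory access control).
    """
    return level_only(subject, obj) and obj.compartments <= subject.compartments


def readable(subject: Label, objects: Dict[str, Label],
             check: Callable[[Label, Label], bool]) -> List[str]:
    """Return the (sorted) names of the objects the subject may read under `check`."""
    return sorted(name for name, label in objects.items() if check(subject, label))


# Constructed sample data: one SECRET-cleared analyst with a single compartment,
# and a small document store with mixed levels and compartments.
ANALYST = Label("SECRET", frozenset({"LOGISTICS"}))

DOCUMENTS: Dict[str, Label] = {
    "field-manual":     Label("UNCLASSIFIED"),
    "supply-report":    Label("SECRET", frozenset({"LOGISTICS"})),
    "diplomatic-cable": Label("SECRET", frozenset({"DIPLOMATIC"})),
    "sigint-summary":   Label("TOP SECRET", frozenset({"SIGINT"})),
}


def compare(subject: Label = ANALYST,
            objects: Dict[str, Label] = DOCUMENTS) -> Dict[str, List[str]]:
    """Show how much the subject can read under each rule."""
    return {
        "level_only": readable(subject, objects, level_only),
        "need_to_know": readable(subject, objects, dominates),
    }


if __name__ == "__main__":
    for rule, names in compare().items():
        print(f"{rule:>13}: {len(names)} of {len(DOCUMENTS)} documents -> {names}")
```

Under the level-only rule the analyst reads the diplomatic cable along with everything else at or below SECRET; under the dominance rule the cable is denied because the analyst lacks the DIPLOMATIC compartment, even though the level would suffice. That second dimension is exactly what limits the blast radius of one over-entitled account.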
It is time that all leaders in government agencies understand and accept their accountability for improving cyber resilience. Awareness of accountability is the first step towards funding the required activities and distributing responsibilities within the organization.
Furthermore, it is about raising cyber resilience to a level adequate to the type of attacks that government agencies in particular are facing. A relevant share of what today is commonly called APTs (Advanced Persistent Threats) is carried out by nation-state attackers and targeted at the government agencies, military, and critical infrastructures of other countries. Modern, elaborate attacks require modern, elaborate defense and response. Old-school approaches relying only on firewalls and traditional IT security are no longer sufficient; it takes advanced analytical capabilities such as RTSI (Real Time Security Intelligence), well thought-out user and access management, and more.
Ignorance doesn’t solve cyber security issues. Time to act. Now.
Martin Kuppinger is Founder of the independent analyst company KuppingerCole and, as Principal Analyst, responsible for the KuppingerCole research. In his 25 years of IT experience he has written more than 50 IT-related books and is known as a widely-read columnist and author of technical articles and reviews, as well as a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 80s, when he also gained considerable experience in software architecture development. Over the years, he added several other fields of research, including virtualization, cloud computing, overall IT security, and others. Having studied economics, he combines in-depth IT knowledge with a strong business perspective.