US Federal Govt. increases spending but fails to stem the flow of cybersecurity breaches

Introduction

This discusses the problem of despite increased spending by the US government it isn't stemming the flow of federal cybersecurity breaches.

The Federal Information Security Management Act 2002

This act is commonly known as FISMA. Eli Dourado and Andrea Castillo from the Mercatus Center – George Mason University in Washington DC have released a report on the effectiveness of FISMA. The authors helpfully explain the intent of the act.

FISMA was intended to strengthen federal IT systems by requiring agency leaders to develop and implement information security protections with the guidance of offices such as the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security (DHS). In addition to authorizing the sums necessary for agencies to invest in cybersecurity technologies and infrastructure, FISMA compels agencies to proactively assess and reduce systematic risks, actively train personnel to meet and improve information security standards, improve cybersecurity risk reporting and information sharing capabilities, and develop contingency plans to respond to cyber-breaches.

The report also has data showing spending from 2006 to 2013 under FISMA. Note that the calculation methodology changed in 2013. This partially explains the lower figure. Also the dollar figures are in billions (green bars).

FISMA_SP_BR

So the US  Federal Government has spent $US78.8 billion on FISMA between 2006 – 2013 but despite throwing more money at the problem the number of security incidents has increased 1012%.

Personal Information

Another important problem is the issue of security incidents involving personal information. The next chart reveals that 38% of reported security incidents involved personal information breaches.

FISMA_SI

This increase is far from ideal and is what concerns libertarians and privacy advocates.

Scope of the problem

So what are underlying problems at the heart of these issues? According to the United States Government Accountability Office (GAO) there is a lot of work to do.

Illustrating the extent to which weaknesses continue to affect the 24 major federal agencies, in fiscal year 2013, inspectors general at 21 of the 24 agencies cited information security as a major management challenge for their agency, and 18 agencies reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting in fiscal year 2013. These weaknesses show that information security continues to be a major challenge for federal agencies, putting federal systems and the information they contain.

Comment

Cybersecurity is a serious concern for governments worldwide and the issues the USA is having in getting the right balance between passing sound that can be administered and monitored properly whilst balancing privacy concerns is a major challenge. Add to this the mindboggling technical issues that IT and cyber security experts have to deal with there aren't easy answers. This isn't policy making for the faint hearted.

To be bi-partisan about this there is enough blame to go around as the problems started before Barack Obama became president. That doesn't mean his administration is blameless either. The number of security incidents has increased enormously since 2009. Dourado and Castillo do express concerns about President Obama's proposal of extending the same cyber security policies that aren't currently working properly in the US public sector to the private sector (Executive Order #13636: Cybersecurity Framework). As they correctly observe  the US Federal Government should get its own house in order regarding cyber security before trying to tell others what to do.

Comments (14)

Login to comment or vote

Add a Comment