1(630)802-8605 Ravi.das@bn-inc.net

Every day in the news, we keep hearing about how much the private sector, and Corporate America is being impacted by both Cyberattacks and data breaches.  There is no end to the stories that we hear about how many PII records were stolen, or how many credit card numbers were hijacked, etc. 

But it’s not just here in the United States, we even hear about incidents worldwide where this is occurring as well.  Another geographic location that appears to be a prime target for the Cyberattacker is the European Union (EU), especially that of the United Kingdom.

All of this underscores the notion that the Cyberattacker has no geographic limitations.  They can strike from wherever and whenever, without hardly any notice.  Because of this, many political leaders and others in the Cybersecurity Industry are now firmly believing that World War III may not be fought with nuclear weapons, but with Cyberweapons that can cause just as much or even more destruction.

Of course, when it comes to this, we are totally dependent upon our Federal Government to determine the next course of action in case we are ever hit to this level of magnitude.  But one thing that we do not hear about as much in the news is just how badly has it been affected by Cyberattacks? 

I have come across numerous headlines on a sporadic basis that one agency was hit, or that the Department of Defense (DoD) is trying to create some sort of new Cyber Warfare Division.

Well, we finally have an answer to this question.  According to a study just released to Congress, which is entitled the “FISMA FY 2018 Annual Report to Congress”, no entity of the Federal Government had been impacted by a large scale Cyberattack.  But they did find many other very concerning trends which are as follows:

*There was a total of 31,107 security breaches in Fiscal Year (FY) 2018.  This is representing a 12% decrease over the 35,277 Cyberattacks that agencies reported in FY 2017;

*There were 6,930 phishing incidents in 2018, and in 30% of these instances, the Cyberattacker could not be identified;

*There was a total of 9,674 security breaches that were attributed to due to improper usage.  But keep in mind, the report did not state if this was due to just negligent behavior, or if this could be the works of a potential Insider Attack;

*The loss of theft or equipment (such as wireless as those of wireless devices, portable storage devices, etc.) caused a total of 2,552 Cybersecurity related incidents. 

Also, this study revealed those areas of the Federal Government in which “High Value Assets” are most at risk.  The DoD let the initiative for this part of the study and found 356 specific areas which needs much greater improvement in terms of risk reduction.  Although the specifics of this cannot be released to the public, the general finding is that is a serious lack of audit and controls when it comes to the following areas:

*Information/Data Protection;

*Network Segmentation (this simply means dividing a Network Infrastructure into different subbranches, which are technically known as “Subnets”);

*The lack of a regular schedule for the deployment and implementation of software patches and upgrades;

*A stronger need for more robust authentication services (such as implementing Multifactor Authentication [MFA} which includes the use of Biometric Technology);

*A much more proactive approach is needed when it comes to continuous monitoring of an IT Infrastructure.

My Thoughts on This

Although the good news is that the Federal Government has not been hit any major attacks in 2018, and the trend is lower when compared to 2017, there is a reason for this:  Just in 2018 alone, they sent nearly $15 Billion just in Cybersecurity alone. 

I surmise that much of this money was spent in trying to fight off imminent threats, rather than trying to improve the areas which need further improvement (as just described). 

Just yesterday, I wrote a blog on how much the CIO/CISO wishes that they have more money to spend on Cybersecurity.  Well, $15 Billion is a lot of money, and just imagine if one single business entity had all that (also if it would be spent wisely). 

The Federal Government, if needed, can always get money for mission critical projects, if the President deems so.  So, in this regard, money is really no worry to the various entities of our government.

Even when it is deep in debt, it can keep getting money one way or another.  It is also troublesome to find out that the Federal Government still lacks a set of standards or best practices when it comes to the storage of the Personal Identifiable Information (PII). 

We are not just talking about a customer database here, we are talking about the information and data that is stored for each American citizen, or naturalized resident. 

This includes tax records, Social Security numbers, credit card and banking numbers, etc.  If any of these databases were hacked into, we would see another Marriott Hotel Group incident, but multiplied by a factor of 100x.  Obviously, the Federal Government needs to make this their top priority, and find solutions to it very quickly, especially as we approach tax season 2019 next year. 

This is a time when the Cyberattacker is the most prevalent, and launching attacks not only against taxpayers, but accounting firms, and the Internal Revenue Service itself.

With the gargantuan amount of money that was spent, I am surprised to see that there is still a lack of strong authentication being implemented.  As far as I know, the technology is much more accessible here, because of the research and development that is being done, especially at the level of the DoD. 

They also have access to a very strong network of existing contractors, so procuring the tools that are needed to create a much more robust layer of Multifactor Authentication should not be a problem.

Given their huge Cybersecurity budget, it would nice if Congress could shore up more resources to help Corporate America fight their Cybersecurity battles.  This could include such as things as subsidized payments for Penetration and Threat Hunting Exercises, the creation of Security Policies and Disaster Recovery Plans, access to specialized Cybersecurity consultants, etc.  In other words, if farmers can get subsidies, why can’t Corporate America, to a certain degree get that also?

Finally, more detailed information about this study can be seen here at this link:

https://www.whitehouse.gov/wp-content/uploads/2019/08/FISMA-2018-Report-FINAL-to-post.pdf