In late March, President Obama renewed a declaration of national emergency, citing the rising number of cyberattacks against the U.S. (let's call it a State of Cyber-Emergency). I am pleased to hear the federal government is grasping the urgency of cybersecurity – an urgency demonstrated by the recent flurry of federal data breaches with the IRS, OPM, Department of Energy and Veteran’s Affairs, just to name a few.
Thankfully, this steady drumbeat of federal breaches has not fallen on deaf ears. In addition to the extension, President Obama recently proposed a budget increase of 35% for cybersecurity spending in the overall FY2017 budget, also unveiling a new Cybersecurity National Action Plan (CNAP). For a deeper dive into CNAP and what it means for federal agencies, I recommend reviewing my colleague, Wayne Lewandowski’s latest blog post.
The initial declaration of national emergency was made on April 1, 2015, which empowered the Treasury Department to impose sanctions on foreign nationals perpetrating cybercrimes against the U.S. In his notice, Obama stated that “significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
While these announcements are indeed a step in the right direction, there is still significant work to be done before this emergency has been pacified. In fact, one can safely say that organizations are more vulnerable today than when the initial declaration was put into place. The U.S. federal government edition of our found that a chilling 90% of federal agencies feel vulnerable to data threats, while 61% have experienced a past data breach.
Our report also pointed to a truth that is hard to swallow: federal agencies are not adopting the appropriate technologies to defend their organizations. According to the report, the top categories for increased spending over the next 12 months among respondents were network defenses at 53%, followed by analysis and correlation tools (46%). With data-at-rest defenses the most effective tools for protecting data once other defenses have failed, these defenses were ranked last in terms of U.S. federal spending plans, with just 37% planning to increase their spending on data-at-rest defenses.
What attackers are most interested in getting to is data. Time after time, attackers will find a way to breach traditional perimeters to get to what they seek. Not to say that traditional endpoint and network defenses are not important or don’t need funding, as they are a required element in a layered defense-in-depth strategy. However, a shift in priorities to include data-at-rest security should be a priority for all organizations.
Sticking with the data security status quo won’t help organizations achieve an improved security posture, and the sooner public sector agencies realize this, the better. By implementing strong data-at-rest security controls, security professionals can protect critical information even when peripheral security fails.
What are your thoughts on the current state of cyber-emergency? Feel free to leave your comments/questions below, or tweet me @SolCates.