From the beginning of the Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. It is also an ever-growing and constantly changing challenge. For years, whenever I’ve spoken with private and public sector leaders, I’ve regularly asked them how much time they spend on cyber and related issues. And each year, the answers have been a higher proportion of their time than the year before. Today, any responsible leader of an organization – public or private sector – is dedicating significant attention and resources to addressing evolving cyber threats. And for good reason.
Malicious actors take advantage of relatively inexpensive and easily accessible tools to attack systems and infrastructure – targeting applications and computing environments that weren’t designed to withstand the diversity and severity of the cyber threats we face today. Nowhere is this problem more acute than in government, where antiquated systems and processes are still pervasive. That is why the Administration is executing a broad strategy to enhance the Federal Government’s cybersecurity, including both our defensive and offensive capabilities, to tackle today’s increasingly sophisticated cyber actors. Since 2009, the Administration has shifted the paradigm of how our government views the defense of its networks:
- Directing a comprehensive Cyberspace Policy Review in order to assess U.S. policies and structures for cybersecurity;
- Making cybersecurity one of the Administration’s first cross-agency priority management goals;
- Leveraging cutting edge tools like the Department of Homeland Security’s (DHS) EINSTEIN and Continuous Diagnostics & Mitigation (CDM) program; and,
- Proposing commonsense legislation that enhances information sharing and establishes data breach standards while also protecting the personal data and privacy of citizens.
Last month, the Office of Management and Budget (OMB) launched a 30-day Cybersecurity Sprint to assess and improve the health of all Federal assets and networks, both civilian and military. As part of the Sprint, OMB directed agencies to further protect Federal information, improve the resilience of our networks, and report on their successes and challenges. Agencies were instructed to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems, and dramatically accelerate the use of strong authentication, especially for privileged users. All of these actions reduce the risk of adversaries penetrating Federal networks.
One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication. Over the course of the Sprint, agencies made significant progress in this area:
- Federal civilian agencies increased their use of strong authentication for privileged and unprivileged users from 42 percent to 72 percent – an increase of 30 percent since agencies last reported their quarterly data on Performance.gov (see below).
- Specifically, Federal civilian agencies increased their use of strong authentication for privileged users from 33 percent to nearly 75 percent – an increase of more than 40 percent since agencies last reported their quarterly data on Performance.gov.
- Thirteen agencies, or more than half of the largest agencies – including the Departments of Transportation, Veterans Affairs, and the Interior – have implemented the same level of strong authentication for nearly 95 percent of their privileged users.
Since 2011, Federal agencies have made publicly available on Performance.gov their quarterly progress on meeting the Administration’s cybersecurity cross-agency priority (CAP) goals, including their progress on implementing strong authentication. Here’s how the Cybersecurity Sprint compared against previous quarterly performance metrics on implementing strong authentication.
Federal civilian CFO Act agencies do not include DOD or Intelligence Community agencies. This chart does not include DOD, as the size of DOD could partially alter the government-wide rate; however, DOD participated in the Cyber Sprint and their results are included on the site. For purposes of this report, this is consistent with and continues the standard we have used in previously published Cross Agency Priority reports.
While these statistics are just a few examples of a marked improvement in identifying and closing the gaps in the Federal cyber infrastructure, we still have more work to do. The work of addressing cyber risks is never done. Agencies are reducing the number of privileged users and working with DHS to scan their networks on an ongoing basis for known critical vulnerabilities. Additionally, agencies continue to train employees to recognize and report phishing attempts to introduce malware into Federal networks. But malicious actors aren’t slowing down. As their efforts become more sophisticated, frequent, and impactful, so must ours. Although the Sprint may have come to a conclusion, it is only one leg of a marathon to build upon progress made, identify challenges, and continuously strengthen our defenses.
To accelerate and amplify the work and objectives of the Sprint, a team of over 100 experts from across the government and private industry is now leading a review of the Federal Government’s cybersecurity policies, procedures, and practices. Ultimately, the team’s assessment will inform and operationalize a set of action plans and strategies to further address critical cybersecurity priorities and recommend a Cybersecurity Sprint Strategy and Implementation Plan to be released in the coming months.
At the same time, we need help from our partners in Congress. Decades of underfunding and years of uncertainty in budgets and resourcing for strategic and critical IT capabilities like cybersecurity have contributed to the current unsustainable state of the Federal Government’s networks. We now have an opportunity and a pressing need to come together as a government and a nation to change our approach. The best way for any industry executive or agency leader to ensure the security of their networks is to have the resources they need and the certainty to deploy those resources. That is why it is critical Congress lift the harmful spending cuts known as sequestration and provide agencies certainty in their budgets, to improve their planning, and their ability to forecast and acquire the necessary resources for addressing emerging cyber threats. The President’s 2016 Budget lifts these reckless cuts and proposes $14 billion, or a $1.4 billion (11 percent) increase in cyber activities to strengthen U.S. cybersecurity defenses and allow the Federal Government to more rapidly protect American citizens, systems, and information from cyber threats. Additionally, the President has been calling for cybersecurity legislation since 2011, and re-proposed legislation this past January. Congress must act as soon as possible to pass legislation that will facilitate greater information sharing and help the Nation better defend itself against cyber attacks.
This is a key moment in our Nation’s history. As the number of threats continues to increase, affecting both the public and private sector, we must take aggressive and decisive steps to protect our networks and information. Our economy, and the credibility and viability of our most cherished and valuable institutions, depend on a strong foundation of trust and the protection of critical assets and information. But let me be clear: there are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively. And we can best do this by aligning and focusing our efforts, by properly funding necessary cyber investments, by building strong partnerships across government and industry, and by drawing on the best ideas and talent from across the country to tackle this quintessential problem of the 21st century.