Late last month, the Government Accountability Office released its study of cyber incidents reported by federal agencies. From 2011 to 2013, cyber attacks on federal government systems increased approximately 38 percent, reaching 46,160 incidents in 2013. Despite the increase in number and sophistication of cyber attacks, GAO found that federal agencies “did not consistently demonstrate that they are effectively responding to cyber incidents.”
Number of cyber attacks on federal agencies soars
The Cybersecurity Threat Is Large and Growing
In May 2009, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” In the same speech, the president recognized that the United States is “not as prepared as we should be, as a government or country.” The federal government has a wealth of sensitive information vital to our national security, economy, critical infrastructure, public safety, and health. Most, if not all, of it is vulnerable to exploitation.
The threat extends beyond the government to the private sector. Cybercrime costs the United States approximately $100 billion annually. According to one survey, 69 percent of U.S executives are worried about how cyber threats will affect their company’s growth. The threat to U.S. corporations continues to escalate at a shocking level, including a 38 percent increase in incidents of loss, theft, and exposure of personally identifiable information from 2011 to 2012. In 2013, there were reportedly 2,164 cyber incidents, exposing 822 million records.
To combat the enormous challenge, the federal government has spent $65 billion to enhance the security of federal information systems since 2006. Yet, the federal government’s measures, which are partially rooted in the Federal Information Security Management Act of 2002, have not been strong enough to reduce cyber incidents.
With data constantly moving from corporate networks, mobile devices, and the cloud, incidents will continue to accelerate and become more sophisticated. Juniper Networks recently found that the “[cyber] black market ... can be more profitable than global illegal drug trade.” At least 1.25 billion email addresses and other pieces of sensitive information are for sale on the cyber black market.
Insufficient Response by Senate Democrats and President Obama
Despite understanding the significance of the cyber threat, President Obama has failed to lead effectively and cultivate the reforms necessary to match the rapidly evolving threat. The Democrat-controlled Senate has not passed a single major cybersecurity bill during president’s tenure.
All of these bills passed by the House with bipartisan support. Instead of pushing the Senate to vote on these bills, President Obama either threatened to veto legislation or failed to forge a compromise between the two chambers.
In the absence of legislation, the White House promulgated executive order 13636 in February 2013. The administration designed the order to create voluntary incentives for the private sector to share information with the federal government and to create a framework for the protection of critical infrastructure. Although a step in the right direction, cybersecurity experts claim the major result of the executive order – the Cybersecurity Framework created by the National Institute of Standards and Technology – is ineffective because there are no metrics for its use and not enough industry incentives. Even the White House Cybersecurity Coordinator questioned the administration’s initiative, asking: “How do you know that somebody is using it?”
Democrat Inaction Widens Vulnerabilities for all Americans
The failure by the president and Senate Democrats to advance cybersecurity measures is having a significant impact. According to a February 4, 2014, report by Senator Coburn, ranking member of the Senate Homeland Security and Government Affairs Committee: “serious weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens’ personal information.”
Additionally, the federal government is responding ineffectively to the threats it detects. GAO projected that, in 65 percent of cases, federal agencies failed to document actions “taken in response to detected [cyber] incidents.”
Cyber attacks have raised serious concerns about the security of the Department of Energy, NASA, and HealthCare.gov. One cybersecurity expert reported 20 vulnerabilities after the launch of the HealthCare.gov website last October. He noted that “hackers could upload malicious code to HealthCare.gov, allowing them to take control of other HealthCare.gov users’ computers to steal and/or modify data as well as attack other computers.”
The administration’s efforts against cyber threats has been woefully inadequate. Government should be collaborating more with industry to find effective solutions and encouraging a public-private partnership.
To tighten the security of U.S. government cyber systems, the president and Senate Democrats should take up the measures focusing on improving security, information sharing, and research and development.