Sunday, June 22, 2014

Compare US Cyber Threat Incidents To Mitigation

Two major cyber threat reports should keep security professionals busy for a while. The Verizon Data Breach Investigations Report (DBIR) for 2014 includes incident data contributed by US government cybersecurity organizations. The US government's closest equivalent is probably the OMB's annual FISMA report to Congress released in 2014, which tallies federal agencies' incidents and their cybersecurity spending. Let's compare and contrast.

The Verizon report shows that accidents (its "miscellaneous errors" pattern) and insider misuse account for a large share of incidents, and the public sector is no exception. The OMB report shows that federal cyber incidents are concentrated at six agencies, with the VA, HHS, and NASA the three most affected. The Defense Department experienced less than 10% of the federal government's cyber incidents but accounts for almost 90% of the government's cyber budget. The remarkable part of that DOD spending is the roughly 50% devoted to the report's "shaping the cybersecurity environment" category. HHS and the VA, by contrast, devote most of their cyber spending to detecting and mitigating intrusions, presumably from external threats. Intrusion detection tuned for outside attackers does nothing about a misdirected email or a lost laptop, and it catches insider misuse only if the monitoring covers what legitimate accounts do with the data, not just how outsiders get in. If most incidents are internal accidents and misuse, as the Verizon report indicates, those agencies' cyber spending is aimed at the wrong problem.

Consider the implications. Uncle Sam is devoting the bulk of his cyber effort to what is very likely DOD's offensive capability in US Cyber Command and other special agencies. Meanwhile, reading the two reports together, he is absorbing internal accidents and malice at three less protected agencies. The imbalance between targeting malicious foreign hackers and tolerating internal sloppiness is clear. HHS and the VA between them manage a significant part of the US health care system. The government's inattention to accidents and insider fraud in its health care cyber security puts a significant portion of the US economy at risk. There is a lot of very valuable data in the health care sector, and it is worth protecting.

The Alfidi Capital investment thesis does not account for the federal government's IT competence. My analysis of several IT and telecom conferences in the past two years reveals that the mobile computing sector pays serious attention to app security. Go back and read my stuff tagged "conference" to see how closely I've tracked this trend. I've also tracked articles in Federal Computer Week that chronicle the government's immaturity toward IT policy. Many FCW articles read more like tabloid coverage of which federal procurement manager's career is hot. That Beltway culture is handicapping the federal government's approach to cyber security.

The big takeaway from these reports is that the federal government should think more like the private sector in mitigating cyber threats. Vulnerability analysis precedes the response strategy, and economic impact is always a major factor. If the threats with the biggest economic impact on the US are generated internally, then direct the response to human training and device management: who can send, copy, or carry the data out, and on what hardware. All of the federal agency CIOs need to have a copy of Cloudonomics open when they compute the budget lines they will request for cyber threat mitigation. That may be too much to expect. I'll wait for someone from the GSA's 18F digital innovation team to troubleshoot a comprehensive solution to this IT malaise. In the meantime, I will mention the market opportunity in federal contracting to enterprise and mobile entrepreneurs I meet in the San Francisco Bay Area. That's how I do my part for the nation.