Data breaches and hacks of U.S. government networks, once novel and unheard of outside of spy movies, have become a common ‘breaking news’ story over the past few years. So it makes sense that a recently released report ranked U.S. state and federal governments at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education.
In a new report by SecurityScorecard, U.S. state and federal governments’ cybersecurity standings ranked 16th out of 18 industry sectors, with industries like healthcare, transportation, financial services, and even retail ranked higher. In fact, retailers and the fast food industry rounded out the top of the list.
“Meeting the information security posture of the fast food industry should not be a lofty goal when it comes to the federal government,” said Alex Heid, SecurityScorecard's chief research officer.
While this ranking is a small improvement over last year’s standings, which ranked government cybersecurity at 18th out of 18, it still paints a bleak picture of our government’s cyber heath status.
SecurityScorecard, a New York-based third party risk management firm, publishes the annual U.S. State and Federal Government Cybersecurity Report. For this year’s report, SecurityScorecard analyzed 552 State and Federal government agencies, and compared the results, as a group, to 17 other industry sectors across 10 categories.
Key findings from the report include:
- Government organizations were ranked third from last (16th) in overall cybersecurity, even when compared to heavily-regulated industries like transportation, finance, energy, and healthcare.
- Government organizations fell significantly short in Network Security (13th), Application Security (11th), Leaked Credentials (12th), Patching Cadence (16th), Endpoint Security (17th), IP Reputation (16th), and Hacker Chatter (18th).
- Government organizations performed above the cross-industry average in three categories: DNS Health (2nd), Social Engineering (3rd), and Cubit Score (2nd).
Aging software, improper basic security hygiene and weak endpoint defense are just some of the weaknesses pointed out in the report. A wide range of issues plague government agencies—but they're largely fixable. For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. Meaning that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way.
"There’s a lot of low-hanging fruit when it comes to the government sector overall," says Alex Heid. "They’ll implement a technology when it's very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions. It boils down to the conception of information security as an afterthought. ‘We’ve got operations to handle and we’ll deal with the problems as they arise' is essentially how it’s been implemented into government."
Heid said he can see how smaller local governments and municipalities don’t have the money to “allow them to get up to the security level of a Fortune 500 fast food retail chain.” But that’s no excuse for the federal government, he said.
The federal government is riddled by cybersecurity vulnerabilities, including in the U.S. Office of Personnel Management (OPM), which suffered the largest theft of government data in the history of the U.S. in 2015.
Within the government offices analyzed, the Federal Reserve, the Secret Service and the IRS are all, reassuringly, within the top ten performing agencies.
"Since our last report in 2016, U.S. state and federal government cybersecurity issues have gained national attention," said Sam Kassoumeh, COO and co-founder at SecurityScorecard. "On an almost daily basis, the institutions that underpin the nation's election system, military, finances, emergency response, transportation, and many more, are under constant attack from nation-states, criminal organizations, and hacktivists. Government agencies provide mission-critical services that, until they are compromised, most people take for granted. This report is designed to educate elected officials, agency leadership, as well as government security professionals about the state of security in the government sector."
After a few years of high-profile government hacks, the sector as a whole has made progress , moving up from 18 out of 18 in 2016. However, it is apparent that government agencies still have a long way to go when it comes to cybersecurity.