New study reveals national IT cyber security challenges mounting

SCOTTSDALE, Ariz., 10 April. 2010. According to a new Clarus Research Group survey commissioned by Lumension, nearly three-quarters of federal IT decision-makers who work in national defense and security departments or agencies say the possibility is high for a cyber attack by a foreign nation in the next year. Additionally, a third of these respondents say they have already experienced such a cyber attack within the last year.

Apr 10th, 2010

Posted by John McHale

SCOTTSDALE, Ariz., 10 April. 2010. According to a new Clarus Research Group survey commissioned by Lumension, nearly three-quarters of federal IT decision-makers who work in national defense and security departments or agencies say the possibility is high for a cyber attack by a foreign nation in the next year. Additionally, a third of these respondents say they have already experienced such a cyber attack within the last year.

The survey of 201 federal IT decision-makers and influencers also identifies the growing volume and sophistication of cyber attacks as the top IT security risks facing federal IT in the coming year. Yet, more than half of those surveyed expect only minor policy changes as a result of the recently created federal cyber security coordinator position. Of federal IT personnel surveyed, 41 percent said they spent less than 10 percent of their time over the past year working on the Comprehensive National Cyber Security Initiative -- and a solid majority, 62 percent, said they spent less than 25 percent of their time on it.

Key findings in the study included:
- 33 percent of respondents who work for departments or agencies affecting national security say they have experienced an attack by a foreign nation or terrorist organization in the last year;
- 61 percent of respondents view the threat of a cyber attack from foreign nations against critical U.S. IT infrastructure in the next year as high;
- 42 percent of respondents believe the U.S. government's ability to prevent or handle these attacks is only fair or poor;
- 64 percent of respondents identified the increasing sophistication and growth in the volume of cyber attacks as the number one IT security risk; and
- 49 percent of respondents believe that negligent or malicious insiders/employees are the largest IT security risk.

Only six percent of respondents rated the federal government's overall ability to prevent or handle possible threats from cyber attacks on critical IT infrastructure in the U.S. as excellent, according the Lumension public release. Difficulty integrating multiple technologies, aligning IT needs with department objectives and in complying with requirements were identified as the greatest challenges in managing IT security operations today. While the majority of respondents felt more confident in their level of IT security today versus a year ago, this was mainly due to improved IT security technology, collaboration between IT operations and security and internal compliance and audit requirements. However, increasing audit burdens and a lack of resources were identified as major challenges in meeting ongoing compliance requirements.

In addition, the introduction of new technologies, such as application whitelisting, whole disk encryption and device control for removable media, were identified as having an anticipated expanded use within federal IT environments. According to the survey, 76 percent of federal IT professionals expect an increased use of virtualization technology; 57 percent expect an increase in cloud computing; 63 percent say they will increase their use of social networking; and 66 percent will increase use of mobile platforms, all within the next year.

According to the survey results, federal IT decision-makers expect that over the next few years there will continue to be a growing threat to America's critical IT infrastructure from foreign entities, and terrorist organizations. Survey respondents also view compliance as a double-edged sword: on the one hand, it helps IT departments acquire additional resources that can be used to enable new security technologies, but is also placing a growing strain on departmental resources through increasing audit burdens.

"Unfortunately, when it comes to our infrastructure, we are already under attack and are faced with the reality of a growing and advanced persistent threat from foreign entities that are targeting our critical U.S. infrastructure," says Pat Clawson, chairman and chief executive officer of Lumension,. "The traditional government responses we've seen so far, such as naming a security coordinator, announcing a cyber security initiative and focusing on compliance initiatives will not alone successfully address this problem.

"We must do three things if we are to truly empower and implement a robust national cybersecurity plan," Clawson continues. "One – we need to have an empowered cyber security czar, with budget and policy authority, reporting directly to the President. Next – given that 90 percent of our critical infrastructure is owned or managed by private entities, we need a collaborative government and private sector partnership to better understand the risks at hand and to better define IT security standards, practices, and contingency plans in the event of a major attack. And finally – we need to shift from an absolute focus on being compliant with ad-hoc audits for verification, to one of being secure and continuously monitoring our IT environment to ensure that the proper controls are always in effect."

The Federal Cyber Security Outlook for 2010 survey was conducted by Washington, D.C.-based Clarus Research Group and commissioned by Lumension. The survey included interviews with 201 federal government IT security decision makers and influencers who work in federal government agencies and departments that deal with national security – such as defense, foreign policy, and homeland security – as well as agencies and departments that are not dealing with national security affairs.


More in Defense Executive