Dive Brief:
- Across 18 industries, the U.S. government ranked 16th in overall cybersecurity, ahead of only the telecommunications and education sectors, according to a new SecurityScorecard report.
- SecurityScorecard, a security rating platform, studied the cybersecurity of 500 local, state and federal government agencies along with 17 other industries for its annual report. Of the 10 security risks analyzed, the government came in 17th for endpoint security, which covers an organization's network of employee devices, and 16th for patching applications.
- The research firm also analyzed IP reputation, which is used to detect malicious actors. The government came in 16th place there, meaning its data and networks are more susceptible to hacking. Such vulnerable networks can invite malware attacks and data breaches, as showcased in the 2016 presidential election.
Dive Insight:
In 2016, the Obama administration reserved $19 billion for cybersecurity for 2017, earmarking cybersecurity as a top priority for federal IT, but issues still remain.
Of the government's $80 billion IT budget, 75% goes towards maintenance, leaving little room for modernization efforts, which is reflected in its patchwork ranking. Much of the technological infrastructure in the government dates back decades, leaving vulnerabilities in networks that $19 billion in cybersecurity cannot cover alone.
Government security has seen a slight improvement since last year. In SecurityScorecard's 2016 report, the government came in last place when analyzed against 17 industries for overall cybersecurity. During last year's data collection period, there were 35 breaches within 600 of the examined government agencies.
The federal government in particular has had some glaring cases of cybersecurity shortcomings. After the July 2015 data breach in the Office of Personnel Management (OPM) that impacted 21.5 million people, the Government Accountability Office gave OPM a list of security requests to update. While OPM has completed 11 of the 19 requests, the agency still has some gaps.
OPM named its current CIO, David De Vries, last year. However, it was announced this month that he plans to leave the government altogether. De Vries is the third CIO for OPM since February 2016, after Donna Seymour left the position following the breach, according to FedScoop.
This has become an overarching trend in federal IT, as many CIO positions are still occupied by acting or deputy candidates. Without consistency in leadership roles, tech and security protocols may suffer.