The White House and the Department of Homeland Security have finished a governmentwide review examining the security of federal agencies, and the results aren’t pretty.
Dozens of federal agencies have cybersecurity programs that aren’t properly equipped to deal with cyber intrusions in their networks, according to a new report released by the White House Office of Management and Budget. Of the 96 federal agencies examined, a whopping 71 were relying on cybersecurity programs deemed “at risk or high risk.”
President Trump came to office promising cybersecurity would be a major priority — vowing on the campaign trail to order a review of U.S. cyberdefenses and to confront malicious cyber activity by foreign governments. And this report was commissioned last May under his sweeping executive order on cybersecurity, which broadly sought to hold agency heads accountable for protecting their networks.
Trump’s relative prioritization of federal cybersecurity was welcomed by many experts in the wake of the massive Office of Personnel Management breach that exposed the personal information of some 22 million people in 2014, and in light of the intelligence community’s fresh concerns about Russia’s election interference during the 2016 presidential election.
But one year later, the results of this report spotlight how the federal government is still struggling to organize its cybersecurity efforts. And former White House and DHS officials worry that the Trump administration lacks a path forward without proper leadership at the top.
“Things aren’t improving as fast as we need them to,” said Ari Schwartz, who served on the National Security Council during the Obama administration as senior director for cybersecurity. “We’re behind where we need to be to be successful in preventing attacks.”
The report found that 12 agencies had “high risk” programs, meaning key cybersecurity tools weren’t in place or weren’t deployed sufficiently. Fifty-nine agencies had “at risk” programs, meaning some of the right policies were in place but there were “significant gaps” in terms of security. OMB also noted that federal agencies lacked the visibility into their own networks that would help them detect attempts to steal data and respond to other cyber incidents.