Report shows US citizens’ data is vulnerable to cyber attacks

A scathing report by the US government indicates that almost 75% of government agencies have inadequate cybersecurity tools and procedures in place. Why is this a problem, and what does it mean for the average US citizen?

(Un)prepared for any threat

US government agencies are a prime target for a variety of different cyber threats – from criminals looking for identity information to advanced state-funded hackers looking to uncover state secrets or exploit national vulnerabilities. As such, you might expect the US government to take cybersecurity very seriously. Currently, however, that’s very far from the truth.

In the report, published by the Office of Management and Budget, it was found that “71 of 96 agencies (74 percent) participating in the risk assessment process have cybersecurity programs that are either at risk or high risk.” At-risk agencies, by far the most numerous, were those that had significant gaps in their cybersecurity procedures and capabilities. High-risk ones were missing fundamental elements of a basic approach to cybersecurity. In a shocking 38% of cybersecurity incidents, the Federal government wasn’t even able to identify where an attack came from!

The report identified four different key findings, all of which were damning for US cybersecurity.

• “Agencies do not understand and do not have the resources to combat the current threat environment”: In other words, US cybersecurity is severely lagging behind the rapid development of new cyber threats by various threat actors. The government is too slow to identify, understand, and respond to them.
• “Agencies do not have standardized cybersecurity processes and IT capabilities”: Standardized procedures and measures would allow agencies to communicate and cooperate when identifying and combating new threats. Right now, an attack that fails against one agency may very well work on the next. They’d also have difficulty responding to a broad attack undertaken by a hostile state.
• “Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration”: This one is downright embarrassing. 73 percent of the agencies in the report were either at risk or at high risk for being incapable of identifying unauthorized data retrieval attempts on their systems. Not only are they easy to hack, but they may not even be able to detect when they’ve been hacked or who hacked them!
• “Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks”: As the report clarifies, this finding essentially means that the leadership structure of most agencies makes it difficult for CIOs (Chief Information Officers) to enact sweeping changes across their agencies to improve cybersecurity. This sort of problem means that the right hand may not always know what the left is doing when it comes to protecting data. It also means that agencies may not even be prepared to enact the changes this report demands of them.

A few striking key stats from the report:

• In 38% of cyber attacks, the attacker was not identified. The federal government often doesn’t even know who they’re up against.
• 73% of agencies find it difficult or impossible to detect and investigate any attempt to access large amounts of data.
• Only 16% of government agencies meet the standard for encrypting data that is not being actively used.

What does this have to do with you?

Pick any government agency and it will probably be mostly or completely unprepared to prevent or investigate a cyber attack. This is clearly a potential national security risk, but it should also matter to the average citizen.

Most of us have a healthy skepticism towards sharing our most sensitive personal details and information with corporations or people. Identity theft is a common crime that can destroy people’s lives, and it happens when criminals get their hands on your personal data. You can’t always trust corporations or individuals to keep your data secure, so you try to keep your data to yourself as much as possible.

However, many people trust the government with our data (though they probably shouldn’t, as recent events suggest). After all, we don’t always have a choice, since some of our identifying information is given to us by the government (like social security numbers, passport numbers, etc.). Moreover, as we saw with the unprecedented Equifax data breach, our government can share our data wholesale with private companies totally unprepared to protect our information with the cybersecurity it deserves.

What can you do?

The report outlines the action steps that the government needs to take to shore up the significant gaps in its cybersecurity. We can only hope that agencies quickly follow those steps to keep our data secure, but given the flagrant disregard for data security we’ve seen to this day, I wouldn’t bet on it. Consider pressuring your local representative by letting them understand how important cybersecurity is to you.

What you can do for now is reduce your data footprint as much as possible. Reduce, as much as you can, the information collected about you by both government and private entities. This involves common-sense moves like disabling location tracking on your phone and reducing the number of websites and apps that have your data, but that’s not enough. A premium VPN like NordVPN should be just one of many tools and methods in your arsenal to ensure that your data stays secure and safe.