The Department of Homeland Security is congressionally mandated to convey secret tips on cyber threats across industry and government. President Barack Obama stood up a center for U.S. spies to transmit similar reports internally. And the Senate is debating a bill that would make it easier for companies to inform the government about their own run-ins with hackers.
But this so-called information sharing is useless, according to a majority of federal and state IT security pros.
“When you look at large organizations like government enterprises, you are dealing with bureaucracy, and information that really should be shared doesn’t get shared quickly enough or it gets filtered,” Larry Ponemon, founder of research group The Ponemon Institute, said in an interview. “It basically gets stopped.”
This finding is one of several grim conclusions in an independently conducted Ponemon study on the state of cybersecurity at all levels of government. The report is set to be released today.
“Threat intelligence sharing is ineffective,” reads an advance copy of the survey reviewed by Nextgov.
About 57 percent of federal IT employees and 70 percent of state and local personnel say intelligence shared through a government exchange is only somewhat effective or not effective.
The issue is not that the information itself serves no purpose. Rather, the government throws up roadblocks that erode the timeliness of the data.
In general, “the problems aren’t because of the technology,” Ponemon said he believes. “But there is a bureaucracy inherent in government organizations that prevents information” from flowing.
Cultural issues are frustrating efforts by hands-on practitioners to stay ahead of threats, such as floods of paralyzing network traffic, he said.
“If you’re in the trenches and you see it coming at you, you can actually stop it or reduce the potential harm to your organization,” Ponemon said. “But what happens sometimes in these organizations is everyone needs double and triple approval” to give other targets a heads-up.
HP sponsored the survey, which polled 443 IT employees in the federal government and 402 IT workers in state and local government during July.
Federal agencies suffer a cyberintrusion about every two months, according to the findings.
The perpetrators largely are employees who do not mean any harm.
According to the study, the primary threat facing the federal government is the negligent insider (44 percent), followed by “zero day” attacks that piggyback off secret software vulnerabilities (36 percent). Contractor mistakes also are a major contributor to data breaches (36 percent). Nation states were the least common culprits.
“It’s not bad people doing bad things; it’s good people doing stupid things,” Ponemon said.