Government’s response to 2015 OPM data breach hasn’t improved U.S. federal agencies’ security: study

More than half of polled federal cyber executives in the United States said they don’t agree that the government’s response to last summer’s massive Office of Personnel Management (OPM) data breach has improved their agency’s security.

The State of Cybersecurity from the Federal Cyber Executive Perspective – An (ISC)² Report, released on Thursday, revealed that the OPM breach that compromised the personnel records of 21.5 million current, former and retired federal employees and contractors in June 2015 wasn’t the wake-up call many thought it would be, despite U.S. President Barack Obama’s call-to-action imposed on federal agencies.

In fact, 52% of respondents disagree that the call-to-action exercise improved the overall security of federal information systems. Twenty-five per cent of respondents said their agency made no changes in response to the OPM data breach; and still, a year later, 40% of respondents surveyed believe their agency lacks an effective response plan.

The survey was conducted by (ISC)², a not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with over 114,000 members in more than 160 countries. The survey, which was sponsored by KPMG LLP, includes responses from 54 cyber executives in the U.S. federal government, including those working in defence, intelligence and civilian agencies and the U.S. contracting industry. Respondents can be characterized as senior-level and highly experienced, with nearly 90% having worked in cybersecurity for more than 10 years and 30% for more than 20 years.

Related: US personnel chief Katherine Archuleta resigns after more than 21 million affected by hack

Other key findings included:

• An “alarming” 59% of respondents said that their agency currently struggles to understand how cyber attackers could potentially breach their systems, with 41% indicating their agency is not aware of where key assets are located;
• Almost two-thirds (65%) either disagree or strongly disagree that the federal government as a whole is capable of detecting ongoing cyberattacks;
• Federal cybersecurity executives are disheartened by the current environment, with 25% “unsatisfied or extremely unsatisfied” in their jobs and considering leaving their agency; a disturbing finding given that the federal government is already struggling to populate its understaffed cybersecurity workforce with talented and experienced cybersecurity leaders and practitioners;
• The lack of accountability was a consistent theme throughout the survey results, as 21% of respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity;
• Respondents indicate that certain departments within agencies do not view cybersecurity as important to their departmental functions, the most notable being human resources, purchasing/procurement and communications/public relations.
• Leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability, with 42% of respondents indicating that people are currently their agency’s greatest vulnerability to cyberattacks; and
• The technology solution overwhelmingly identified by respondents for its significance as a game-changer was “predictive analytics.”

“I’m greatly concerned about the apparent lack of accountability this survey found, with 21% of respondents indicating there is no senior leader in their agency solely responsible for cybersecurity,” said Tony Hubbard, KPMG principal who advises federal agencies on cyber risk. “Clear reporting lines and accountability are foundations for a good cybersecurity program and we hope this report sheds light on this issue. We look forward to the appointment of a federal CISO – that’s a step in the right direction.”