The federal government is falling behind in a “cyber arms race,” putting millions of taxpayers’ personal information at risk, digital security experts told a joint hearing of two congressional subcommittees Friday.
Hackers ranging from hacktivists to state-sponsored attackers will continue threatening the federal government’s digital networks to steal personal information and state secrets unless agencies make major improvements, cyber experts told the Research and Technology, and Oversight subcommittees of the House Space, Science and Technology committee.
“Without a doubt, we are currently engaged in an escalating cyber arms race with entities that are methodical, sophisticated and effective,” cyber expert and VMware Senior Vice President Martin Casado told the panels. “They will continue to probe our cyber infrastructure for vulnerabilities and they will continue to exploit our agencies’ networks whenever possible.”
“It is clear to our nation and to those who perpetuate these attacks that the way in which we protect our national cyber infrastructure, the way in which we design and deploy cyber security systems across federal agencies is insufficient.”
Casado is no rookie in the cybersecurity sphere. He previously oversaw networks operated by U.S. intelligence agencies as a researcher at the Lawrence Livermore National Laboratory in Northern California. He later sold a cybersecurity startup for $1.28 billion to his current employer, which is the fourth largest software company in the world.
Larry Clinton, the president and CEO of the Internet Security Alliance, also saw the government’s failure to build an effective cybersecurity infrastructure.
“We are not doing enough to combat the growing cyber threat, and what we are doing, we are not doing nearly fast enough,” Clinton testified. Clinton said the slow-moving legislative process has been another problem in the government’s ability to do what it needs to do in the cybersecurity realm.
Casado recommended switching to a cybersecurity method that would confine a hacker who has breached an agency’s network to just one section of it. He also suggested the federal government invest in better cybersecurity technology.
But some solutions are much simpler and cheaper. The government could adopt better “cyber hygiene” with basic changes, such as using more sophisticated passwords and encrypting devices, CEO and chairman of international cybersecurity firm Telos Corporation, John Wood, told the subcommittees.
Already, Americans have suffered from the federal government’s failure to build effective cybersecurity.
The private information of an estimated 22 million individuals was compromised last year after a cyberattack on the Office of Personnel Management (OPM), the federal government’s central human resources operation.
“This breach has put our nation’s blood and treasure at risk,” Casado said. “As is apparent from publicized accounts, the nature of the security breach at OPM is not particularly unique.”
OPM has an “overall lack of compliance that seems to permeate the agency’s IT security program,” according to a report by the agency’s inspector general. The report added 23 systems had not been through a thorough security controls assessment.
“Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack,” the IG continued.
The OPM breaches also highlighted cybersecurity challenges in both the public and private sector.
The number of IT security incidents at federal agencies, for example, has increased by over 1,000 percent from 2006 to 2014, according to the Government Accountability Office. Private companies, including Target, eBay, and J.P. Morgan-Chase, have also faced recent cyber attacks, which often sought individuals’ private information.