Federal IT professionals: Cyberattack on U.S. critical infrastructure looming

A majority of federal IT professionals believe the United States is at risk for a major cyberattack, one against which the country is not adequately prepared to defend itself, according to a recent survey.

Security vendor Lumension surveyed 201 IT professionals — from the executive level to operations — between 18 and 26 February, and found that 61 percent of them believe the potential in the next year for a cyberattack against critical IT infrastructure from a foreign nation is “high.” Moreover, 42 percent of them think the U.S. government’s ability to prevent or handle such an attack is merely fair to poor.

“This notion of advanced, persistent threats against critical infrastructure was certainly proved in this research,” said Ed Brice, Lumension’s senior vice president of worldwide marketing.

InformwationWeek’s Elizabeth Montalbano writes that respondents to the survey, called the “Federal Cyber Security Outlook for 2010,” cited several challenges within current federal IT departments that are hindering efforts to protect networks against cyberattacks.

Among them are the complexities of integrating multiple technologies found in networks, as well as aligning the needs of IT departments with objectives executives set in the department.

Moreover, some of the risks to critical infrastructure may come from inside a federal agency, according to survey respondents, 49 percent of which said they believe that negligent or malicious insiders or federal employees are the largest IT security risk.

Federal compliance efforts undertaken in recent years also are not working as well as they should to protect networks, according to survey respondents, who seemed to find them more trouble than they’re worth.

In the last several years, the federal government has enacted regulations, including the Trusted Internet Connection (TIC) and the Federal Education Security Management Act (FISMA) to strengthen security of federal networks.

Fifty-seven percent of respondents said their biggest challenge to meeting federal compliance regulations was lack of resources — that is, skilled personnel, bandwidth, and budget, while 43 percent cited increasing audit burdens such as time and paperwork as a challenge to meeting regulations.

“Compliance for the sake of compliance is not going to be effective,” Brice said. Lumension concluded from the responses to the survey that rather than merely meeting compliance requirements to pass regular audits, the government needs to shift to a more proactive compliance model that continuously monitors networks for attacks, he said.

Montalbano nots that there was some good news in the survey, however. Even if compliance is not doing the job it is intended to do, the majority of respondents think it has made networks more secure than a year ago.

Thirty-eight percent of the respondents said the impact of compliance regulations has enabled them to secure more funding and personnel for their departments, while 32 percent said the impact of compliance regulations has allowed them to make additional technology purchases.

The Obama administration is well aware of the growing cybersecurity threat in the United States and has been busy trying to address the issue.

The Senate is currently considering broad cybersecurity legislation that would help foster collaboration between the federal government and the private-sector companies that own critical infrastructure, while the House of Representatives recently passed a cybersecurity bill of its own.

Meanwhile, DHS also is engaged in ongoing efforts to assess the cybersecurity threat and help private-sector infrastructure owners have access to important intelligence information government agencies collect to be better prepared against threats.

Indeed, a better partnership between the government and the private sector is necessary to better protect the U.S. against cyberattacks, Brice said. “We need to have a government-private partnership that unlike other government-private partnerships has to be non-toxic, collaborative and productive,” he said.