Experts Warn Federal Cyber Strategies Increasingly Lack Accompanying Resources

A new federal plan to align the cyber defenses of government agencies is likely to encounter significant roadblocks, said cybersecurity experts who cited challenges such as resource distribution, leadership engagement and a range of operational and governance issues.

With a digital infrastructure as diverse and complex as the federal enterprise, it can be hard to know where to start when it comes to fortifying defenses. The U.S. Cybersecurity and Infrastructure Security Agency acknowledged this fact Monday in its Federal Civilian Executive Branch Operational Cybersecurity Alignment plan, writing that diverse approaches have left the federal enterprise without consistent baseline security practices and made it vulnerable to a range of attacks.

CISA urged agencies to provide increased operational visibility into their assets and vulnerabilities as part of an apparent effort to accelerate risk reduction through enhanced detection and response. But with a government shutdown possible as congressional spending negotiations stall, analysts said agencies may be too cash-strapped and nervous to launch an additional series of cybersecurity initiatives.

"Federal agencies may struggle to allocate sufficient resources for implementation while maintaining their existing operations, especially in today's unpredictable federal budget cycle," said Bill Wright, global head of government affairs for Elastic. He added that "too many agencies are still reliant on insecure legacy software and outdated architectures" and that "balancing these different starting points and agency specific needs and missions through collaborative development will be crucial."

The CISA guidance includes some cybersecurity best practices, tasking agencies with implementing enterprise-wide identity management solutions, hardening systems controlled or hosted by third parties and isolating different resources from one another through host or network-based segmentation. It's a "broad brush," according to Bill Moore, CEO of the security firm Xona.

CISA's FOCAL plan "is too broad in its prescription for alignment goals under each priority area," Moore told Information Security Media Group, noting how certain alignment goals - like building a defensible architecture - do not include any mention of critical infrastructure systems or operational technology.

"How are critical OT systems such as HVAC, fire suppression, fueling systems, cameras and surveillance systems being managed through a policy enforcement point?" he added.

CISA did not immediately respond to a request for comment. Much of the plan focuses on calls to enable CISA's persistent access capabilities, with warnings that "nation-state actors have demonstrated the ability to gain and maintain access to FCEB assets for extended periods." Travis Rosiek, public sector chief technology officer at Rubrik, described warnings of a sophisticated and persistent cyber threat actor already in the FCEB's systems as a "constant theme" in the FOCAL plan and said that acknowledging the severity of federal vulnerabilities "is the first step in helping address the problem."

"That said, cybersecurity budget constraints, over reliance on compliance requirements and sluggish acquisition processes are significant challenges that FCEB organizations face," he added.

Government watchdog reports have called on federal agencies to fully implement incident response requirements and further address critical cybersecurity challenges for years, warning that more than 500 cyber recommendations remain unimplemented as of May 2024.

CISA's latest guidance says that increased cross-agency technical exchanges, information sharing and feedback about operational challenges can decrease "the likelihood and severity of future incidents." But experts say the long-term challenges that plague federal cyber efforts will continue to hinder agencies as they work to implement the new FOCAL plan.

"Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge," said John Vecchi, security strategist at Phosphorus Security. "It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks."