
Digital Briefing Center: Cybersecurity

The must-have guide to the most important issues in cybersecurity facing today's federal leaders

Welcome to Cybersecurity Explained, the first in a series of Parallax decks designed by Government Business Council (GBC) to provide readers like yourself with a 2-minute introduction to topics in federal management, defense, and tech, as well as helpful graphics, links, and context.

Please feel free to scroll through the page or use the navigation bar at the top to jump to a specific topic. Content will be updated on a continual basis with the newest information at the bottom of the page.


What is cybersecurity?

Cybersecurity refers to the processes and mechanisms used to protect digital equipment, networks, and data from unauthorized access, theft, or destruction.

As consumers and citizens, we have become increasingly reliant on digital technologies in virtually all aspects of our social, economic, and political lives. It's all too easy to take for granted the ability to send email, store personal information, and conduct financial transactions via the Internet securely and privately. However, when the mechanisms designed to protect our information against unauthorized access or seizure fail, the costs are often staggering.

$70-140 billion: the annual cost of cybercrime to the U.S. economy alone (McAfee & CSIS, 2014)

According to estimates by the security firm McAfee and the Center for Strategic and International Studies, cybercrime costs the U.S. economy between $70 and $140 billion each year -- roughly 0.5-1% of GDP.

You can think of cybersecurity as a kind of arms race between attackers seeking to exploit vulnerabilities built into the code that our digital devices run on, and defenders aiming to patch those errors and thwart the attackers' every move. But as the Heartbleed and Shellshock bugs demonstrated, defense has a lot of ground to cover and often no way of knowing that a vulnerability even exists until it gets exploited. As a result, cybersecurity technologies, as well as the professionals who develop and deploy them, are in high demand in both the public and private sectors.


Federal Cyber Threats


How big a problem are cyber attacks against federal agencies?

In short, a big problem. In 2013, the latest year for government-wide statistics, federal agencies were the target of 46,160 cyber attacks, according to an April report by the Government Accountability Office. This represents a 33 percent jump from the year prior. While most Americans know the name Edward Snowden, fewer know that in June 2013 hackers stole personally identifiable information from the Department of Energy, costing taxpayers $3.7 million, or that in January, investigators uncovered a malware hosting service responsible for infecting millions of computers worldwide – including those belonging to NASA and other agencies.


[Figure: Number of Cyber Incidents against Federal Agencies, 2010-2013. Source: Government Accountability Office]


The most troubling thing is not the sheer number of attacks against the federal government (the vast majority of them are quite small and ineffective); it's the evolving sophistication of weapons in the hacker's arsenal.


Which cyber attacks are most dangerous?

In June 2014, GBC deployed a survey on cyber threats to a random sample of Government Executive, Nextgov, and Defense One subscribers and received 424 responses from federal employees at the GS/GM 11-15 levels and members of the Senior Executive Service.

According to federal officials, a technique known as a "phishing" attack represents the greatest threat to federal data security. In a phishing attack, the prospective intruder attempts to gain an unsuspecting target's credentials by luring him or her to a webpage infected with malware, often by sending the target a fake email or message with a link intended to appear identical to one from a bank or social media site. Once the target follows the link, the embedded malware proceeds to mine user names, passwords, credit card information, and other sensitive data. Phishing scams are responsible for a significant amount of the identity theft committed each year.



A common theme throughout the GBC survey responses is that the most effective techniques are often those that rely on tricking individuals into inadvertently handing over their credentials. These types of attacks, known as "social engineering," are frequently much more harmful than brute force methods like denial of service attacks because they can allow attackers to gain access to secure internal networks, where they can lie hidden for days or even months.


What are federal agencies doing about cyber threats?

Overall, federal employees reported mixed feelings on the state of cybersecurity in their agencies. For example, only 65 percent were confident in their agency's ability to protect its information systems, while only 60 percent were confident in their agency's ability to keep up with evolving threats.

Given that social engineering attacks pose some of the greatest threats to federal data security, it is perhaps unsurprising that over half (52 percent) report the need to improve workforce education, cybersecurity literacy, and awareness training. Similarly, 51 percent express the need for more comprehensive risk management procedures, ranging from developing strategies to improve situational awareness, to continuity of operations planning (COOP), to disaster recovery.

"Until all security mandates are in agreement, agency responses to new/evolving threats will be inconsistent. Agencies face a dilemma in determining how far to go on their own." (GBC Survey Respondent)

65 percent of federal employees are confident in their agency's ability to protect its information systems

60 percent of federal employees are confident in their agency's ability to keep up with evolving threats


Continuous Monitoring


What do you mean by "continuous monitoring"?

As agencies look for innovative strategies to detect and report unauthorized network access, continuous monitoring (or continuous diagnostics and mitigation [CDM]) is regarded as among the most promising. Initially developed as a risk management framework by NIST, CDM works by deploying automated sensors that can continuously scan a network in search of anomalous patterns that might represent an incoming cyber attack or malicious insider.

The goal is to shift the paradigm from static and labor-intensive cybersecurity practices that involve conducting risk analyses every three years, to greater reliance on automated systems that can scan a network every three days. By doing so, agencies should be better able to detect, quarantine, and report intrusions more quickly, thereby minimizing potential damage to critical networks and infrastructure. According to many cyber experts, the potential advantages of continuous monitoring are hard to overstate. The Center for Strategic and International Studies estimates that government-wide adoption of CDM could prevent up to 85 percent of the cyber attacks that agencies currently face.

85% of current cyber threats are preventable with continuous monitoring (CSIS, 2013)


What role does big data play in cybersecurity?

Federal officials are finding that perhaps the greatest challenge in adopting continuous monitoring is the sheer volume of data generated. Effective CDM requires not only raw storage capacity, but also tools to sift through massive data inflows in search of minute patterns. For the average agency with a 10 Gb/second Internet connection, this means sorting through roughly 100 TB (terabytes!) per day. What was previously a security problem has evolved into a big data problem, placing onerous demands on the federal government’s aging storage infrastructure.


What do federal officials think about big data analytics' role in CDM?

In August 2014, GBC deployed a survey on big data analytics and cybersecurity to a random sample of Government Executive, Nextgov, and Defense One subscribers and received 155 responses from Defense Department employees at the GS/GM 11-15 levels and members of the Senior Executive Service.

The vast majority of respondents report that they see big data analytics as an effective complement to their agency's current methods and an important component of their agency's efforts to implement continuous monitoring. 79 percent say they see big data analytics as an effective tool for monitoring cyber threats, while 75 percent say it plays a key role in their agency's strategy.




In a CDM strategy, big data analytics are used to detect unauthorized hardware and software, discover known vulnerabilities, and identify hardware and software misconfigurations. By sifting through the terabytes of routine traffic data, analytics software can detect anomalous patterns that could signify an intruder, thereby allowing network administrators to investigate the anomaly and revoke access before more damage is done.


79 percent of DoD officials see big data analytics as an effective tool for monitoring cyber threats

75 percent of DoD officials say big data analytics play a key role in their agency's cyber defense strategy


With cyber threats showing no signs of slowing down, more and more agencies will begin to see an operational role for big data analytics beyond performance management or fraud detection. Protecting the nation's critical networks and infrastructure will require the vigilance that only real-time data analysis can provide.


Cyber Policy in 2015


What does the White House propose we do about cyber threats in 2015?

Following the widely publicized cyber attacks against Sony Pictures, in December 2014, the Obama White House unveiled a new policy for bolstering security in cyberspace, in part by incentivizing greater information sharing between the private sector and federal government.

White House Legislative Proposal


  • Enabling Cyberspace Information Sharing

The cornerstone of Obama's 2015 cybersecurity policy will involve working with Congress to pass a law that provides incentives for private entities to share cyberthreat-related information with federal agencies. Under the proposed bill, companies responding to a cyber attack by notifying the Department of Homeland Security's National Cybersecurity and Communications Integration Center will receive targeted liability protections from certain regulatory penalties or lawsuits that typically follow public disclosure of a data breach.

  • Modernizing Law Enforcement Authorities to Combat Cybercrime

A second facet of the proposed bill would broaden federal law enforcement agencies' authority to investigate and prosecute cyber crime of a financial or commercial nature. The statute would allow the government to prosecute those engaged in selling malware or botnets, criminalize the sale of stolen U.S. financial information, and empower federal courts to shut down botnets involved in distributed denial of service (DDoS) attacks. It would also update the Racketeer Influenced and Corrupt Organizations Act (RICO), often used against organized crime, to include provisions for cybercrime.

  • National Data Breach Reporting

The third component of the White House's legislative proposal would require businesses that have experienced a data breach to notify all customers whose personally identifiable information may have been compromised. The statute would standardize and clarify existing data breach notification laws currently in place in 46 states and the District of Columbia.

Other Initiatives


  • White House Summit on Cybersecurity and Consumer Protection

On February 13, 2015, the White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University. The conference aims to facilitate discussion between senior officials from across the federal government; corporate officers representing leading firms in the technology, retail, and financial services industries; as well as consumer advocates, cybersecurity researchers, and students. The goal is ultimately to shape public-private approaches to improving cybersecurity technologies and practices, and to broaden the adoption of secure payment methods.

  • Grants to Historically Black Colleges for Cybersecurity Education

The Department of Energy will allocate $25 million in grant funding over the next five years to support a cybersecurity education consortium consisting of 13 historically black colleges and two national labs. The program is a continuation of the Administration's jobs-driven training initiative and aims to fill the growing demand for skilled cyber professionals in the U.S. job market while increasing diversity in science, technology, engineering, and mathematics (STEM) fields.


How big a priority is cybersecurity for the Obama administration?

In short, a big one. In the 2015 State of the Union address, President Obama stressed the need to better safeguard U.S. networks and critical infrastructure against cybersecurity threats from hackers, criminal organizations, and hostile nation-states. He urged cooperation between the White House and Congressional leaders to pass comprehensive legislation: 


President Obama's Remarks on Cybersecurity

State of the Union, 2015

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism." (President Barack Obama, 2015 State of the Union)

So why isn't everyone on board with the President's proposal?

The question of whether or not the federal government can or should force private companies to share information regarding data breaches with federal agencies is one of the most controversial issues in cybersecurity today. From a governmental perspective, information sharing is a no-brainer: the information provided allows the Department of Homeland Security to notify other organizations potentially victimized by a similar attack, as well as issue patches and guidelines to prevent similar breaches in the future. 

From an industry perspective, however, the benefits aren't so straightforward. For a company, publicly disclosing that you've suffered a data breach can often result in reputational damage, fines imposed under laws like HIPAA, and legal action by affected customers. By proposing liability protections for firms that disclose cyber attacks, the White House hopes more will choose to come forward in the future.

But to many observers, the President's proposal bears a striking resemblance to the Cyber Intelligence Sharing and Protection Act (CISPA) that failed to pass the Senate in 2013 amid heavy opposition by Internet privacy and civil liberties groups. Critics say legislation like CISPA would expand the amount of personal information private companies hand over to the government. Proponents argue that, unlike CISPA, the President's cybersecurity proposal includes privacy provisions that would oblige firms to strip the data shared with the government of any personally identifiable information.


About Government Business Council

Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decisionmakers, understanding the deep value inherent in industry’s experience engaging and supporting federal agencies.
