When Ignorance Isn’t Bliss: Emerging Cyber Threats Put Risk Mitigation Capabilities to the Test

In 2014 alone, more than a billion personal data records were compromised by cyber attacks, a 78 percent increase in the number of compromised records over the previous year. From 2014 and continuing into 2015, the federal government suffered over a dozen major cyber breaches initiated by external actors. Now a recent report by RAND says these trends will only continue, citing new research advances that have the capability to “generate large quantities of exploitable bugs” in data infrastructures.

In light of these concerns, and in order to understand what factors agencies are considering when devising ways to mitigate information risk, Government Business Council (GBC) conducted a flash poll in June 2016 on the following question:

The poll yielded 107 responses from self-­identified project/program managers operating in the federal government. Respondents were asked to select all answer choices they considered applicable to their organization’s current risk mitigation situation. Overall, respondents regard emerging cyberthreats/external vulnerabilities as the most challenging variable (47%) facing their risk mitigation capabilities. Many are also concerned at the state of employee education and awareness of risk factors (38%), the quality of communication channels among stakeholders (32%), and the level of in­house technical expertise they observe in their organization (27%).

Overall, the top three challenges seem to indicate a general anxiety agencies feel about the volume and variety of cyber threats facing them in the years ahead. Moreover, it is clear that educating employees on risk factors and communicating such risks to stakeholders will be paramount to developing an effective risk mitigation plan.

Recently, Secretary Jeh Johnson of the Department of Homeland Security (DHS) put forward a solution to address these concerns with the Automated Indicator Sharing (AIS) system, which aims to improve information sharing about cyber threats with the private sector, provide involved parties with new liability protections, and require the scrubbing of any personally identifiable information that is swapped during such exchanges.

Likewise, employee awareness of risks merits serious attention. Just ask Admiral Michael Rogers, director of the National Security Agency: “We don't give weapons to everyone in the [Defense Department],” Rogers says, “but we do give them a keyboard. You may have the greatest technical solution in the world about how you defend a system, [but] bad user behavior, bad choices, [will] start to make your defensive abilities really challenging.”

Certainly agencies should continue investing in sound cyber defense and risk mitigation technologies to prepare for the threats ahead. But beyond technical solutions alone, agencies can go a long way to consolidate their cyber forces by increasing risk awareness and engaging stakeholders openly about the threats of tomorrow before they strike today.