Federal IT pros say U.S. at high risk for cyberattack

Almost three-quarters of the government IT administrators polled in a new survey believe the U.S. is likely to face a cyberattack from a foreign country in the next year.

Key IT decision makers who work in national defense and security were questioned in a new Clarus Research Group survey commissioned by Lumension and released Tuesday. Among those polled for the "Federal Cyber Security Outlook for 2010 Survey," 74 percent expect a cyberattack from foreign shores in the next year.

What types of threats and security risks do federal IT professionals fear the most? Among the respondents, 64 percent said they're worried about the growth and sophistication of cyberattacks, while 49 percent expressed concern over negligent or purposely malicious employees or insiders creating trouble.

These risks are also heightened by a lack of sufficient resources and coordination: 42 percent said they don't have the budget or staff to properly address security risks, 25 percent noted a lack of integration between security and overall IT operations, and 22 percent said there's no coordination between security and their IT operations.

The holes in IT security within the government have already left the door open for attacks. Over the past year, 59 percent of those polled said their agency or department was hit by viruses or malware, 53 percent said that internal notebooks, desktops, and other devices have been stolen, and 50 percent reported the loss of sensitive information due to a negligent employee.

The White House, under both President Bush and President Obama, has struggled to try to clean up the nation's weaknesses in cybersecurity. In 2008, the Department of Homeland Security established the National Cyber Security Initiative as an attempt to coordinate national security with the private sector and within the government itself. This past December, the White House appointed a new cybersecurity chief.

Despite these and other efforts by the government, more than half of the IT pros questioned by Clarus Research expect only minor changes as a result. Of those polled, 41 percent said they've spent less than 10 percent of their time in the past year working on the National Cyber Security Initiative.

Overall, only 6 percent of those surveyed rated the government's ability to stop or deal with cyberattacks on critical U.S. operations as "excellent," while 42 percent rated it as "only fair" or "poor." Most did express more confidence in their level of IT security today versus a year ago, but mainly due to improvements in technology, better collaboration between IT security and operations, and internal audit requirements.

"Unfortunately, when it comes to our infrastructure, we are already under attack and are faced with the reality of a growing and advanced persistent threat from foreign entities that are targeting our critical U.S. infrastructure," Lumension CEO Pat Clawson said in a statement. "The traditional government responses we've seen so far, such as naming a security coordinator, announcing a cyber security initiative, and focusing on compliance initiatives will not alone successfully address this problem."

What does the future hold? Those polled expect that the next few years will see growing threats to U.S critical infrastructure from foreign countries and terrorist groups. In response, Clawson, who has a background in security, offered a few suggestions in a recent blog posting and laid out some specific steps:

We must do three things if we are to truly empower and implement a robust national cybersecurity plan. One--we need to have an empowered cyber security czar, with budget and policy authority, reporting directly to the president.

Next--given that 90 percent of our critical infrastructure is owned or managed by private entities, we need a collaborative government and private sector partnership to better understand the risks at hand and to better define IT security standards, practices, and contingency plans in the event of a major attack.

And finally--we need to shift from an absolute focus on being compliant with ad-hoc audits for verification, to one of being secure and continuously monitoring our IT environment to ensure that the proper controls are always in effect.