U.S. Can’t Detect When Cyber Attacks Are Under Way, Survey Finds

  • Groups surveyed 54 senior federal cyber executives in March
  • 25% said their agencies made no changes after OPM breach

A majority of senior federal cyber officials responding to a survey said they don’t think the U.S. government can detect cyber attacks while they’re under way.

Cybersecurity officials from the Defense Department, intelligence agencies and federal civilian agencies were questioned in the survey released Thursday by the nonprofit International Information System Security Certification Consortium Inc. and KPMG LLP. The organizations said the 54 executives who responded identified themselves as "federal senior managers or contractors with cybersecurity responsibility in government."

Sixty-five percent said they disagreed with the idea that the federal government as a whole can detect cyber attacks while they’re happening. In addition, 59 percent said their "agency struggles to understand how cyber attackers could potentially breach their systems," according to the report on the survey, which was conducted in March. A quarter said their agency made no changes in response to last year’s breach at the Office of Personnel Management, which compromised data on 21.5 million individuals and has been traced to hackers in China.

"There’s certainly concern that the next breach is just waiting to happen," Tony Hubbard, who heads KPMG’s cybersecurity practice, said in an interview.

Forty-percent reported their agencies don’t know where their key cyber assets are located.

"That’s pretty alarming," said Dan Waddell, who is North American director of the Clearwater, Florida-based certification consortium and worked on the study. "They still do not know exactly what they have in their inventory" and what devices hold critical data, he said.

Forty-two percent of the federal executives cited employees, contractors and system administrators as their greatest vulnerability with regard to a potential cyber attack. The report didn’t provide a margin of error for the small survey.