Federal Opportunity Alert: Cybersecurity Weaknesses at the Department of Transportation

by Chris Wiedemann, Senior Analyst

If you’ve been following our blog lately, you will have noticed a heavy focus on cybersecurity coming out of the government at a very high level, as mentioned by both Steve and Tom in the last few weeks. It’s not surprising that federal executives at the highest levels are dedicating renewed energy to this topic – there have been a number of high-profile and successful cyber attacks against federal systems lately. However, while attempts to solve sweeping issues at the level of legislation and executive policy are admirable, the fact remains that many (possibly all) government departments and agencies have real issues at the ground level that contribute to government-wide vulnerabilities. The good news for us is that many of those issues can be solved with COTS security technology.

To illustrate the point, let’s take a look at the Department of Transportation (DOT), which handles the fifth-largest civilian IT budget at a little over $3 billion. Although the department is best known for the NextGen program at the Federal Aviation Administration (FAA), it also handles a huge infrastructure – all of which needs to be secured. According to an Inspector General (IG) report from November, however, there are real deficiencies across DOT’s security posture, which can largely be described in three categories:

• DOT networks are not sufficiently covered for the purpose of detecting and reporting incidents to the Department of Homeland Security (DHS);
• Reported incidents are not remediated properly;
• Configuration baselines and configuration changes are not appropriately managed.

That last point is particularly serious. In fact, the IG report went on to estimate that only 63% of DOT computers were compliant with departmental security policies. In other words, there is a real configuration management challenge being faced here, and it represents an area of priority for DOT cybersecurity personnel. The department is also severely delayed in terms of response to identified incidents, and it still trying to determine how many medium-risk vulnerabilities are present in its security architecture, which makes DOT a great target for vulnerability assessment & remediation. Finally, continuous monitoring tools are a big requirement. Now that the continuing resolution is in place and agencies finally know how much money they have to spend for the rest of the fiscal year, we expect to see movement on quickly addressing some of these issues, both at DOT and in other departments.