Federal Government, Data Security, and Cybercrime
In 2018, over 31,000 cybersecurity incidents were reported by federal agencies. The following year, the U.S. government accounted for 5.6 percent of all data breaches and 2.1 percent of exposed data in the country. October 2020 saw an attack by Iranian hackers on state election websites aimed at downloading voter registration information and conducting a voter intimidation campaign. Just a month later, multiple U.S. government agencies revealed breaches by Russian hackers.
A recently issued data breach notification bill, the Cyber Incident Notification Act of 2021, would “require Federal government agencies, Federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country.”
One of the pervasive challenges to building impenetrable federal government cyber defenses is human error, often the weakest link in the security chain. Government employees are prime targets for cyberattacks because they have access to sensitive data, such as financial, economic, and military records. Hackers typically target government employees using phishing scams, posing as trusted sources to access login credentials.
Aligning with Robust Industry Protocols
Federal government agencies must become more intentional about aligning their operations to the latest and most robust industry standards and protocols. This could involve:
- Pairing Common Access Card (CAC) and Personal Identity Verification (PIV) access with smart card readers, where the CAC/PIV card is the authenticator, and the smart card reader is used in the authentication process
- Securing their login.gov accounts with a FIDO security key to prevent phishing attacks from hijacking user accounts and compromising credentials.
How Can Identiv Security Keys Help?
Hardware security keys are increasingly being recognized as the sensible and responsible way to solve the federal government data security challenge.
The beauty of this approach is the authentication process: it is one-touch.
When users sign into their email or applications, for example, they enter their password and click “sign in”. But the process does not end there. They are required to supply a secondary authentication factor to prove they are who they claim to be and are authorized to sign into the account.
At this stage, the user inserts their unique, personal key into their device, presses the button, and access is granted immediately.
In technical terms, what happens here takes place in the background: a challenge-response exchange using public-key cryptography runs between the security key and the service provider. Because the private key never leaves the key and the signed response is bound to the genuine site, this eliminates the threat of users’ accounts being accessed via compromised credentials or a phishing attack.
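To make the background exchange concrete, the following is an added illustration written for this page; it is not Identiv code and not the login.gov implementation. It models a FIDO2/WebAuthn-style flow with Go's standard library: the service issues a random challenge, the security key signs the challenge together with the origin the browser observed, and the service checks origin, freshness and signature before granting access. The origin `https://sso.example.gov`, the user name and the lookalike domain are constructed placeholders, and the model omits the authenticatorData (rpIdHash, flags, counter) that real FIDO2 also signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the fields of WebAuthn's clientDataJSON that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the client returns to the service after the user touches the key.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator models a security key: one key pair per relying-party ID; private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert answers a challenge. The browser derives rpID from the page origin, so a
// lookalike domain finds no credential and the key refuses to sign at all.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: hex.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(cd) // real FIDO2 signs authenticatorData || SHA-256(clientDataJSON)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty models the service: its own origin, each user's public key, and the
// single-use challenge last issued to that user.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) RegisterUser(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that must come back signed.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// Verify checks type, challenge freshness, origin binding and signature, then retires
// the challenge so the same assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected client data type")
	}
	want, ok := rp.pending[user]
	if !ok || subtle.ConstantTimeCompare([]byte(hex.EncodeToString(want)), []byte(cd.Challenge)) != 1 {
		return errors.New("challenge missing, stale or mismatched")
	}
	if cd.Origin != rp.Origin { // the signed origin is what defeats a phishing relay
		return fmt.Errorf("origin %q does not match %q", cd.Origin, rp.Origin)
	}
	digest := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	delete(rp.pending, user)
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("https://sso.example.gov")
	pub, _ := auth.Register("sso.example.gov")
	rp.RegisterUser("alice", pub)
	ch, _ := rp.NewChallenge("alice")
	as, _ := auth.Assert("sso.example.gov", "https://sso.example.gov", ch)
	fmt.Println("genuine site:", rp.Verify("alice", as))
	_, err := auth.Assert("sso-example.gov", "https://sso-example.gov", ch)
	fmt.Println("lookalike site:", err)
}
```

The two rejection paths are the ones that matter for the phishing claim above: a lookalike domain maps to a different rpID, so the key has nothing to sign with, and even if a relayed challenge were signed, the origin embedded in the signed client data would not match the service's own origin. Retiring the challenge after one successful check also blocks replay of a captured assertion.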
FIDO Government Deployments
Through its login.gov program, the U.S. General Services Administration (GSA) has rolled out a single sign-on approach across different agency applications. Use of FIDO (Fast Identity Online) is one option. FIDO2 is a set of strong authentication standards enabling users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. After a thorough review, GSA found FIDO2’s phishing resistance made it the most appropriate approach to address its security challenges.
The login.gov platform provides single sign-on for U.S. public and federal employees to interface and transact with federal agencies online. With one account, users can access services like the federal government’s job board, USAJOBS, and the Department of Homeland Security’s Trusted Traveler Programs, such as Global Entry.
Other federal bodies have made recent legislative and programmatic moves to boost their levels of data security. These include:
- National Cybersecurity Center of Excellence: Mobile Single Sign-on for Public Safety/First Responders
- NIST: Digital Identity Guidelines: Implementation Resources for SP 800-63-3 Program
- Office of Management and Budget: Implementation of OMB memo M-19-17 – FICAM Policy
- Drug Enforcement Administration: Electronic Prescribing of Controlled Substances
While these moves are welcome and warranted, is it feasible to bring a standard, robust approach to what still remains a piecemeal legislative patchwork?
The easiest and most effective option is to invest in hardware-based security keys supporting FIDO2 specifications.
uTrust FIDO2 GOV Security Keys
Federal government agencies need to shift to a mindset where security is implicitly attached to data and the users who need to access it. If they fail to act decisively, they will face a future littered with data breaches that have far-reaching implications.
The good news? Hardware security keys, like those offered by Identiv, put the power (literally) back into their hands and allow them to focus attention on what matters: protecting data and identities.
Identiv’s uTrust FIDO2 GOV Security Keys meet FIPS 140-2 and NIST guidelines for high-assurance strong authentication. With multi-protocol FIDO U2F, FIDO2, smart card (PIV), and OTP support, our security keys are resistant to phishing attacks, safeguarding your credentials and accounts.
Federal Identity and Cybersecurity Solutions
Learn more about how Identiv tackles cybercrime in the U.S. federal government with hardware security keys.