Almost half of federal government agencies have had their data security breached, according to a recent survey of security and IT management professionals. While that’s a sobering number, it’s also not surprising, given that these organizations are prized targets for cybercriminals and rogue nation-states.
And while new technologies such as artificial intelligence can enable agencies to improve the user experience and support other stakeholders, they also open the door to previously unknown security vulnerabilities. The solution to this dilemma lies in the adoption of technologies including phishing-resistant multi-factor authentication (MFA), encryption of data at rest and in motion, secure and controlled cryptographic keys, and quantum-safe cryptography.
Those are some of the key takeaways from a recently released 2024 Data Threat Report — Federal Edition. What follows is a summary of those takeaways and how agencies and vendors can work together to help stem the rising tide of data threats.
This report was prepared by Standard & Poor and commissioned by Thales.
The threat landscape — spikes in malware, phishing and ransomware
The scope of data threat problems for federal agencies cannot be overstated. As noted above, about half (49%) of federal agencies and organizations have been breached. On the plus side, the number of organizations reporting a recent breach in the last 12 months has dropped from 47% in 2021 to 13% in 2024. This reduction is the result of a combination of factors, including directives such as:
The government is not taking data threats lightly, as shown by its continuing heavy investment in cybersecurity. The federal fiscal 2025 budget request includes approximately $13 billion for civilian cybersecurity-related activities.
Despite these efforts, the cyberattack landscape is growing quickly. Nine out of 10 federal organizations (93%) have experienced an increase in attacks — specifically in the areas of malware, phishing and ransomware.
The most common causes of cloud-based data breaches were cited as human error (27%), exploitation of a known vulnerability (27%) and failure to use MFA for privileged user accounts (20%). Misconfiguration (human error) was ranked as the top cause of external attacks.
In terms of planning, just over two-thirds of agency respondents (69%) said they are or will be using MFA to secure access to data in the cloud. While this is encouraging, organizations must ensure they utilize strong MFA such as hardware tokens and phishing-resistant MFA — for example, public key infrastructure (PKI) or Fast Identity Online (FIDO) passkeys — instead of SMS or email challenges.
Existing technological challenges, such as DevSecOps and a complex operational structure with multiple key management systems, remain significant security threats.
Two in five agency respondents (41%) noted that their organization uses five or more key management systems. That can be attributed in part to the surge in software-as-a-service (SaaS) applications across agencies — up from only 20 on average in 2022 to 84 in 2024. These results reflect an increase in cloud utilization because of an associated increase in the number of FedRAMP marketplace-certified vendors, with 354 classified as FedRAMP-authorized at the time of this writing.
Risks from emerging technologies
Perhaps more significant than existing threats are those coming from new technologies such as AI and quantum computing. Because classical encryption techniques are likely to be sidestepped by cybercriminals using a “harvest now, decrypt later” attack strategy, post-quantum cryptography (PQC) is seeing considerable interest. Among those who identified PQC as an emerging security threat, 44% said they are considering resilience contingency plans, and 50% would prototype or evaluate PQC algorithms in the next 18-24 months.
Agency interest in PQC is also being driven by a significant legislative focus. With the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems and the Quantum Computing Cybersecurity Preparedness Act (signed into law in late 2022), the government is stressing that agencies must work to deploy PQC-ready encryption techniques.
While artificial intelligence is seen in some circles as an arrow in the quiver of cybercriminals, the technology also is being integrated by federal organizations to improve the user experience. Approximately 31% of agencies and organizations plan to integrate AI into their core products and services in the next 12 months, and 27% of federal organizations are experimenting with AI. The enthusiasm for integrating AI must be tempered with the understanding that the same technology is being used by bad actors.
All of this increasing interest in new technologies has also underscored the need among federal agencies for better access control management. Almost half (48%) of survey respondents agreed that agencies should maintain control over their access security. About two in five (38%) agreed that access security solutions should be delivered by an agnostic security provider rather than a cloud service provider — particularly in multicloud environments. Improved access management and authentication play a key role in achieving zero-trust security, according to the survey results.
Next steps: The need for vendor/agency cooperation
In the face of these existing and emerging data threats, federal agencies need to step up their proactive measures to protect both assets and personal information.
While technologies such as AI, quantum computing, cloud and edge computing are driving new federal efficiencies and advancements, they also create new threat vectors. Numerous cybersecurity-related policies and strategies have come out of the government over the last few years to address security vulnerabilities and the importance of protecting critical data.
Although policy compliance is well underway, federal agencies have to have more than a “check the box” approach to security. Agencies should employ data protection best practices to improve security and reduce susceptibility. Such best practices include:
- Using phishing-resistant MFA. When developing a phishing-resistant MFA system, agencies should ensure that they consider three principles:
  1. Enterprisewide identity systems must be compatible with common agency applications, and should integrate both among agencies and with externally operated cloud services.
  2. Not all MFA methods protect against sophisticated phishing attacks. Therefore, agency staff, contractors and partners must be provided with phishing-resistant MFA solutions, such as PIV, FIDO2 and Web Authentication-based authenticators, and PKI certificate-based smart cards.
  3. Zero trust principles dictate that user authorization has more fundamental and dynamically defined permissions, such as attribute-based access control (ABAC).
- Encrypting data at rest, in transit and in memory. Data encryption with access controls governs who, what, where, when and how encrypted data can be accessed. Granular access controls enable administrative users to perform their duties while restricting access to encrypted data.
- Ensuring that cryptographic keys are secure, controlled and stored separately from encryption software. As agencies deploy ever-increasing numbers of siloed encryption solutions, they find themselves managing inconsistent policies, different levels of protection, and escalating costs. Key life cycle management tasks, including secure key generation, backup/restore, clustering, deactivation and deletion, should be managed centrally.
- Implementing quantum-safe cryptography. IT infrastructure equipment is often deployed for years or decades without hardware replacement. Consequently, in the post-quantum world, it’s important to make sure currently deployed hardware was developed with crypto-agility principles in mind, and to receive software or firmware updates now that post-quantum crypto algorithms and protocols are being standardized. Check with equipment providers to see what beta or technology preview firmware they have available for testing in non-production systems that implements pre-standardized quantum-resistant cryptographic algorithms. Setting up a PQC test environment is a good idea. This will enable organizations to start testing new technology without impacting production environments.
The need for better data security and threat mitigation in the federal sector is a cooperative challenge for both agencies and vendors. Advances on the part of vendors in key management and storage, such as hardware security modules and data encryption, can help smooth the road ahead for agencies as they take on new technologies to support their organizational missions.
Gina Scinta is deputy chief technology officer of Thales Trusted Cyber Technologies.