Defense Information Systems Agency (DISA) Data Breach – Lessons for Federal Agencies

February 25, 2020  Jeff B. Copeland

The Defense Information Systems Agency (DISA), the technical arm of the Defense Department that provides secure communications for the White House and the military, recently confirmed that itwas hit by a data breach last year exposing PII on perhaps 200,000 employees and contractors.

That such a sophisticated player could suffer a breach – well, it’s not surprising anymore but it is a stark warning to other federal government agencies to assume that a breach is inevitable, apply some rigorous risk assessment and plan security investments accordingly – ASAP.

RiskLens aids government agencies and private enterprises in running quantitative cyber risk analysis based on the FAIR™ model (or Factor Analysis of Information Risk). With FAIR, analysts can break down risk into component, measurable parts that aggregate up to a probable loss exposure in dollars (often, the results of a RiskLens FAIR analysis show the highest risks are the most unexpected). Analysts can then present decision makers with alternative tactics to reduce risk in cost effective ways.

FAIR quantitative cyber risk analysis isn’t just for private sector, bottom-line driven organizations – government agencies may have missions that are hard to define in monetary value but they very much have budgets to meet that are impacted by the direct costs of a data breach such as immediate remediation or longer-term changes to processes that can be priced in paid hours for officials or contractors based on an agency’s costs for previous IT projects – as well as the cost of acquiring new software or hardware for increased security.

For the secondary costs of a data breach, agencies can have the same types of loss exposure as private companies, such as:

  • Offering free credit monitoring to employees whose private information was exposed. DISA has already made the offer. The federal Office of Personnel Management is paying out more than $400 million for credit monitoring for its employees affected by the massive hack of their PII data in 2015.
  • Paying attorney fees or judgments in court cases against the agency by employees claiming harm from disclosure of their personal information. Although it has given our few details about the hack, DISA does deny there is evidence of misuse of the exposed PII – but a recent ruling by the D.C. Circuit Court held that employees had standing to sue the OPM without having to show previous harm.

The RiskLens Platform for cyber risk quantification features out-of-the-box data on judgements for breach cost analysis and credit monitoring ingested from Advisen and proprietary data sources, to build loss tables tailored for corporate and government clients.

The RiskLens Platform also enables ROI analysis for risk reduction tactics. In the case of data breach risks that might include reducing stored PII, implementing data loss prevention (DLP) controls on email, tokenization or encryption of data, moving data to a more secure cloud environment, each with an investment cost and – by changing the inputs in the RiskLens analysis – a measurable and comparable benefit in loss exposure reduction.

While the DISA breach should motivate federal cybersecurity leaders to take a closer look at quantified cyber risk management, in fact, that movement is already underway.  The GAO’s report from last year on cybersecurity failures at 23 agencies and departments laid blame in many cases on lack of a quantifiable, rigorous security metrics.  And influential cybersecurity framework NIST CSF that forms a basis for the 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and for FedRamp and other federal IT standards has incorporated FAIR as one of its recommended best practices for risk assessment and management.

For more on that movement, stop by the next meeting of the Government Chapter of the FAIR Institute to meet the agency officials putting it into action.