The farce of federal cybersecurity
Flawed technology management to blame
Over the past several years, various Washington entities, from the General Accounting Office to assorted Congressional committees, conducted surveys and issued reports on the state of the federal government's information security posture. In each case, with few exceptions, the findings range from the scathing to the downright embarrassing, and remain essentially unchanged since the mid-1990s.
Like any other issue involving government oversight, this process has become an annual Washington tradition - the reports are released; there's back-and-forth blather in Congress about how we need "to do more" to secure our federal networks; agency leaders and CIOs are called to testify on the Hill; some more blather, and perhaps a piece of legislation is introduced and dies before reaching the floor; and then the issue recedes into digital memory until next year's survey results are released - and the process begins anew, with little or nothing really changing.
It's no different than our annual visit to the dentist. We know he's going to admonish us to brush more and cut out the sweets, and we know that we're going to be embarrassed or uncomfortable as he tells us this to our face and makes notes in our patient file, but we endure it year after year, because it's something we have to do for good oral hygiene. Of course, we ignore his advice because it's inconvenient and, besides, candy is a tastier snack than celery.
This seems to be the approach taken by the majority of the federal government when dealing with the security of federal information systems. As you can see in the following articles going back to the late 1990s, there's much bad news and many prescriptions for improving things, but the patient refuses to cooperate... and the dentist is powerless (in this case, unwilling) to force him to change his ways:
Fed agencies' networks at risk
24 September 1998
Network security weaknesses in the 24 largest U.S. government agencies, including the Internal Revenue Service and the Defense Department, put critical government operations and data at "great risk of fraud, misuse, and disruption," according to the investigative arm of Congress.
Study: Government Web sites weak on privacy, security
12 September 2000
U.S. government Web sites and computer systems are failing to ensure adequate privacy and security, according to reports issued by the General Accounting Office. The reports strongly suggest that the federal government has not gone far enough to protect information submitted to the Web sites of its various agencies or in defending information systems from predators. The GAO's privacy study used the Federal Trade Commission's methodology for judging commercial sites as a yardstick for assessing the government's Web efforts. The FTC's fair information guidelines say that Web sites should post a privacy notice before collecting information from consumers, let consumers opt out of disclosing information, let consumers review information before submitting it, and provide adequate security to prevent unauthorized usage.
Report raps FAA for continued security lapses
27 September 2000
Despite its efforts to remedy serious security problems outlined in a government study this summer, the Federal Aviation Administration is still failing to protect its critical computer systems, including those used for air traffic control, according to a new government report on computer security released today. The report by the General Accounting Office was released and discussed at a hearing before the House Science Committee to investigate continuing computer security lapses at the FAA and how these lapses could affect travelers, the committee said in a statement.
U.S. agencies flunking in tech security
9 November 2001
Government agencies have some chronic problems with their computer security, according to testimony at a congressional hearing Friday. A subcommittee of the House Committee on Government Reform issued a set of grades - mostly failing - to government agencies regarding how well they are protected against hackers, terrorists and other miscreants. "There's no significant relationship between the percent of (an agency's) IT spending on security and the security performance of that agency," Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, said at the hearing.
Study: Feds Have Not Identified Vulnerable IT Assets
2 April 2003
More than four years after a receiving a presidential directive to determine if their networks were vulnerable to terrorist attacks, at least four federal agencies have not completed the processes of identifying critical agency assets and assessing their vulnerabilities, according to a General Accounting Office report released Wednesday. The GAO report, ordered by the House Energy and Commerce Committee to measure the pace of the critical infrastructure protection efforts of the agencies under the committee's purview, examined the Department of Energy, the Department of Health and Human Services, the Department of Commerce and the Environmental Protection Agency. "The agencies still have not completed the fundamental step of identifying their critical infrastructure assets and the operational dependencies of these vital assets on other public and private assets," the report states. "Once these assets and dependencies are identified, further steps will be necessary, such as conducting or updating vulnerability assessments, managing identified vulnerabilities, and ensuring that these assets are appropriately considered in planning for the continuity of essential agency operations."
U.S. Gov't Computers Get Barely Passing Grade
11 December 2003
Acknowledging that there is considerable work to be done, Adam H. Putnam (R-Fl), chairman of the U.S. House of Representatives Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, reported that the federal government's computer security has improved from a failing grade in 2002 to a passing grade in 2003. "The Federal Government should be the standard bearer when it comes to information security. Unfortunately, today's report card indicates anything but that. The Federal Government — overall — scored a D. While that's an improvement over last year's F, it's nothing to be proud of and much more must be done to secure our government computer networks," said Putnam.
House Panel Slams Federal IT Security
17 March 2004
Federal agencies aren't doing enough to secure their network systems, even as documented cyber-attacks against the U.S. government continue to dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday. Putnam pointed to the federal agencies' overall security grade of "D" issued in December and a General Accounting Office (GAO) study released Thursday reporting 1.4 million cyber-security attacks launched against government agencies and departments in 2003. The report said there were 489,890 attacks in 2002.
In some cases, these reports show marked improvements in specific offices or sub-agencies of the federal government, and those success stories should be made known both to the American people (as a sign that there are clueful security people making a difference in their agencies) and throughout the federal government as a helpful roadmap to improve security practices elsewhere. Unfortunately, these few truly noteworthy success stories are seldom reported by the mainstream press because good news doesn't pull in the ratings the way gloom, doom, and old-fashioned Washington finger-pointing does.
Like the much-vaunted but ineffective "certification and accreditation" process required for government and military systems, these annual assessments are an exercise in bureaucratic idleness designed to "address" but not "resolve" security problems in any meaningful fashion. After several years, the logic seems to be "why fix the problem when talking about it keeps us (and our contractors) employed?"
As a result, and contrary to popular belief and rhetoric, security for federal systems has been reduced to a check-box on our government's annual to-do list - as long as federal enterprise leaders can prove that work is being done on the matter, that's perfectly acceptable, it seems, because in federal security circles, "activity" (e.g., certification and accreditation) has been confused with "progress" (e.g., actually fixing things) and "job security" has been confused with "effective security". Agency leaders confirming this with Congress each year generally can avoid anything stronger than a verbal reprimand about their job performance, no matter how dismal security really is back home.
This solution is favored by politicians and agency heads who can avoid responsibility for fixing today's problems simply by deferring them into the future. In other words, the favored remedy for federal security problems is more talk, long-term research, meaningless reports, industry courting, and less real action in the here-and-now - all with the unspoken goal of maintaining the status quo and avoiding any responsibility whatsoever for today's many problems. The 2002 White House National Cybersecurity Strategy comes to mind as an example of this politically-safe and traditional approach to America's cybersecurity needs, however flawed it may be.
Indeed, billions of dollars are allocated for new commissions, long-term research on the "next" type of threats to our networks, continued "certification and accreditation" activities, and pondering the next-generation of security technologies (e.g., "activity") but there's little if anything spent on resolving the many problems that plague federal networks on a daily, if not hourly basis (e.g., "progress") to improve security today. To make matters worse, Congress seems more interested in having sensational authors and profit-seeking industry executives testifying on the matter - and espousing their special interests - than in a serious dialogue with well-known technologists who can provide rational thoughts on how to improve security effectively drawn from their ongoing real-world operational involvement with the IT security community and firsthand understanding of the threats, vulnerabilities, and risks of the digital age.
This contributes to a general level of ignorance and hypocricy in Congress and the federal government when making and enforcing federal (or national) cybersecurity policy. Or, as my network security friend ruefully notes about the wisdom of Congressional oversight in this area: "You have a basically clueless congressman whose own governmental body is one of the absolute worst offenders, infosec-wise, who has the gall to give us an F in security. I don't think [Congressman] Adam Putnam (R-FL and chairman of a House subcommittee conducting federal cybersecurity oversight) would know a secure system if it bit him in his rear....of course, he and his cronies have conveniently made Congress exempt from the examinations they so righteously pound the rest of us with every year." (Ironically, this is the same fellow proposing the government mandate computer security standards for the private sector last year.)
In the government's defense, however, such regular assessments are a useful tool to grade the management effectiveness of a federal CIO in exercising a significant part of their job description, but only if its findings are acted upon in a meaningful, lasting way. Specifically, and most importantly, this means holding senior agency leaders responsible for their agency's information security posture - or lack thereof.
If the security of federal systems is as important an issue as we're led to believe, there is no reason (other than political) why an agency technology executive or CIO should still be employed if there is not a marked improvement in his agency's information security over a prolonged period of time. Simply giving such leaders (or their supervisors, usually the agency head) an annual reprimand is a joke - absent any meaningful punitive sanction for failing to secure their networks adequately, there's no incentive for these executive-level folks to do anything more than continue confusing "activity" with "progress" and "job security" with "effective security" - thus perpetuating indefinately this federally-funded, frustrating, and dangerous cycle of inaction and ineffective security.
In most cases, keeping such people employed is a clear demonstration that mediocrity is the accepted standard for federal computer security practices. We continue to forget that no amount of gee-whiz GSA-certified technology or turnkey professional security certification programs will replace demonstrated career-based competence and common sense in those charged with overseeing the security of our most critical national or corporate networks - and that deferring today's unresolved problems into the future, while convenient, is an unacceptable course of action.
Perhaps before spending more to fix recurring technology problems, we try fixing the people responsible for repeatedly tolerating such problems in the first place. Technical engineers and systems administrators can be fired for poor job performance - it's about time that enterprise IT leaders get held to the same standards of job performance as well.
Granted, popular enterprise technology is nowhere as secure as it should be, but today's federal cybersecurity woes result more from flawed technology management practices than flawed technology. To that end, we need to foster and reward innovative, effective management processes in the federal computer security arena and terminate the current technology management and oversight philosophy that tolerates and rewards idleness and mediocrity while doing little to actually eliminate them.
The standards for acceptable cybersecurity are known: it's time to start holding the people in charge accountable to them.
Richard Forno is a Washington, DC-based security consultant and author. During the 1990s, he worked information security at the US House of Representatives when Congress first became 'wired' and started examining technology security issues. His home in cyberspace is at http://www.infowarrior.org.
Sponsored: Network DDoS protection