Tuesday, June 16, 2009

The limits of a cyber czar (FCW)

The limits of a cyber czar

Many of the government's chief security challenges are for agencies to address

As President Barack Obama announces plans to appoint a cybersecurity coordinator, cybersecurity continues to challenge agencies in ways that the eventual appointee might find difficult to fight.

Identifying the chief vulnerabilities in federal cybersecurity is easy: incomplete inventories of systems so agencies do not know what computers they are running; insecure configurations; delays of weeks or months in installing patches; a critical shortage of employees with advanced technical skills to do forensics and intrusion detection and code reviews; and custom software with programming errors that provide easy access for attackers. A more complete list is embedded in the report, "Twenty Critical Security Controls," published by the Center for Strategic and International Studies.

Sadly, solving most of the problems falls to individual agencies more than to a cyber czar. Agencies would have fixed most of them already if they had the means. So the question is: What are the most critical impediments stopping agencies from doing the right things?

Here are three of the biggest.

1. Chief information officers and procurement officials allow systems integrators and software vendors to deliver systems and software with security flaws. When the flaws are discovered, integrators demand more money to fix their own errors — often more than the cost of the flawed software itself. The Federal Desktop Core Configuration is not widely implemented because CIOs still have not forced integrators and software vendors to guarantee that their software works on FDCC-configured systems.

2. Federal managers lower standards to avoid embarrassing unqualified people. An example is the Defense Department's failed effort to ensure its security staff hold certifications in the technical skills needed for hands-on security work. Fixing the skills shortage is one of the nation's top priorities. But when DOD discovered that many of its security people lack strong hands-on technical skills, officials simply mandated a security certification that avoids the tough technical questions.

The result is that nearly everybody passes, and the nation wastes the opportunity to improve security. Several civilian agencies meet the requirement to provide technical training for their security employees by offering online training, but they do not require the employees to pass tests proving they have mastered the material, or even verify that they took the training. One agency reported privately that no one — not one person — completed the online training. That agency still gave itself full credit for providing technical training to its security people, and its auditors concurred.

3. Auditors measure what is easy to count instead of what is critical to do. The Government Accountability Office has repeatedly told Congress that federal cybersecurity auditors generally do not measure the effectiveness of critical controls. They might check whether a policy document exists but not whether the policy has actually been implemented effectively. Why? Because it is easier to count paper documents than to verify that effective technical controls are in place.

So what can the cyber czar do? Shine a public light on those anti-security practices, and when those caught in the spotlight complain, give them the White House support they need to do the job right, along with deadlines and consequences. Every person mentioned above — CIOs, training managers and auditors — wants to do the right thing. But they have not been given the spine-stiffening top cover they need from the White House. It's time they got it.

About the Author

Alan Paller is the Director of Research for the SANS Institute. 
